Bad actors constantly seek every bit of personal information they can get, from your phone number to your government ID. Now, a new threat targets both Android and iPhone users: SparkKitty, a powerful mobile malware strain that scans private photos to steal cryptocurrency recovery phrases and other sensitive data.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM/NEWSLETTER.
A new threat targets both Android and iPhone users. (Apple)
What is SparkKitty mobile malware
Researchers at cybersecurity firm Kaspersky recently identified SparkKitty. This malware appears to succeed SparkCat, a campaign first reported earlier this year that used optical character recognition (OCR) to extract sensitive data from images, including crypto recovery phrases.
SparkKitty goes even further than SparkCat. According to Kaspersky, SparkKitty uploads images from infected phones without discrimination. This tactic exposes not just wallet data but also any personal or sensitive photos stored on the device. While the main target seems to be crypto seed phrases, criminals could use other images for extortion or malicious purposes.
Kaspersky researchers report that SparkKitty has operated since at least February 2024. Attackers distributed it through both official and unofficial channels, including Google Play and the Apple App Store.
SparkKitty uploads images from infected phones without discrimination. (Kurt "CyberGuy" Knutsson)
How SparkKitty malware infects Android and iPhone devices
Kaspersky found SparkKitty embedded in several apps, including one called 币coin on iOS and another called SOEX on Android. Both apps are no longer available in their respective stores. SOEX, a messaging app with cryptocurrency-related features, reached more than 10,000 downloads from the Google Play Store before its removal.
On iOS, attackers deliver the malware through fake software frameworks or enterprise provisioning profiles, often disguised as legitimate components. Once installed, SparkKitty uses a method native to Apple’s Objective-C programming language to run as soon as the app launches. It checks the app’s internal configuration files to decide whether to execute, then quietly starts monitoring the user’s photo library.
On Android, SparkKitty hides in apps written in Java or Kotlin and sometimes uses malicious Xposed or LSPosed modules. It activates when the app launches or after a specific screen opens. The malware then decrypts a configuration file from a remote server and begins uploading images, device metadata, and identifiers.
On iOS, attackers deliver the malware through fake software frameworks or enterprise provisioning profiles. (Apple)
Why SparkKitty is more dangerous than previous malware
Unlike traditional spyware, SparkKitty focuses on photos, especially those containing cryptocurrency recovery phrases, wallet screenshots, IDs, or sensitive documents. Instead of just monitoring activity, SparkKitty uploads images in bulk. This approach makes it easy for criminals to sift through and extract valuable personal data.
4 ways to protect your phone from SparkKitty mobile malware
1) Stick to trusted developers: Avoid downloading obscure apps, especially if they have few reviews or downloads. Always check the developer’s name and history before installing anything.
2) Review app permissions: Be cautious of apps that request access to your photos, messages, or files without a clear reason. If something feels off, deny the permission or uninstall the app.
3) Keep your device updated: Install system and security updates as soon as they are available. These updates often patch vulnerabilities that malware can exploit.
4) Use mobile security software: The best way to safeguard yourself from malicious software is to have strong antivirus software installed on all your devices. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices by visiting CyberGuy.com/LockUpYourTech.
Kurt’s key takeaway
Both Apple and Google removed the identified apps after being alerted, but questions remain about how SparkKitty bypassed their app review processes in the first place. As app stores grow, both in volume and complexity, the tools used to screen them will need to evolve at the same pace. Otherwise, incidents like this one will continue to slip through the cracks.
Do you think Google and Apple are doing enough to protect users from mobile malware and evolving security threats? Let us know by writing to us at Cyberguy.com/Contact.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM/NEWSLETTER.
Copyright 2025 CyberGuy.com. All rights reserved.