SparkKitty Spyware Targets Photos on iPhone and Android

A new and dangerous form of spyware known as SparkKitty is targeting both iPhone and Android users through seemingly legitimate apps found not only on unofficial websites but also in the Apple App Store and Google Play Store. These apps quietly steal photos from infected devices — and in some cases, they’re specifically hunting for sensitive financial information.
The campaign has been active since early 2024 and is believed to be linked to a previous malware strain called SparkCat. Researchers say the new variant uses tactics like disguising itself as well-known networking libraries (such as AFNetworking and Alamofire on iOS) or using fake versions of legitimate Android apps to trick users into installing it.
Once installed, SparkKitty seeks access to your device’s photo gallery. On Android, it typically asks for storage permissions; on iOS, it requests photo access during app launch. While it might appear to be just another privacy invasion, the malware’s intent is far more focused — it uses image recognition to scan for photos containing seed phrases from cryptocurrency wallets.
Crypto Wallets in the Crosshairs
These seed phrases are crucial for accessing crypto funds. If they fall into the wrong hands, a hacker can drain a wallet without needing any passwords or two-factor authentication. Unfortunately, users who take screenshots of these phrases — a common mistake — are at high risk.
Some of the malicious apps include a crypto-focused messaging app called SOEX (formerly available on Google Play), and another called 币coin (formerly available on the App Store). Both were designed to appear useful, especially to users interested in crypto, but secretly exfiltrated personal images.
Other infected apps were disguised as TikTok clones, gambling games, or even shopping platforms accepting cryptocurrency. Many of these were distributed outside of official app stores through scam websites and misleading ads. On iOS, attackers even abused Apple’s enterprise provisioning system — normally intended for internal business apps — to install these fake apps on users’ devices without App Store approval.
Fig 1. SparkKitty disguised as TikTok being installed (Source: SecureList)
How the Malware Operates
Once running, the spyware sends your photos — and identifying details about your phone — to command-and-control (C2) servers. In many cases, it doesn’t stop after the first upload: it monitors the gallery for changes and continues stealing any new images taken while the app is active.
This malware campaign isn’t just targeting a specific region or device — anyone could be affected. However, researchers noted the apps often targeted users in Southeast Asia and China, particularly those interested in crypto trading or gambling.
How to Protect Yourself
To stay safe, avoid sideloading apps (installing apps from outside official stores), and only download apps from well-known developers. Check for reviews and be cautious of apps with vague or overly positive ratings. Even legitimate-looking apps can be compromised.
On Android, ensure Google Play Protect is turned on. For iPhone users, stick to the App Store and be skeptical of apps asking for access to your photo library — especially if the reason isn’t clear.
Most importantly, never take a screenshot of your crypto wallet seed phrase. Instead, write it down on paper and store it securely, such as in a locked safe. Screenshots, while convenient, are a goldmine for hackers using tools like SparkKitty.
This campaign shows how even photos on your device can become a cybersecurity risk. Thinking twice before downloading a new app — and treating your private data like a treasure — is more important than ever.