Crypto users are facing another sophisticated threat, this time disguised in legitimate-looking apps on official app stores.
TL;DR
- A newly discovered malware called SparkKitty has been stealing images from infected phones, searching for crypto seed phrases.
- Unlike past threats, SparkKitty was found in official App Store and Google Play apps, disguised as crypto-related tools.
- Apple and Google have removed the apps, but cybersecurity experts warn that similar campaigns are likely ongoing.
Cybersecurity researchers at Kaspersky have identified SparkKitty, a newly discovered strain of spyware that systematically steals photos from infected phones. The target: screenshots of crypto seed phrases and sensitive wallet details. Unlike most malware circulating in shady APKs or scam links, SparkKitty was embedded in two separate apps on official platforms, giving the campaign a dangerous edge in credibility.
1) Messaging App with Crypto Features (Google Play)
The first confirmed SparkKitty host was a messaging app with built-in crypto exchange features, distributed via Google Play. The app quietly gained over 10,000 installs before researchers flagged it for malicious behavior.
Source : Kaspersky report.
By positioning itself as a communication tool with crypto integrations, the app appealed directly to crypto-curious users. Once installed, it requested access to photos and media, standard for messaging apps, but in this case, that access was exploited to sweep the entire photo gallery.
Kaspersky warned in its report
2) “币coin” Portfolio Tracker (iOS)
The second app identified was an iOS app named “币coin,” designed to look like a harmless portfolio tracker. It was listed on the Apple App Store before being pulled down after disclosure by security teams.
Source : Kaspersky report.
Fake portfolio trackers are a favorite trick for spyware developers, especially as more crypto holders rely on mobile apps to monitor balances. By posing as a financial tool, SparkKitty used this app to quietly exfiltrate users’ private screenshots.
Both apps have now been removed from official stores, but Kaspersky believes the campaign may have been live since early 2024.
How to Stay Safe
Here’s how to avoid falling victim to spyware like this:
-
Never store seed phrases as screenshots, use paper backups stored securely offline.
-
Be skeptical of unfamiliar crypto apps, even on official platforms.
-
Check app permissions, if a portfolio tracker wants photo access, that’s a red flag.
-
Use mobile antivirus/security apps to catch threats early.
-
Audit your installed apps regularly and delete anything unnecessary.
Final Thought
For crypto holders, screenshots of seed phrases are one of the riskiest habits you can have. Mobile malware is heavily evolving and it’s actively disguising itself in the very apps users trust most. The safest seed phrase is the one never stored on your phone.
