Cybersecurity researchers at Kaspersky have discovered a dangerous new malware strain that, according to them, has been active since at least February 2024.
Nicknamed SparkKitty, the malware is part of the wider SparkCat family, a range of Trojan horse programs designed to steal cryptocurrency from unsuspecting users. Kaspersky first discovered the original SparkCat malware in January 2025, noting that it had already made its way onto the Google Play Store and the Apple App Store.
Like many Trojan horses, these malicious applications disguise themselves as legitimate software. In the world of cryptocurrency, this can be particularly risky. The researchers say that one such Android application, SOEX, pretended to be a messaging platform with cryptocurrency trading features. They say it accumulated more than 10,000 downloads on Google Play before being reported. Kaspersky researchers found a similar application on the iOS App Store, as well as modified versions of the TikTok application posing as the real thing.
SparkKitty is specifically designed to access users' photo libraries. The reasoning is that many crypto users screenshot their recovery phrases, which are necessary to restore access to their wallets, and store them in their camera rolls. By extracting these images, the attackers can potentially gain full access to the victims' crypto accounts.
Malware like SparkKitty is designed to search for images that could be valuable to attackers. However, unlike its more targeted predecessor, SparkCat, SparkKitty is not particularly selective: it collects a wide range of images and sends them back to the attackers, whatever their content, according to a detailed report on Securelist by Kaspersky.
Although the main concern remains the theft of crypto wallet recovery phrases, wider access to users' photo libraries opens the door to other risks, including potential extortion using sensitive or private images. That said, there appears to be no evidence that stolen images have been used for blackmail or similar schemes.
Kaspersky reports that the malware campaign has mainly targeted users in Southeast Asia and China. Most infected applications were disguised as Chinese games, TikTok clones and adult entertainment applications, all tailored to users in these regions.