Unmasking SparkKitty: The Stealthy Seed-Phrase Stealer Threatening iOS and Android Wallets

Table of Contents

  • Emergence and Evolution of SparkKitty
  • Infection Vectors and Distribution
  • Technical Anatomy and OCR Exploitation
  • Impact on Cryptocurrency Holders
  • Mitigation Strategies and Best Practices
  • Future Outlook on Mobile Malware

Emergence and Evolution of SparkKitty

Kaspersky first identified SparkKitty in January 2025 as the successor to the SparkCat OCR stealer. Unlike its predecessor, SparkKitty demonstrates improved stealth and broader targeting, focusing on both iOS and Android platforms. Researchers note that this marks the second time a trojan stealer has infiltrated Apple’s App Store, following SparkCat earlier that year.

SparkKitty’s rapid development cycle suggests a dedicated threat actor or group refining its toolkit to maximize data exfiltration. Initial infections appeared in early 2025, and since then, variants have been discovered embedded within apps masquerading as cryptocurrency utilities, casino games, messenger platforms, and even fake TikTok clones.

Infection Vectors and Distribution

SparkKitty propagates through three primary channels:

  1. Official App Stores:
    • Google Play: The “SOEX” messenger app, bundling crypto features, amassed over 10,000 installations before removal.
    • App Store: “币coin,” a crypto tracking app, contained the trojan via an obfuscated framework.
  2. Sideloaded/Phishing Websites:
    • Trojanized TikTok and gambling apps distributed through fake web portals exploiting enterprise provisioning on iOS.
  3. Unofficial Third-Party Stores:
    • Scam repositories and underground APK sites continue to host undetected SparkKitty variants.

Based on analysis of Kaspersky and Tom’s Guide, estimated distribution percentages were shown in a chart at this point of the article; the chart is not reproduced here.

Technical Anatomy and OCR Exploitation

SparkKitty leverages granted photo-library permissions to scan and exfiltrate images regularly. Employing Google’s ML Kit for optical character recognition (OCR), it parses screenshots for wallet seed phrases and financial credentials.

  • iOS Implementation:
    • Masquerades as legitimate frameworks (e.g., AFNetworking, Alamofire) or obfuscated dylibs (e.g., libswiftDarwin.dylib).
    • Exploits enterprise provisioning profiles to bypass App Store restrictions.
  • Android Implementation:
    • Utilizes Kotlin-based Xposed modules for deep system integration.
    • Communicates with command-and-control (C2) via AES-encrypted channels.

Recent variants broaden their scope beyond cryptocurrency data, targeting personal identification documents, payment card images, and two-factor authentication (2FA) screenshots.

Impact on Cryptocurrency Holders

Seed phrases are the ultimate keys to non-custodial wallets. As of June 26, 2025, Bitcoin traded around $107,000 per BTC. A compromised wallet containing even a single BTC could thus incur a loss exceeding $107,000.

Attackers can automate fund sweeps once they harvest seed phrases, emptying wallets instantly. Reports indicate targeted thefts primarily affected users in Southeast Asia and China, where SparkKitty-laden apps saw higher download volumes.

Beyond direct financial loss, victims face the challenge of detecting such breaches, often only realizing after unexplained wallet drains. This erodes trust in mobile crypto management and may drive investors toward hardware or multisig solutions.

Mitigation Strategies and Best Practices

To safeguard assets:

  • Download from Trusted Sources: Only use official App Store and Google Play, and verify developer credentials.
  • Review Permissions Closely: Be wary of apps requesting broad gallery or device access without clear justification.
  • Avoid Sideloading: Reject unofficial APKs or enterprise-profile installations unless absolutely necessary.
  • Use Dedicated Security Software: Enable Google Play Protect on Android and consider reputable mobile antivirus tools.
  • Secure Seed Phrases Offline: Never store seeds as screenshots or digital notes; use hardware devices or paper in a secure location.
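The "Review Permissions Closely" and "Avoid Sideloading" points above can be checked together on Android rather than by scrolling through Settings. `adb shell dumpsys package` lists, for every installed package, the installer that put it there and which runtime permissions are granted. The script below is an added example, not code from the article or from any vendor, and parses a constructed excerpt of that output; it assumes the `Package [...]`, `installerPackageName=` and `<permission>: granted=` line shapes that `dumpsys package` prints (real output carries many more fields, which the regexes simply skip). It flags any app holding photo-library access, and raises the severity when that app was not installed by Google Play.

```python
"""Audit Android packages for broad photo-library access and sideloading.
Added example; input is a constructed excerpt of `adb shell dumpsys package` output."""
import re

# Permissions that expose the whole image library, the access SparkKitty abuses.
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",      # Android 13+
    "android.permission.READ_EXTERNAL_STORAGE",  # older API levels
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play's package name

# Constructed sample shaped like dumpsys output; package names are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.gallery] (1a2b3c):
    userId=10123
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
  Package [com.example.messenger] (4d5e6f):
    userId=10124
    installerPackageName=null
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.flashlight] (7a8b9c):
    userId=10125
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s*Package \[(?P<pkg>[\w.]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(?P<inst>\S+)")
PERM_RE = re.compile(r"^\s*(?P<perm>[\w.]+): granted=(?P<granted>true|false)")


def parse_dumpsys(text: str) -> dict:
    """Return {package: {"installer": str | None, "granted": set(permission names)}}.
    A missing installer line or the literal 'null' both mean 'not from a store'."""
    packages: dict = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group("pkg")
            packages[current] = {"installer": None, "granted": set()}
            continue
        if current is None:
            continue
        m = INSTALLER_RE.match(line)
        if m:
            inst = m.group("inst")
            packages[current]["installer"] = None if inst == "null" else inst
            continue
        m = PERM_RE.match(line)
        if m and m.group("granted") == "true":
            packages[current]["granted"].add(m.group("perm"))
    return packages


def audit(packages: dict) -> list:
    """Rank packages: photo access + sideloaded is the combination worth acting on first."""
    findings = []
    for pkg, info in sorted(packages.items()):
        has_photo_access = bool(info["granted"] & PHOTO_PERMISSIONS)
        sideloaded = info["installer"] not in TRUSTED_INSTALLERS
        if has_photo_access and sideloaded:
            findings.append((pkg, "HIGH", "photo-library access and not installed from Google Play"))
        elif has_photo_access:
            findings.append((pkg, "REVIEW", "photo-library access granted; confirm the app needs it"))
        elif sideloaded:
            findings.append((pkg, "INFO", "sideloaded; no photo-library access"))
    return findings


if __name__ == "__main__":
    for pkg, severity, reason in audit(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(f"{severity:7} {pkg:25} {reason}")
```

To run it against a real handset, replace `SAMPLE_DUMPSYS` with the output of `adb shell dumpsys package` (for example, `python3 audit.py < dump.txt` after adapting `__main__` to read stdin). A "HIGH" entry is the profile the article describes: an app from outside the store that can read every screenshot in the gallery, and it should be uninstalled or have its photo permission revoked unless there is a clear reason for it.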

Educating friends and family about suspicious behaviors—such as unexpected permission pop-ups—can strengthen collective defense.

Future Outlook on Mobile Malware

The rise of ML-driven OCR within SparkKitty underscores a broader trend: adversaries weaponizing AI to automate sensitive data extraction. As mobile platforms evolve, we expect next-generation stealers to blend even deeper into system processes and exploit emerging distribution channels like in-app ad networks.

Mobile OS vendors must tighten supply-chain security, and app stores have to improve vetting around third-party libraries. For end users, proactive vigilance and diversification of custody solutions remain paramount.

Conclusion

SparkKitty exemplifies the growing sophistication of mobile malware targeting cryptocurrency assets. By combining stealthy distribution via official channels, powerful OCR capabilities, and broad device infiltration techniques, it poses a severe threat to non-custodial wallet users. However, with informed security practices—restricting app sources, minimizing permissions, and safeguarding seed phrases offline—investors can significantly reduce exposure. As mobile threats continue to evolve, maintaining a layered defense and staying updated on emerging risks will be essential for preserving digital wealth.
