Your Crypto Wallet Isn’t Safe, Even on iPhone. Here’s Why


Cryptocurrency has promised us freedom: freedom from traditional banking, middlemen, and even government oversight. But with freedom comes responsibility and, increasingly, danger. You might think you’re safe because you’re using an iPhone. After all, Apple is known for its tight security. But a newly discovered malware named SparkKitty is proving that assumption dangerously wrong.

In this post, I’ll break down what SparkKitty is, how it works on both Android and iOS, why it’s different from previous threats, and what you need to do right now to protect your crypto assets.


What Is SparkKitty?

SparkKitty is a cross-platform mobile malware designed to steal cryptocurrency wallet recovery phrases. If you’ve ever used a crypto wallet, you know that the seed phrase (usually 12 to 24 words) is the holy grail: anyone who obtains it can restore your wallet and drain your funds.

This malware is an evolution of an earlier variant called SparkCat, which used Optical Character Recognition (OCR) to scan images on infected devices for text containing seed phrases. SparkKitty, however, steps things up by using AI, advanced execution methods, and selective targeting to exfiltrate only the most valuable data, and it does so under your nose.

Why It's a Big Deal Even for iPhone Users

iOS users have long believed they’re safer from malware, but SparkKitty breaks that illusion. Unlike many threats confined to Android, SparkKitty runs stealthily on both platforms, using platform-specific tricks to stay hidden and effective.

Let’s compare what it does on Android vs. iOS:
| Feature | Android | iOS |
| --- | --- | --- |
| Execution trigger | On app launch or UI interaction | Uses the Objective-C +load method to auto-run at app start |
| Frameworks used | Java/Kotlin apps; Xposed/LSPosed modules | Native Objective-C apps |
| Config retrieval | AES-256 (ECB mode) decrypted remote file | Conditional execution based on Info.plist keys |
| Permissions | Requests storage access | Requests photo gallery access |
| Data stolen | Images, metadata, device ID | New and old images from the gallery |
| OCR filtering | Uses Google ML Kit to upload only images with text | Unknown, but likely passive scanning of the gallery |

As you can see, no device is truly safe.

How Does SparkKitty Work?

[Figure: image exfiltration in the iOS variant of SparkKitty]

The malware is usually embedded in apps that look harmless, even useful. These apps have managed to bypass both the Google Play and Apple App Store review systems, which is alarming in itself.

Here’s how the infection and theft process typically works:

  1. You install a malicious app that appears to serve a legitimate function (e.g., gallery editor, VPN, crypto portfolio tracker).

  2. The app requests access to your storage or gallery.

  3. Once access is granted, the malware:

    • Monitors the gallery for changes.

    • Uploads previously stored images.

    • Uses OCR (Optical Character Recognition) to scan images for seed phrases.

    • Sends relevant data (images, device IDs, metadata) to an external Command and Control (C2) server.

What makes this scarier is that SparkKitty doesn’t simply upload everything it finds. On Android it uses Google’s ML Kit OCR engine to upload only images that contain text, making the malware stealthier, faster, and more efficient.

[Figure: image exfiltration logic in the Android variant of SparkKitty]

Source: Kaspersky

User Behavior Is Helping Hackers

Let’s be honest: how many of us have taken a screenshot of our seed phrase “just in case”? Even though most wallets warn us not to, the temptation to quickly save the phrase digitally is common.

Here’s why that’s dangerous:

| User action | Risk level | Why |
| --- | --- | --- |
| Taking a screenshot of the seed phrase | Extreme | Stored in the gallery, easy for malware to find |
| Saving the seed in a Notes app | Extreme | Exposed to cloud sync and local malware |
| Writing on paper and photographing it | Extreme | The image can be stolen just like a screenshot |
| Using a password manager | Moderate | Safer, but depends on the tool used |
| Writing the seed on paper and locking it away | Safe | No digital exposure |

SparkKitty relies on you making just one of these mistakes.
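The OCR filter described above is exactly the check a defender can run first: find any screenshot in your own gallery that holds a BIP39-length run of wordlist words, delete it, and treat the wallet as exposed. The following Python script is an added example, not part of this post or of Kaspersky’s analysis. It assumes you have already run OCR over an exported copy of your photo library (for example on a laptop) and have each image’s recognised text; it ships with a constructed 48-word excerpt of the BIP39 English list (`SAMPLE_WORDLIST`) and constructed sample OCR text (`SAMPLE_OCR`), and the `english.txt` path in `load_wordlist` is a placeholder for the full 2048-word list.

```python
"""Find seed-phrase screenshots in your own gallery before malware does.

Added example, not part of the original post or of Kaspersky's SparkKitty
analysis. It assumes OCR has already been run over an exported copy of the
photo library and that each image's recognised text is available; the
functions below flag images whose text contains a BIP39-length run of
wordlist words, so the screenshot can be deleted and the wallet rotated.
"""
import re
from pathlib import Path

# BIP39 mnemonics are 12, 15, 18, 21 or 24 words long. Checking the longest
# length first means a 24-word phrase is reported once, not as many 12-word runs.
VALID_LENGTHS = (24, 21, 18, 15, 12)

# Constructed excerpt: 48 words from the start of the official BIP39 English
# list. For real use, load the full 2048-word english.txt via load_wordlist().
SAMPLE_WORDLIST = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
actress actual adapt add addict address adjust admit adult advance advice
aerobic affair afford afraid again age agent agree ahead aim air airport aisle
alarm album
""".split())


def load_wordlist(path):
    """Load a BIP39 wordlist (one word per line); None if missing or malformed."""
    if path is None:
        return None
    p = Path(path)
    if not p.is_file():
        return None
    words = frozenset(
        line.strip().lower() for line in p.read_text().splitlines() if line.strip()
    )
    return words if len(words) == 2048 else None


def normalise(text):
    """Lowercase OCR text and drop the '1.' / '12)' numbering that wallet
    backup screens print beside each word, leaving plain alphabetic tokens."""
    cleaned = re.sub(r"\b\d{1,2}[.)]", " ", text.lower())
    return re.findall(r"[a-z]+", cleaned)


def find_candidates(text, wordlist):
    """Return every run of words of a valid mnemonic length whose words are all
    in the wordlist, preferring the longest length that matches. A sliding
    window is used because screenshots usually contain UI labels around the
    phrase itself."""
    words = normalise(text)
    for n in VALID_LENGTHS:
        hits = [
            " ".join(words[i:i + n])
            for i in range(len(words) - n + 1)
            if all(w in wordlist for w in words[i:i + n])
        ]
        if hits:
            return hits
    return []


def audit(ocr_results, wordlist):
    """ocr_results maps image name -> OCR text; returns, sorted, the names of
    images that appear to contain a recovery phrase."""
    return sorted(
        name for name, text in ocr_results.items() if find_candidates(text, wordlist)
    )


# Constructed sample OCR output. The phrases are made of real BIP39 words but
# are not valid checksummed mnemonics and control no wallet.
SAMPLE_OCR = {
    "IMG_0001.png": "1. abandon 2. ability 3. able 4. about 5. above 6. absent "
                    "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident",
    "IMG_0002.png": "Lunch with Sam at 12:30, remember to bring the parking ticket",
    "IMG_0003.png": "Your recovery phrase. Write it down and keep it safe: "
                    "adjust admit adult advance advice aerobic affair afford "
                    "afraid again age agent. Never share it.",
}

if __name__ == "__main__":
    # "english.txt" is a placeholder path for the full BIP39 list.
    wordlist = load_wordlist("english.txt") or SAMPLE_WORDLIST
    for name in audit(SAMPLE_OCR, wordlist):
        print(f"{name}: {find_candidates(SAMPLE_OCR[name], wordlist)[0]}")
```

Run against the full wordlist, ordinary prose can still produce the odd false positive, because many everyday English words are BIP39 entries, so treat each hit as an item to review rather than proof. The more useful outcome is the opposite one: if the audit finds nothing and you still keep the phrase only on paper, the gallery-upload behaviour in the tables above has nothing worth stealing.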

How It Bypassed Apple and Google

You might wonder: how did such sophisticated malware make it onto the official app stores?

  • On Android, attackers used modular design with Xposed/LSPosed to hook into the system dynamically. These frameworks are often found on rooted or customized devices.

  • On iOS, the malware used Objective-C runtime injection via +load, which executes even before the main app function runs.

  • Both platforms used encrypted remote configurations, meaning the app’s true behavior could be hidden during app review and only activated post-installation.

This highlights a major weakness in app store security: dynamic, remote-configured behavior is nearly impossible to fully vet before apps go live.

What You Can Do to Protect Yourself

Do This Immediately:

  • Delete any crypto-related apps you don’t 100% trust.

  • Review photo gallery permissions on your phone.

  • Use a hardware wallet for long-term storage.

  • Revoke unnecessary storage or gallery access for all apps.

Avoid This at All Costs:

  • Never screenshot your seed phrase.

  • Don’t store recovery phrases in notes, cloud services, or messaging apps.

  • Don’t install sketchy apps from app stores—read reviews and check the publisher.

Watch for Red Flags:

  • Apps that ask for gallery access when it’s not core to their function.

  • Sudden requests for permissions after installation.

  • Unknown apps consuming data in the background.

Final Thoughts: Trust Is No Longer Enough

We’re at a point where trusting Google Play or the App Store isn’t enough. Malware authors are getting smarter, using AI, encryption, and modular design to evade detection and strike at the heart of digital self-custody: your seed phrase.

If you’re serious about crypto security, it’s time to ditch lazy habits and level up your OPSEC (Operational Security). Remember: it only takes one screenshot for you to lose everything.

SparkKitty is proof that your phone, yes, even your iPhone, might already be a spy in your pocket.

Stay alert. Stay private. And don’t take that screenshot.

