
Once again, App Store and Google Play filters failed to catch a trojan aimed at crypto users, targeting screenshots of their seed phrases.
Experts at cybersecurity firm Kaspersky say they've found a malicious campaign, dubbed SparkKitty. It has been active since at least February 2024 and might be related to the SparkCat spyware campaign uncovered in January 2025.
Malicious apps discovered by the experts now seem to have been removed from the App Store and Google Play, though the extent of the damage to crypto users is unknown. The research has shown that the attackers primarily targeted users in Southeast Asia and China, spreading malware through Chinese gambling games, TikTok, adult games, and crypto-related apps.
The campaign was designed to steal images, especially those containing crypto seed phrases, typically a 12- to 24-word combination that gives full access to a crypto wallet.
At first, the experts found that iOS users were being tricked into installing a malicious app through abuse of the Apple Developer Program and Apple Enterprise profiles.
"Although the Apple Developer Program requires a paid membership and developer verification by Apple, Enterprise profiles are often exploited. They are used not only by developers of apps unsuitable for the App Store (online casinos, cracks, cheats, or illegal mods of popular apps) but also by malware creators," Kaspersky said.
In this case, the criminals distributed a fake TikTok app that requested access to the user's photo gallery, a permission request that is highly unusual for TikTok. Later, multiple crypto- and casino-related Android apps with malicious code embedded in their entry points were also found.

For example, one Android Java app carrying a malicious payload, SOEX, was installed more than 10,000 times from Google Play. It posed as a messaging app with crypto exchange features. Meanwhile, another malicious app, 币coin, was also found on the App Store.

The security researchers said they've also found "a significant number" of pages offering various scam iOS apps for download in the PWA (progressive web app) format, and their code was very similar to the pages distributing the malicious TikTok version. Further investigation helped uncover social media ads for various scams and Ponzi schemes on popular platforms.
"Threat actors are still actively compromising official app stores, and not just for Android – iOS is also a target. The espionage campaign we uncovered uses various distribution methods: it spreads through apps infected with malicious frameworks/SDKs from unofficial sources, as well as through malicious apps directly on the App Store and Google Play," Kaspersky concluded.