Kaspersky Uncovers SparkKitty Trojan Leaking Photos and Crypto Data via App Stores

Cybersecurity firm Kaspersky has revealed a new strain of mobile malware named SparkKitty, targeting both iOS and Android devices via official and unofficial app distribution channels. This dangerous Trojan is capable of exfiltrating photos from infected devices and may capture sensitive cryptocurrency wallet information.
SparkKitty has been found embedded within apps on both the Apple App Store and Google Play Store, as well as on fraudulent websites. Some affected apps include crypto tools, gambling utilities, and even a trojanized version of TikTok. In one instance, a bogus application called “币coin” on the App Store posed as a legitimate crypto service. On Android, a messenger app with a crypto-exchange feature—“SOEX”—was downloaded more than 10,000 times before Kaspersky’s warning.
Once installed, SparkKitty requests permission to access the user’s photo gallery. It then scans images using optical character recognition (OCR), sending photographs and device information to attackers. Researchers believe its primary goal is to steal cryptocurrency by extracting wallet recovery phrases or passwords from screenshots. The malware bears close resemblance to an earlier Trojan, SparkCat, notorious for stealing crypto credentials via image scanning.
On iOS, the Trojan appeared both as a fake App Store app and through phishing sites mimicking Apple’s developer enterprise provisioning process. Users were tricked into installing apps that required developer certificates, granting the apps deeper access to personal data. Once launched, the infected apps also displayed links to a suspicious store that demanded payment in cryptocurrency.
Android distribution was similar, with malware hidden in both official store apps and APKs on third-party websites. Some were advertised via social media such as YouTube. Users who downloaded “SOEX” inadvertently installed the spyware, which quietly harvested photos from their galleries.
While the campaign primarily targets users in Southeast Asia and China, Kaspersky warns that it may threaten users worldwide, including those in South Africa. The malware’s reach was extensive; certain infected Android apps garnered over 242,000 downloads before removal.
Experts explain that SparkKitty combines legitimate app functionality with covert data harvesting—operating without noticeable signs of infection. It leverages machine learning-enabled OCR to stealthily identify critical data within images, a tactic that helped it evade detection in store vetting processes.
Kaspersky has alerted both Apple and Google, who have reportedly removed affected apps from their stores. Nevertheless, users are urged to uninstall any suspicious software. Kaspersky advises avoiding screenshots containing sensitive content, especially wallet seed phrases, and recommends the use of cybersecurity tools like Kaspersky Premium, along with password managers to safeguard critical data.
This incident marks the second time an OCR-based Trojan has infiltrated the App Store—the first being SparkCat earlier this year. It highlights a troubling trend: malware authors adopting machine learning techniques to widen the scope of mobile attacks and target user privacy more effectively.
In light of this threat, users are urged to remain vigilant. Only official app versions should be installed, photo galleries should be protected, and robust security software should be used. This episode underlines the evolving complexity of mobile threats—merging social engineering, legitimate store distribution, and AI-powered extraction—to compromise user trust and security.