Mashable, 16 hours ago
Dangerous new malware can scan photos on both Android and iOS devices, report says

 

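Researchers at Kaspersky have discovered a new malware strain named SparkKitty, which has been active since February 2024. The malware belongs to the SparkCat family and is designed to steal users' cryptocurrency. SparkKitty disguises itself as legitimate software, particularly targeting cryptocurrency users, and steals their photo libraries. It mainly targets users in Southeast Asia and China, posing as gambling games, TikTok clones, and adult entertainment apps. Unlike the earlier SparkCat, SparkKitty is not selective and collects all kinds of images, increasing the risks users face, such as extortion.

📸 SparkKitty is a new malware strain in the SparkCat family whose main goal is to steal users' cryptocurrency.

📱 SparkKitty disguises itself as legitimate software, such as the SOEX app on Android, which posed as an instant messaging platform with cryptocurrency trading features. It has also appeared on the iOS App Store, as well as in modified versions posing as TikTok.

🖼️ SparkKitty is specifically designed to access users' photo libraries, because many cryptocurrency users store screenshots of their recovery phrases in their albums. By extracting these images, attackers can gain full access to victims' cryptocurrency accounts.

🌎 The malware mainly targets users in Southeast Asia and China, posing as gambling games, TikTok clones, and adult entertainment apps.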

Cybersecurity researchers at Kaspersky have uncovered a new and dangerous malware strain, which they believe has been active since at least Feb. 2024.

Dubbed SparkKitty, the malware is part of the broader SparkCat family — a line of Trojan horse programs designed to steal cryptocurrency from unsuspecting users. Kaspersky first discovered the original SparkCat malware in Jan. 2025, noting that it had already made its way onto both the Google Play Store and Apple’s App Store.

Like many trojans, these malicious apps disguise themselves as legitimate software. In the crypto world, this can be especially risky. The researchers say that one such Android app, SOEX, posed as a messaging platform with cryptocurrency trading features. They say it racked up more than 10,000 downloads on Google Play before being flagged. Kaspersky researchers found a similar app on the iOS app store, as well as modified versions of the TikTok app posing as the real thing.

SparkKitty is specifically engineered to access users’ photo libraries. The reasoning is that many crypto users screenshot their recovery phrases — which are needed to restore access to their wallets — and store them in their camera rolls. By extracting these images, attackers can potentially gain full access to victims’ crypto accounts.

Malware like SparkKitty is built to scan for images that could be valuable to attackers. However, unlike its more targeted predecessor, SparkCat, SparkKitty isn’t especially selective — it scoops up a broad range of images and sends them back to the attackers, regardless of content, according to a detailed report on Securelist by Kaspersky.

While the primary concern remains the theft of crypto wallet recovery phrases, broader access to users’ photo libraries opens the door to other risks, including potential extortion using sensitive or private images. That said, there appears to be no evidence that the stolen images have been used for blackmail or similar schemes.

Kaspersky reports that the malware campaign has primarily targeted users in Southeast Asia and China. Most of the infected apps were disguised as Chinese gambling games, TikTok clones, and adult entertainment apps, all tailored to users in those regions.
