Dangerous malware has been detected on both the Google Play Store and Apple's App Store. Researchers have dubbed the nasty piece of software "SparkKitty."

The cybersecurity researchers at Kaspersky discovered SparkKitty in January 2025 and explained that the malware uses optical character recognition (OCR) to scan an infected device's photos and harvest any data that could help decipher a cryptocurrency wallet recovery phrase.
The malware creators' strategy relies on finding a screenshot or a photo of a user's cryptocurrency recovery phrase in their gallery. Most cryptocurrency exchanges tell users to write down their recovery phrase after their wallet is created. Most users promptly do this and then take a quick photo of the phrase, either in case the piece of paper is lost or simply for quick access to the phrase.
Unfortunately, Kaspersky says that SparkKitty has been actively distributed across the Google Play Store and Apple App Store since February 2025, and has made its way into devices via unofficial channels as well. Luckily, the infected apps used as vehicles for this malware have since been removed from the app marketplaces, with one of the apps being SOEX, which was downloaded more than 10,000 times on the Play Store.
Once one of the infected apps was downloaded, it would request editing access to the device's image library and, once that access was granted, begin scanning. The malware would also re-scan the library if it detected that new images had been added.




