Storing Wallet Details or Seed Phrases as Photos? This Sneaky Trojan Could Drain Your Crypto

Your smartphone's camera roll just became a hacker's treasure map.

Security researchers have uncovered a new Android Trojan specifically designed to scan for—and steal—cryptocurrency wallet details stored as screenshots or photos. The malware bypasses basic security measures, hunting for seed phrases, private keys, and exchange login credentials.

How it works:

The malware disguises itself as a legitimate app (often fake wallet cleaners or 'performance boosters'). Once installed, it scans device storage for images containing crypto-sensitive data—no fancy exploits needed. Old-school social engineering meets digital pickpocketing.

Why this hurts:

Unlike exchange hacks that make headlines, these thefts fly under the radar—blamed on 'user error.' Victims rarely recover funds, and insurers laugh at claims. (Try explaining a six-figure JPEG oopsie to Lloyd's of London.)

The irony? Most victims backed up their seed phrases digitally 'for security.' A reminder that in crypto, the safest-looking options often carry the most risk—almost like those 'stable' algorithmic coins from 2022.

At the Core of the iOS variant is a weaponized version of the AFNetworking or Alamofire framework, where attackers embedded a custom class that auto-runs on app launch using Objective-C’s +load selector.

On startup, it checks a hidden configuration value, fetches a command-and-control (C2) address, and scans the user’s gallery and begins uploading images. A C2 address instructs the malware on what to do, such as when to steal data or send files, and receives the stolen information back.

The Android variant utilizes modified Java libraries to achieve the same goal. OCR is applied via Google ML Kit to parse images. If a seed phrase or private key is detected, the file is flagged and sent to the attacker’s servers.

Installation on iOS is done through enterprise provisioning profiles, or a method meant for internal enterprise apps but often exploited for malware.

Victims are tricked into manually trusting a developer certificate linked to “SINOPEC SABIC Tianjin Petrochemical Co. Ltd.,” giving SparkKitty system-level permissions.

Several C2 addresses used AES-256 encrypted configuration files hosted on obfuscated servers.

Once decrypted, they point to payload fetchers and endpoints, such as/api/putImages and /api/getImageStatus, where the app determines whether to upload or delay photo transmissions.

Kaspersky researchers discovered other versions of the malware utilizing a spoofed OpenSSL library (libcrypto.dylib) with obfuscated initialization logic, indicating an evolving toolset and multiple distribution vectors.

While most apps appear to be targeted at users in China and Southeast Asia, nothing about the malware limits its regional scope.

Apple and Google have taken down the apps in question following disclosure, but the campaign has likely been active since early 2024 and may still be ongoing through side loaded variants and clone stores, researchers warned.