Warning: Storing Wallet Details or Seed Phrases as Photos? This Sneaky Trojan Could Drain Your Crypto

Your phone's camera roll just became a hacker's goldmine. A new breed of malware is targeting crypto holders who snap pics of sensitive wallet info—turning convenience into catastrophe.

How the attack works

The trojan lurks in seemingly harmless apps, scanning galleries for wallet addresses and recovery phrases. Once identified, it beams the data straight to attackers faster than a Bitcoin maximalist dismissing altcoins.

Security experts warn this marks a dangerous evolution in crypto-targeting malware—one that exploits our lazy security habits better than a shitcoin exploits FOMO.

Protect yourself

• Never store seed phrases digitally (yes, even in 'hidden' folders)
• Use encrypted password managers for wallet details
• Enable 2FA on all exchange accounts

Remember: In crypto, your paranoia should always outpace your greed. Because while the blockchain never forgets, hackers never forgive.

At the Core of the iOS variant is a weaponized version of the AFNetworking or Alamofire framework, where attackers embedded a custom class that auto-runs on app launch using Objective-C’s +load selector.

On startup, it checks a hidden configuration value, fetches a command-and-control (C2) address, and scans the user’s gallery and begins uploading images. A C2 address instructs the malware on what to do, such as when to steal data or send files, and receives the stolen information back.

The Android variant utilizes modified Java libraries to achieve the same goal. OCR is applied via Google ML Kit to parse images. If a seed phrase or private key is detected, the file is flagged and sent to the attacker’s servers.

Installation on iOS is done through enterprise provisioning profiles, or a method meant for internal enterprise apps but often exploited for malware.

Victims are tricked into manually trusting a developer certificate linked to “SINOPEC SABIC Tianjin Petrochemical Co. Ltd.,” giving SparkKitty system-level permissions.

Several C2 addresses used AES-256 encrypted configuration files hosted on obfuscated servers.

Once decrypted, they point to payload fetchers and endpoints, such as/api/putImages and /api/getImageStatus, where the app determines whether to upload or delay photo transmissions.

Kaspersky researchers discovered other versions of the malware utilizing a spoofed OpenSSL library (libcrypto.dylib) with obfuscated initialization logic, indicating an evolving toolset and multiple distribution vectors.

While most apps appear to be targeted at users in China and Southeast Asia, nothing about the malware limits its regional scope.

Apple and Google have taken down the apps in question following disclosure, but the campaign has likely been active since early 2024 and may still be ongoing through side loaded variants and clone stores, researchers warned.