A sophisticated new mobile malware strain dubbed SparkKitty has been discovered infecting devices via apps downloaded from both the official Google Play Store and the Apple App Store, in addition to unofficial channels. This dangerous spyware targets both Android and iOS users, primarily aiming to steal images stored on infected devices, with a suspected focus on cryptocurrency-related data.
Researchers believe SparkKitty is an evolution of SparkCat, a malware found earlier that specifically used Optical Character Recognition (OCR) to scan images for sensitive text like crypto wallet recovery phrases. While some SparkKitty variants still employ OCR technology, the newer malware typically takes a broader approach, attempting to steal all images from a device’s photo gallery.
Access to a user’s photo library can have severe consequences. Beyond the suspected primary goal of snatching cryptocurrency seed phrases (often mistakenly saved as screenshots), stolen images could contain personal or sensitive content used for other malicious purposes, such as extortion.
How SparkKitty Spreads
The SparkKitty campaign has been active since at least February 2024, successfully infiltrating multiple distribution channels:
Official App Stores: Malware-laden apps managed to bypass review processes on both Google Play and the Apple App Store. Notable examples identified by Kaspersky include:
- SOEX on Google Play: A messaging app falsely offering cryptocurrency exchange features. It had been downloaded over 10,000 times before Google removed it and banned the developer.
- 币coin on the Apple App Store: A crypto information app found to contain the malware payload. Apple was notified, and the app was subsequently removed.
The presence of such threats in official, trusted marketplaces highlights the ongoing challenge of keeping these platforms entirely clean.
Unofficial Channels: SparkKitty is also widely distributed outside of official stores through various deceptive means:
- Modded Apps: Trojanized versions of popular apps like TikTok, often embedding links to fake online cryptocurrency stores or scam sites.
- Scam Websites: Websites mimicking official app stores or promoting fake investment schemes (delivered as progressive web apps, or outright Ponzi schemes), often targeting users in Southeast Asia and China.
- Malicious Apps: Fake gambling apps, adult-themed games, and other apps with the malware embedded, distributed through third-party sites and advertised on social media platforms like YouTube.
Technical Sneakiness
The malware’s implementation varies between platforms:
- On iOS: SparkKitty is often disguised as a legitimate software framework (such as AFNetworking.framework or libswiftDarwin.dylib) or delivered via enterprise provisioning profiles, which allow installation outside the App Store. Its code runs automatically when the app starts. It requests photo gallery access, monitors for new or modified images, and exfiltrates them to attacker-controlled servers.
- On Android: The malware is embedded in standard Java/Kotlin apps, sometimes as malicious Xposed/LSPosed modules. It triggers on app launch or on specific user actions and requests storage permissions to access photos. Once granted, it uploads gallery images along with device information. While it often grabs all images, some Android variants use Google ML Kit OCR to filter and upload only images containing significant text, echoing its SparkCat predecessor.
The malware retrieves and decrypts configuration files to find Command-and-Control (C2) server addresses used for communication and data exfiltration.
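The permission combination described above (read access to the photo gallery plus network access) is something a defender can check for before an app is trusted. The following is an added triage example, not code from the article or from Kaspersky: it parses a decoded AndroidManifest.xml (as produced by apktool or similar) and flags apps that request both, unless the app is expected to handle photos. The manifest strings are constructed samples.

```python
"""Flag Android apps that can both read the photo gallery and reach the network.

Added defensive example (not from the SparkKitty write-up). Input is a decoded
AndroidManifest.xml; the sample manifests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree spelling of android:name

# Permissions that grant read access to images across Android versions.
PHOTO_READ = {
    "android.permission.READ_MEDIA_IMAGES",               # Android 13+
    "android.permission.READ_EXTERNAL_STORAGE",           # Android 12 and below
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",  # Android 14 partial access
}
NETWORK = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def gallery_exfil_risk(manifest_xml: str, expected_to_use_photos: bool) -> dict:
    """Flag the gallery-read + network combination when photos are not a core feature."""
    perms = requested_permissions(manifest_xml)
    photo = perms & PHOTO_READ
    net = bool(perms & NETWORK)
    # Reading images alone is harmless; it is the pairing with INTERNET that
    # enables off-device upload, and only suspicious where photos are not expected.
    flagged = bool(photo) and net and not expected_to_use_photos
    return {"photo_permissions": sorted(photo), "network": net, "flagged": flagged}


# Constructed manifest for a "messaging app with exchange features" that also wants the gallery.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.chatx">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
</manifest>"""

# Constructed manifest for a calculator that needs neither.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.calc">
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    print(gallery_exfil_risk(SUSPICIOUS_MANIFEST, expected_to_use_photos=False))
    print(gallery_exfil_risk(BENIGN_MANIFEST, expected_to_use_photos=False))
```

A photo editor legitimately needs both permissions, so pass expected_to_use_photos=True for such apps; the check is a triage signal, not proof of malice.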
The Critical Risk: Storing Seed Phrases as Photos
One of the primary targets for SparkKitty is users who store their cryptocurrency wallet recovery phrases (seed phrases) as screenshots or photos on their mobile devices. While convenient, this practice is highly insecure. Access to this phrase is equivalent to having the keys to your crypto wallet, allowing attackers to steal all stored assets from anywhere. SparkKitty actively exploits this vulnerability.
Protecting Your Devices and Digital Assets
The appearance of SparkKitty underscores the need for constant vigilance. Here’s how to protect yourself:
- Never Store Sensitive Information as Images: Absolutely avoid keeping photos or screenshots of cryptocurrency seed phrases, passwords, bank details, or other confidential information in your phone’s gallery. Use secure, offline methods or reputable, encrypted password managers/vaults instead.
- Scrutinize App Permissions: Be extremely cautious of apps requesting access to your photo gallery or storage, especially if it’s not essential for the app’s core function (e.g., why would a calculator need gallery access?). Deny unnecessary permissions.
- Research Apps Before Installing: Don’t blindly trust apps, even those on official stores. Check developer reputations, read recent reviews (look for patterns of fake reviews or sudden surges in positive reviews), and be wary of apps with low download counts but many generic positive reviews.
- Avoid Unofficial Sources: Only download apps from trusted sources like the official Google Play Store or Apple App Store. Avoid third-party websites, social media links, or prompts to install configuration profiles unless you are absolutely certain of the source’s legitimacy (e.g., your employer’s IT department).
- Enable Security Features: Ensure Google Play Protect is enabled on Android devices and consider using reputable mobile security software capable of detecting trojans and spyware.
- Be Wary of Crypto/Gambling Apps: Exercise extra caution with apps in these categories, as they are frequently targeted by malware developers attempting to steal digital assets.
Google has confirmed the removal of the SOEX app and banned the associated developer, stating that Android users are automatically protected by Google Play Protect. Apple was also contacted regarding the 币coin app.
SparkKitty serves as a stark reminder that the digital landscape requires continuous alertness. Protecting your sensitive data starts with smart habits and careful consideration of the apps you install and the permissions you grant.