New SparkKitty Malware Detected on Google Play and the App Store

Written by Eduardo Morales | Jun 24, 2025 11:07:46 PM

A new malware called SparkKitty is causing concern, as it has been detected in apps on both Google Play and Apple's App Store. This malware targets Android and iOS devices, and its main objective appears to be stealing cryptocurrencies.

SparkKitty is believed to be a more advanced version of another malware called SparkCat, which Kaspersky discovered earlier this year. SparkCat used optical character recognition (OCR) to find and steal recovery phrases (also known as seed phrases) that users had stored as images on their phones.

For those who are not very familiar with the crypto world: when you install a digital wallet, the system asks you to write down a special recovery phrase. That phrase is like a master key that allows you to restore your wallet and access your funds from any other device. That's why it's so valuable... and so sought after by cybercriminals.

Although it is best never to save that phrase on your phone or take a screenshot of it, many people do so for convenience. And that's where this type of malware comes into play.

According to Kaspersky, SparkKitty steals all the photos from the infected device's gallery, without discrimination. If your seed phrase is among those images, you're in trouble. But the risk doesn't stop there: if your photos contain anything private or sensitive, they could also be used for other malicious purposes, such as blackmail or extortion.

How does SparkKitty malware work?

SparkKitty has been around since at least February 2024. Not only has it slipped into the official Google Play and App Store, it has also circulated on unofficial sites and other download platforms.

SparkKitty on the Apple App Store (Source: Kaspersky)

According to Kaspersky, the malicious apps that managed to slip through were 币coin on the Apple App Store and SOEX on Google Play. Fortunately, both have already been removed at the time of writing.

In the case of SOEX, it was a messaging app that also offered cryptocurrency exchange features. What is concerning is that it was downloaded more than 10,000 times from the official Android store before it was taken down.

Malware application on Google Play (Source: Kaspersky)

Fake TikTok apps: How SparkKitty malware enters Android and iOS

Kaspersky also discovered fake versions of TikTok bundled with suspicious cryptocurrency stores, gambling apps, adult content games, and virtual casinos. All of these were disguised as ordinary apps but were in fact infected with SparkKitty. The most worrying thing is that these modified versions were not in official stores, but were distributed through alternative and unreliable channels.

TikTok cloning app installed via an iOS profile (Source: Kaspersky)

In the case of iOS, SparkKitty camouflages itself within files that appear to be part of the system (such as AFNetworking.framework or libswiftDarwin.dylib), and is sometimes installed using fake enterprise profiles, allowing it to bypass Apple's security checks.

On Android, on the other hand, the malware hides inside apps written in Java or Kotlin, and some samples are built as modules for the Xposed or LSPosed hooking frameworks, which give them deeper control over the system.

SparkKitty is quite clever: on iOS, it uses an Objective-C method that runs automatically when the app is loaded, so its code executes as soon as you open the app, without you noticing. Before fully activating, it checks the app's configuration to make sure it is running in the expected environment.

On Android, it activates in a similar way: when you open the app or perform a specific action (such as entering a certain screen), the malware kicks in. The first thing it does is download an encrypted configuration file containing the server addresses it needs in order to send your stolen data. This file is encrypted with AES-256 in ECB mode, which is meant to make it harder to analyze.

And here comes the tricky part: on iOS, the malware asks for access to your photo gallery. On Android, it asks for permission to access your storage. If you give it permission (something many people do without thinking), SparkKitty starts scanning your photos and sending those that are new or that it hasn't stolen yet. Yes, it's that straightforward.

Image exfiltration code in the iOS variant

On Android devices, SparkKitty can access your photo gallery and upload images along with phone data, such as device identifiers and metadata. Some versions of the malware even use Google ML Kit with OCR, which allows them to analyze images and upload only those that contain text, such as screenshots with crypto wallet seed phrases.

This only confirms what many of us already suspected: even official stores like Google Play or the App Store are not 100% secure. Just because an app is there doesn't mean it's trustworthy. That's why you have to be careful when installing any application.

Here are some basic tips to avoid falling victim to this type of malware:

  1. Check the app carefully before installing it. If it has few downloads but many positive reviews, or if the developer seems suspicious, it's best not to install it.

  2. Pay attention to permissions. If an app asks for access to storage, camera, or gallery and it doesn't make sense for it to do so, that's a red flag.

  3. If you use an iPhone, avoid installing configuration profiles or certificates that do not come from a trusted source.

  4. On Android, make sure you have Google Play Protect enabled in your settings. It's also a good idea to run a scan from time to time to check that everything is working properly.
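One way to put tip 2 into practice during app triage is to pull the photo/storage permissions an app declares and compare them with what the app claims to be. The script below is an added example written for this article, not code from the article or from Kaspersky: the Android permission names and iOS Info.plist keys are the real platform identifiers, the manifest and plist are constructed samples, and the list of categories where photo access is expected is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permissions that expose the photo gallery / shared storage.
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}
# Real Info.plist keys an iOS app must declare before it may read the photo library.
IOS_PHOTO_KEYS = {"NSPhotoLibraryUsageDescription", "NSPhotoLibraryAddUsageDescription"}
# Assumption: app categories where photo access is expected and not a red flag.
PHOTO_EXPECTED = {"photo", "camera", "gallery"}

# Constructed sample inputs (not taken from any real app or from the article).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.exchange">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""
SAMPLE_PLIST = """<plist version="1.0"><dict>
  <key>CFBundleName</key><string>ExampleExchange</string>
  <key>NSPhotoLibraryUsageDescription</key><string>Upload your ID photo</string>
</dict></plist>"""

def android_storage_permissions(manifest_xml: str) -> set:
    """Photo/storage permissions declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    return declared & STORAGE_PERMS

def ios_photo_keys(plist_xml: str) -> set:
    """Photo-library usage keys present in an XML-format Info.plist."""
    root = ET.fromstring(plist_xml)
    return {k.text for k in root.iter("key")} & IOS_PHOTO_KEYS

def review_app(category: str, manifest_xml: str = "", plist_xml: str = "") -> dict:
    """Triage one app: what photo access it declares, and whether that fits its stated category."""
    found = set()
    if manifest_xml:
        found |= android_storage_permissions(manifest_xml)
    if plist_xml:
        found |= ios_photo_keys(plist_xml)
    return {"photo_access": sorted(found),
            "red_flag": bool(found) and category.lower() not in PHOTO_EXPECTED}

if __name__ == "__main__":
    print(review_app("finance", SAMPLE_MANIFEST, SAMPLE_PLIST))
```

A "finance" or "messaging" app that declares gallery access on both platforms is flagged for manual review; the script does not decide the app is malicious, only that the permission request needs a justification.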

And if you handle cryptocurrencies, this point is extremely important: do not save screenshots of your seed phrase on your cell phone. That phrase is the key to accessing your wallet and your funds, so if someone else gets it, they can empty it in minutes.