SparkKitty Malware EXPLODES — Phones Exposed Nationwide

New SparkKitty malware infiltrating official app stores to steal your crypto by scanning your personal photos has already infected over 10,000 devices.

Key Takeaways

  • SparkKitty malware targets both iOS and Android devices through seemingly legitimate apps that have penetrated official app stores, with one malicious app being downloaded over 10,000 times.
  • Once installed, the malware requests access to photo galleries and uses optical character recognition (OCR) to scan images for cryptocurrency wallet recovery phrases and other sensitive information.
  • The malware has been active since February 2024, with infected apps including “币coin” on Apple’s App Store and “SOEX” on Google Play, both now removed after discovery.
  • Users should never screenshot sensitive information, thoroughly verify app permissions, download only from trusted sources, and store cryptocurrency recovery phrases offline.

Sophisticated Malware Targets Your Digital Wallet

Smartphone users face a new and significant threat as security researchers have identified SparkKitty, a sophisticated malware that has successfully infiltrated both the Google Play Store and Apple App Store. This dangerous malware specifically targets cryptocurrency owners by scanning their photo galleries for wallet recovery phrases and other sensitive information. Unlike previous threats that required more obvious malicious activity, SparkKitty operates covertly after gaining legitimate permissions from unsuspecting users, making it particularly dangerous to those who store financial information on their devices.

“A dangerous new malware strain targeting smartphone users has managed to sneak on to both the Google Play Store and the Apple App Store without being detected, experts have warned,” according to experts.

The malware represents an evolution of an earlier threat called SparkCat, with enhanced capabilities for stealing sensitive data. Security experts at Kaspersky discovered that SparkKitty has been circulating since at least February 2024, primarily targeting cryptocurrency owners who commonly screenshot their wallet recovery phrases for safekeeping. Once the malware gains access to a device’s photo gallery, it scans all images using optical character recognition technology, looking specifically for text patterns that match crypto wallet recovery phrases, login credentials, and other valuable information.

How SparkKitty Infiltrates Your Device

SparkKitty has demonstrated remarkable versatility in its distribution methods, appearing in both official app stores and through unofficial channels. The malicious apps present themselves as legitimate services with cryptocurrency features or as popular app alternatives. One infected app called “SOEX” disguised itself as a messaging application with cryptocurrency features and was downloaded more than 10,000 times from Google Play before being removed. Another infected app identified as “币coin” was found on Apple’s App Store, showing that even Apple’s supposedly rigorous security screening failed to detect the threat.

“Kaspersky says the SparkKitty malware has been actively distributed across both the Google Play Store and Apple App Store since February 2024, and has also been distributed through unofficial means as well,” said Kaspersky.

The technical implementation of SparkKitty varies slightly between platforms. On iOS, the malware runs from the Objective-C ‘+load’ method, which the runtime invokes automatically when a class is loaded into memory, so the malicious code executes without the app’s own code ever calling it; on Android, it is embedded in ordinary Java/Kotlin applications. Either way, the fundamental approach is the same: request access to the photo gallery or storage under the guise of legitimate functionality, then systematically scan and exfiltrate sensitive data. Some versions employ Google’s ML Kit OCR to detect and upload only images containing text, which keeps the data theft focused and makes the unusual traffic harder to notice.

Tech Giants Respond to the Threat

Following the discovery of SparkKitty, both Google and Apple have taken action to remove the identified malicious applications from their respective stores. Google has not only removed the SOEX app but also banned the developer responsible for creating it. Google Play Protect, the company’s built-in security feature, now actively screens for SparkKitty variants to provide automatic protection for Android users. However, the fact that these sophisticated threats managed to bypass initial security screenings raises serious questions about the effectiveness of app store vetting processes.

“The reported app has been removed from Google Play and the developer has been banned,” stated Google.

While Apple has removed the malicious 币coin app from its App Store, the company has been less forthcoming about additional security measures. BleepingComputer reported contacting Apple for comment regarding the app’s presence in their store, but no response had been provided at the time of reporting. This lack of transparency is concerning given Apple’s frequent claims about superior security on their platform, which clearly failed to prevent this sophisticated malware from reaching users through official channels.

Protecting Yourself from SparkKitty and Similar Threats

To protect yourself from SparkKitty and similar malware threats, security experts recommend several essential precautions. First and foremost, never store screenshots of sensitive information like cryptocurrency recovery phrases, passwords, or financial details on your mobile device. Instead, use offline storage methods such as physical paper kept in a secure location or dedicated hardware wallets for cryptocurrency. Be extremely cautious about granting apps access to your photos or storage, especially when the requested permissions seem unnecessary for the app’s stated function.

“Identified by Kaspersky and reported by Bleeping Computer, SparkKitty malware gains access to photo galleries on iOS and Android, allowing it to exfiltrate images or data contained within them, possibly with the goal of stealing victims’ crypto assets as well as other compromising information,” said Kaspersky.

When downloading apps, verify their authenticity by checking developer credentials, reading user reviews, and questioning why certain permissions are required. Even official app stores have proven vulnerable to sophisticated threats, so exercise caution with all downloads. For storing sensitive information securely, consider using encrypted password managers that offer secure note features or encrypted cloud storage vaults. Remember that malware developers continue to refine their tactics, making ongoing vigilance essential for protecting your digital assets and personal information in this increasingly hostile digital landscape.
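One concrete way to act on the permission advice above is to audit which installed Android apps hold both gallery access and network access, the combination SparkKitty needs. The script below is an added example, not code from the article or from Kaspersky; it parses output in the shape of `adb shell dumpsys package`, and the package names and excerpt are constructed for illustration.

```python
import re
# Android permissions that grant read access to the photo gallery: READ_EXTERNAL_STORAGE
# (Android 12 and earlier), READ_MEDIA_IMAGES (13+), READ_MEDIA_VISUAL_USER_SELECTED (14+).
PHOTO_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",
}

# Constructed excerpt shaped like `adb shell dumpsys package` output;
# the package names are made up for this example.
SAMPLE_DUMPSYS = """\
  Package [com.example.messenger] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (d4e5f6):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
  Package [com.example.gallerytool] (0a1b2c):
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
"""
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_permissions(dumpsys_text: str) -> dict[str, set[str]]:
    """Map each package to the permissions dumpsys reports as granted=true."""
    result: dict[str, set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result.setdefault(current, set())
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true":
            result[current].add(perm.group(1))
    return result

def apps_with_gallery_and_network(dumpsys_text: str) -> list[str]:
    """Packages that can both read photos and reach the network (an exfiltration path)."""
    return sorted(
        pkg for pkg, perms in granted_permissions(dumpsys_text).items()
        if perms & PHOTO_PERMISSIONS and "android.permission.INTERNET" in perms
    )
```

On a real device, feed it the output of `adb shell dumpsys package` and review every flagged package against what the app actually needs to do.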