Malware Hidden in App Store Clones Is Draining Crypto Wallets by Stealing Photos

A stealthy malware campaign has quietly spread through both the Apple App Store and Google Play, stealing photos from infected phones. Its target is a specific habit: users who keep screenshots of their cryptocurrency wallet recovery phrases in the photo gallery.

The malware, named SparkKitty, builds on an earlier variant known as SparkCat, which surfaced in January. That earlier strain ran optical character recognition on the device to pick out crypto wallet recovery phrases from screenshots. SparkKitty is less selective: it uploads entire photo libraries from infected devices and leaves it to the attackers to sift the images for text on their own servers.

These recovery phrases (also called seed phrases) are all that is needed to restore a wallet on a new device. Anyone who obtains one can take full control of the user's digital assets, and no password or two-factor code stands in the way. Despite repeated warnings not to store such information digitally, some people still take a screenshot during wallet setup.

SparkKitty has been active since at least February 2024. It has turned up not only in unofficial app stores but also inside apps that managed to slip through Apple and Google’s review systems. One of the malicious iOS apps, 币coin, posed as a legitimate financial tool. Another, SOEX, offered messaging and crypto exchange features on Android, reaching more than 10,000 downloads before its removal.

Beyond these, researchers at Kaspersky also found counterfeit versions of TikTok, adult games, and crypto-themed apps seeded with the malware, often distributed via shady third-party websites. On iPhones, the attackers packaged SparkKitty inside frameworks masquerading as the legitimate AFNetworking library or as libswiftDarwin, and installed them through enterprise provisioning profiles. An app signed with an enterprise developer certificate can run on a device without ever passing App Store review, so that channel sidesteps Apple's checks entirely.

Android versions were embedded in Java or Kotlin-based apps. In several cases, the malware shipped as an Xposed or LSPosed module, which hooks into other apps' code at runtime on rooted devices instead of running as a standalone app. After installation, the malicious code either activates immediately on launch or waits for a specific user action, such as navigating to a particular screen. Once triggered, it contacts a command-and-control server and downloads a Base64-encoded configuration that includes the URLs to which stolen data is uploaded.

On iOS, the malware checks for certain keys inside the app's Info.plist file to confirm it is running in the expected environment, then requests access to the photo gallery. If the user grants permission, SparkKitty monitors the library for new images and quietly uploads them in the background. On Android, it requests storage access and extracts not only photos but also device identifiers and metadata. On both platforms the permission prompt is the only visible step; a finance or messaging app that asks for full gallery access at an odd moment deserves a second look.
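As an added example (not code from Kaspersky's report or from the campaign itself), the script below shows the kind of static triage an analyst would run over a suspect app bundle to surface the two indicators the text describes: a declared photo-library permission next to an embedded framework named after AFNetworking or libswiftDarwin on iOS, and gallery or storage permissions combined with network access on Android. It checks the standard iOS privacy usage-description keys, which any app wanting gallery access must declare; it does not know the Info.plist keys the malware itself looks for, since the text does not name them. The bundle contents, bundle identifiers and manifest are constructed for the example.

```python
"""Static triage of a mobile app bundle for SparkKitty-style indicators.

Added example: the sample Info.plist, framework list and AndroidManifest.xml
below are constructed, not artifacts from the real campaign.
"""
import plistlib
import xml.etree.ElementTree as ET

# iOS: the privacy keys an app must declare before it can prompt for the gallery,
# and the framework names the campaign used as cover.
IOS_PHOTO_KEYS = ("NSPhotoLibraryUsageDescription",
                  "NSPhotoLibraryAddUsageDescription")
SUSPECT_FRAMEWORK_NAMES = ("AFNetworking", "libswiftDarwin")

# Android: permissions that grant read access to photos or shared storage.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ANDROID_MEDIA_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}


def triage_ios(info_plist_bytes, embedded_frameworks):
    """info_plist_bytes: raw Info.plist (XML or binary plist).
    embedded_frameworks: file names found under Frameworks/ in the .app bundle.
    Returns findings plus a needs_review flag set only on the combination."""
    info = plistlib.loads(info_plist_bytes)
    photo_keys = sorted(k for k in IOS_PHOTO_KEYS if k in info)
    suspect = sorted(fw for fw in embedded_frameworks
                     if any(n.lower() in fw.lower() for n in SUSPECT_FRAMEWORK_NAMES))
    findings = []
    if photo_keys:
        findings.append("declares photo-library access: " + ", ".join(photo_keys))
    for fw in suspect:
        findings.append("embedded framework carries a name used by the campaign: " + fw)
    # Plenty of clean apps ship AFNetworking and plenty legitimately read photos;
    # it is the pairing, in an app that arrived outside the App Store, that matters.
    return {"findings": findings, "needs_review": bool(photo_keys and suspect)}


def triage_android(manifest_xml):
    """manifest_xml: decoded AndroidManifest.xml as text (e.g. from apktool).
    Flags gallery/storage permissions and escalates when network access is present."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    media = sorted(perms & ANDROID_MEDIA_PERMS)
    has_net = "android.permission.INTERNET" in perms
    findings = []
    if media:
        findings.append("requests media/storage access: " + ", ".join(media))
    if media and has_net:
        findings.append("can read the gallery and reach the network: inspect what it uploads")
    return {"findings": findings, "needs_review": bool(media and has_net)}


# Constructed samples: a fake "coin" app that bundles AFNetworking and asks for the
# gallery, and a chat app that wants images plus network access.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.fakecoin",  # hypothetical identifier
    "CFBundleName": "Example Coin",
    "NSPhotoLibraryUsageDescription": "Choose a picture for your avatar",
})
SAMPLE_FRAMEWORKS = ["AFNetworking.framework", "Example.framework"]
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <application android:label="Example Chat"/>
</manifest>
"""

if __name__ == "__main__":
    for platform, result in (("iOS", triage_ios(SAMPLE_INFO_PLIST, SAMPLE_FRAMEWORKS)),
                             ("Android", triage_android(SAMPLE_MANIFEST))):
        print(platform, "needs review:", result["needs_review"])
        for line in result["findings"]:
            print("  -", line)
```

A framework name alone proves nothing, which is why the iOS check only escalates when the photo permission is also present; in practice the next step is to compare the embedded AFNetworking binary against a known-good build and to check whether the app was installed from the App Store or through an enterprise profile.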

Some versions go even further. They integrate Google's ML Kit text-recognition library on the device to detect images containing visible text, so that irrelevant media is discarded and only screenshots or documents likely to hold wallet credentials or other sensitive data are sent to the attackers.

While Kaspersky hasn’t confirmed who is behind SparkKitty, early clues suggest the campaign is centered around users in China and Southeast Asia. The malware appears to be updated regularly, indicating ongoing development.

Kaspersky’s analysts, Dmitry Kalinin and Sergey Puzan, say the campaign’s scale and sophistication raise questions about how the infected apps slipped past platform security checks. Though both Apple and Google have removed the known malware from their stores, the broader concern remains: official platforms can’t always be trusted to catch every threat.

This incident underscores why users must stay cautious, even with apps downloaded from approved sources. Look out for inconsistencies, such as permissions that do not match the app's purpose, low download counts paired with overly positive reviews, or unfamiliar publisher names. On iOS, avoid installing configuration profiles or enterprise certificates unless they come from a known source; anything already installed is listed under Settings, General, VPN & Device Management, and the Photos entry under Privacy & Security shows which apps currently have gallery access. Android users should keep Google Play Protect enabled, scan their devices regularly, and review which apps hold photo and storage permissions in the permission manager under Settings.

For cryptocurrency holders, the lesson is clear. A recovery phrase stored as a screenshot is exposed to exactly this kind of attack, and to any other app or backup that can read the gallery. Keeping that information offline, ideally handwritten and locked away, remains the safest option.


Image: DIW-Aigen
