June 24, 2025

New SparkKitty malware hits over 5,000 crypto users via Apple and Google apps


A new strain of mobile spyware has slipped past both Apple's and Google's app review processes to target crypto users across Southeast Asia and China. Dubbed SparkKitty, the malware is built to steal screenshots of wallet seed phrases from a phone's photo gallery. Researchers at Kaspersky report that the spyware was embedded in seemingly legitimate applications, including crypto portfolio trackers and modified versions of popular apps such as TikTok. The campaign, which Kaspersky traces back to an earlier family known as SparkCat, has been active since at least April 2024, and some samples date further back still. Once installed, SparkKitty talks the user into granting photo access and then uses optical character recognition (OCR) to pick out images containing sensitive text such as seed phrases, an attack with serious consequences for anyone who keeps a recovery phrase on their device.

Infected crypto apps bypassed store security

Kaspersky's analysis shows that SparkKitty made it into both the official Google Play Store and Apple's App Store. The affected applications, including Soex Wallet Tracker and Coin Wallet Pro, presented themselves as crypto tools offering real-time tracking, portfolio management and multi-chain wallet services. Soex Wallet Tracker was downloaded more than 5,000 times before it was delisted. Coin Wallet Pro, marketed as a secure digital wallet, reportedly gained traction through social media advertisements and Telegram channels. Those channels encouraged users to install the app together with an additional developer (provisioning) profile, which lets an iOS app run without ever going through App Review. It is worth being precise about what such a profile does and does not do: it bypasses Apple's review, not the app sandbox. A sideloaded app is still confined and still has to request the Photos permission like any other app. SparkKitty obtained it by prompting at moments when the request looked natural, such as during an in-app support chat where attaching a screenshot seems reasonable.

Once granted, it used OCR to extract any seed phrases visible in screenshots. A seed phrase is the master key to a wallet: whoever holds it can restore the wallet on any device and move the funds, and a leaked phrase cannot be revoked, only abandoned by moving everything to a fresh wallet.

SparkKitty malware aims at visual data theft

Unlike malware that goes after wallet apps or private keys directly, SparkKitty's focus on image galleries reflects a shift toward exploiting how users store visual data. Many people, newer crypto users especially, screenshot their seed phrase for convenience. Wallet providers discourage the practice, but it remains common, and a screenshot is far easier to reach than a key file: it sits in the one folder every photo-enabled app can ask to read, and it is synced to cloud backups along with everything else. SparkKitty exploits this by scanning the gallery in the background for images whose text matches common seed phrase formats and sending them to servers controlled by the attackers. Kaspersky's write-up notes that not every build bothers to filter: several versions simply upload every image in the gallery and leave the sifting to the operators, while some Android builds run on-device OCR first to select images that contain text. The recognition appears to be tuned to the 12- and 24-word phrase formats used by popular wallets such as MetaMask, Trust Wallet and Phantom. Kaspersky stated that while the bulk of infections appear concentrated in Southeast Asia and China, the distribution method, social media plus the official stores, scales easily; the same campaign could be pointed at other regions or user groups with minimal changes to the code.

Apple and Google take down apps, review system under scrutiny

Following Kaspersky's alert, Apple and Google removed the flagged apps from their platforms. Questions remain over how they passed initial review. The profile-based distribution, however, is not an operating system vulnerability: the profiles sidestep App Review, not the permission model, and the weak point is a user who can be talked into installing an unknown profile and then granting gallery access to the app it delivers. Kaspersky warned that the campaign may still be active in less regulated app marketplaces or via direct APK downloads.

Security teams have been watching for the same behavioural pattern in newer apps, especially those built around crypto-only features or decentralised finance (DeFi) tools: a wallet tracker or chat app with no obvious need for the whole photo library that asks for it anyway. Users are urged not to keep seed phrases in their photo gallery, not to install unknown profiles, and not to grant gallery access to untrusted apps. On current iOS and Android versions the limited photo picker lets you hand an app a single image without exposing the rest of the library, and any existing screenshot of a seed phrase should be deleted (and the phrase rotated if the device is suspect). Several crypto influencers and security accounts on Twitter and Telegram have also circulated warnings about the incident. Kaspersky's team continues to track SparkKitty's network infrastructure and has shared indicators of compromise with the relevant cyber authorities.
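One way a defender can check their own screenshots for the kind of content SparkKitty hunts for, as an added example rather than Kaspersky's or the malware's code: it takes the text an OCR step has already produced (the samples below are constructed), flags a numbered 12- to 24-word grid the way wallet apps lay a phrase out, and, if a BIP-39 English wordlist file is available at the assumed path `english.txt` (or `$BIP39_WORDLIST`), also catches unnumbered phrases by checking every window of a valid length against the wordlist and the BIP-39 checksum. The checksum verification itself is the real BIP-39 rule (the last n/3 bits of the 11n-bit word sequence must equal the leading bits of SHA-256 over the entropy), so it works on any list of word indices.

```python
"""Triage OCR text from gallery screenshots for exposed BIP-39 seed phrases.

Added example, not Kaspersky's or SparkKitty's code. The OCR step (e.g.
tesseract) is assumed to have run already; SAMPLE_OCR and BENIGN_OCR are
constructed. The wordlist path is an assumption: without the file only the
numbered-grid heuristic runs.
"""
import hashlib
import os
import re

WORDLIST_PATH = os.environ.get("BIP39_WORDLIST", "english.txt")  # assumed
VALID_LENGTHS = (12, 15, 18, 21, 24)

# Wallet UIs show "1. apple  2. brick ..."; OCR keeps the numbers, and a
# two-column grid may come out in column order, so words are keyed by number.
NUMBERED_RE = re.compile(r"\b(\d{1,2})\s*[.):\-]?\s*([a-z]+)\b")
WORD_RE = re.compile(r"\b[a-z]+\b")


def load_wordlist(path=WORDLIST_PATH):
    """Return the 2048-word BIP-39 list, or None when the file is absent."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        words = [line.strip() for line in fh if line.strip()]
    return words if len(words) == 2048 else None


def verify_checksum(indices):
    """BIP-39: n words carry 11n bits = ENT entropy bits + ENT/32 checksum
    bits, the checksum being the leading bits of SHA-256(entropy)."""
    n = len(indices)
    if n not in VALID_LENGTHS or any(not 0 <= i < 2048 for i in indices):
        return False
    bits = "".join(format(i, "011b") for i in indices)
    cs_len = n // 3  # ENT/32 with ENT = 32n/3
    ent_bits, checksum = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return checksum == expected


def numbered_candidate(text):
    """Words laid out as a numbered grid 1..n for a valid n, longest first."""
    by_num = {}
    for num, word in NUMBERED_RE.findall(text.lower()):
        by_num.setdefault(int(num), word)
    for length in sorted(VALID_LENGTHS, reverse=True):
        if all(i in by_num for i in range(1, length + 1)):
            return [by_num[i] for i in range(1, length + 1)]
    return None


def windowed_candidates(text, wordlist):
    """Unnumbered phrases: every window of a valid length whose words are all
    in the wordlist and whose checksum verifies."""
    index = {w: i for i, w in enumerate(wordlist)}
    words = WORD_RE.findall(text.lower())
    hits = []
    for length in VALID_LENGTHS:
        for start in range(len(words) - length + 1):
            window = words[start:start + length]
            if all(w in index for w in window) and verify_checksum(
                [index[w] for w in window]
            ):
                hits.append(window)
    return hits


def triage(ocr_text, wordlist=None):
    """Return candidate seed phrases found in one screenshot's OCR text."""
    hits = []
    grid = numbered_candidate(ocr_text)
    if grid is not None:
        hits.append(grid)
    if wordlist:
        index = {w: i for i, w in enumerate(wordlist)}
        # With a wordlist, a numbered list that is not a valid phrase is noise.
        if grid is not None and not (
            all(w in index for w in grid)
            and verify_checksum([index[w] for w in grid])
        ):
            hits.remove(grid)
        for window in windowed_candidates(ocr_text, wordlist):
            if window not in hits:
                hits.append(window)
    return hits


# Constructed OCR output: a wallet's recovery-phrase screen showing the BIP-39
# all-zero-entropy test vector (so the checksum verifies), and a benign
# balance screen that also contains numbers followed by words.
SAMPLE_OCR = """Your Secret Recovery Phrase
Write it down and never share it.
1. abandon   2. abandon   3. abandon
4. abandon   5. abandon   6. abandon
7. abandon   8. abandon   9. abandon
10. abandon  11. abandon  12. about
Continue"""

BENIGN_OCR = """Balance 1,234.56 USDT
2 pending transactions
Sent 0.5 ETH to 0x7a3..."""

if __name__ == "__main__":
    wl = load_wordlist()
    for name, text in (("wallet screen", SAMPLE_OCR), ("balance screen", BENIGN_OCR)):
        print(name, "->", triage(text, wl))
```

Run it over the text produced by OCR of each screenshot; a non-empty result means the image should be deleted and the phrase treated as exposed. Without the wordlist the tool only recognises the numbered layout, so a phrase typed into a notes app will be missed; with it, any valid phrase is found regardless of layout, and numbered lists that are not real phrases are discarded.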


Source: Invezz
