iPhone Malware STEALS Private Photos


SparkKitty malware has infiltrated official app stores, stealing users’ photos to access cryptocurrency wallets and sensitive information without detection.

Key Takeaways

  • SparkKitty malware has compromised both Apple App Store and Google Play Store, targeting users’ photo galleries to steal cryptocurrency wallet recovery phrases
  • The malware uses optical character recognition (OCR) technology to scan and extract text from screenshots containing sensitive information
  • At least two apps—币coin on Apple’s App Store and SOEX on Google Play (downloaded over 10,000 times)—were confirmed to contain the malware before removal
  • Users should delete sensitive screenshots, scrutinize app permissions, and store cryptocurrency recovery phrases offline to protect themselves

Dangerous Malware Bypasses Official App Store Protections

A sophisticated new malware strain called SparkKitty has been discovered targeting both iOS and Android users through seemingly legitimate applications that managed to pass security screenings on official app stores. The malware has been active since at least February 2024, compromising users’ devices by gaining access to their photo galleries and scanning for sensitive information, particularly cryptocurrency wallet recovery phrases. Both Google and Apple have since removed the infected apps, but not before thousands of users potentially had their data compromised.

“A dangerous new malware strain targeting smartphone users has managed to sneak on to both the Google Play Store and the Apple App Store without being detected,” according to experts.

According to cybersecurity researchers at Kaspersky, SparkKitty is believed to be an evolution of an earlier malware strain called SparkCat. The malware specifically targets crypto assets by using optical character recognition (OCR) technology to scan through users’ photos looking for text that resembles cryptocurrency wallet seed phrases. Once discovered, these phrases are sent to attackers, who can then drain victims’ cryptocurrency wallets. This sophisticated approach demonstrates how cybercriminals continue to develop increasingly deceptive methods to steal digital assets.

How SparkKitty Operates and Spreads

SparkKitty operates through seemingly legitimate applications that request access to users’ photo galleries on iOS or storage permissions on Android. One of the identified malicious apps, SOEX, appeared as a messaging app with cryptocurrency features and was downloaded over 10,000 times from Google Play before removal. On iOS, another app called 币coin was found to contain the malware. Both apps passed the security screening processes of their respective platforms, highlighting concerns about gaps in app store protections.

“Kaspersky says the SparkKitty malware has been actively distributed across both the Google Play Store and Apple App Store since February 2024, and has also been distributed through unofficial means as well,” stated Kaspersky.

The technical implementation differs between platforms. On iOS, the malware uses the Objective-C ‘+load’ method for execution, while on Android, it’s embedded in Java/Kotlin applications. Some versions employ Google ML Kit OCR to detect and prioritize images containing text. Once installed, the app continuously scans for changes in the photo gallery, looking for new screenshots or images that might contain valuable information, making it particularly dangerous for cryptocurrency holders who may have photographed their recovery phrases.

Platform Responses and User Protection

Both Google and Apple have taken action to remove the identified malicious applications from their stores. Google has banned the developer responsible for the SOEX app and activated Google Play Protect to provide automatic protection for Android users. Apple has not provided detailed information about their response, but the 币coin app has been removed from the App Store. These reactive measures, while necessary, come after potential damage has already occurred to users.

“The reported app has been removed from Google Play and the developer has been banned,” according to Google.

Cybersecurity experts have raised questions about the effectiveness of both Google and Apple’s app review processes. The fact that these malicious apps passed inspection suggests that attackers have become increasingly sophisticated in concealing malicious code. This incident demonstrates how the mobile app ecosystem continues to face challenges in protecting users against evolving threats, particularly those targeting financial assets like cryptocurrency wallets.

How to Protect Yourself from SparkKitty and Similar Threats

To protect against SparkKitty and similar malware, users should immediately delete any screenshots containing sensitive information such as password recovery phrases, banking details, or cryptocurrency wallet seeds. Never store cryptocurrency recovery phrases as screenshots or photos on your device. Instead, use secure password managers or write them down and store them in a physical safe. Be extremely cautious about which apps you download, even from official stores, and carefully review requested permissions.

“Identified by Kaspersky and reported by Bleeping Computer, SparkKitty malware gains access to photo galleries on iOS and Android, allowing it to exfiltrate images or data contained within them, possibly with the goal of stealing victims’ crypto assets as well as other compromising information,” stated Kaspersky.

Before installing any app, verify its authenticity by researching the developer, reading reviews, and checking how long the app has been available. Be particularly suspicious of apps requesting access to your photos, storage, or other sensitive data without a clear legitimate reason. For cryptocurrency holders, consider using hardware wallets that store your assets offline, completely separated from your smartphone. These extra precautions are essential as cybercriminals continue developing increasingly sophisticated methods to bypass security systems.
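One concrete way to act on the permission advice above is to audit which installed Android apps actually hold photo or storage permissions, rather than trusting the install-time prompt you half-remember. The script below is an added example and is not code from the article or from Kaspersky; it parses the text that `adb shell dumpsys package` prints for each package and flags any app that has requested a gallery-related permission, separating grants that are active from requests that were denied. The sample output embedded in the script is constructed to resemble the real format (the `requested permissions:` and `granted=true` lines), and the package names are hypothetical.

```python
"""Flag Android apps holding photo/storage permissions, parsed from
`adb shell dumpsys package` output. Added example; SAMPLE_DUMPSYS is a
constructed approximation of the real dumpsys format, not captured data."""
import re
from dataclasses import dataclass, field

# Permissions that give an app the kind of gallery access SparkKitty abuses.
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",
}

# Constructed sample: one chat app with gallery access, one app without.
SAMPLE_DUMPSYS = """\
Package [com.example.messenger] (a1b2c3):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_MEDIA_IMAGES
    android.permission.READ_EXTERNAL_STORAGE
  install permissions:
    android.permission.INTERNET: granted=true
  User 0: ceDataInode=0 installed=true
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
      android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
Package [com.example.calculator] (d4e5f6):
  requested permissions:
    android.permission.INTERNET
  install permissions:
    android.permission.INTERNET: granted=true
"""

PACKAGE_RE = re.compile(r"^Package \[([\w.]+)\]", re.M)
# A bare permission name on its own line (the "requested permissions:" block).
PERM_LINE_RE = re.compile(r"^[ \t]+(android\.permission\.[A-Z_]+)[ \t]*$", re.M)
# A permission with its grant state (install or runtime permission blocks).
GRANT_RE = re.compile(r"(android\.permission\.[A-Z_]+): granted=(true|false)")


@dataclass
class PackagePerms:
    name: str
    requested: set = field(default_factory=set)
    granted: set = field(default_factory=set)


def parse_dumpsys(text):
    """Split dumpsys output into per-package sections and collect
    every permission each package requested and every one it was granted."""
    packages = []
    headers = list(PACKAGE_RE.finditer(text))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        section = text[header.end():end]
        pkg = PackagePerms(header.group(1))
        pkg.requested.update(PERM_LINE_RE.findall(section))
        for perm, state in GRANT_RE.findall(section):
            pkg.requested.add(perm)  # a granted permission was necessarily requested
            if state == "true":
                pkg.granted.add(perm)
        packages.append(pkg)
    return packages


def flag_photo_access(text):
    """Return {package: {"granted": [...], "requested_only": [...]}} for
    every package that asks for any gallery/storage permission. Apps that
    never requested one are omitted, so the output is a short review list."""
    findings = {}
    for pkg in parse_dumpsys(text):
        photo_requested = pkg.requested & PHOTO_PERMISSIONS
        if not photo_requested:
            continue
        findings[pkg.name] = {
            "granted": sorted(photo_requested & pkg.granted),
            "requested_only": sorted(photo_requested - pkg.granted),
        }
    return findings


if __name__ == "__main__":
    # In practice: adb shell dumpsys package > dump.txt, then read that file here.
    for name, info in flag_photo_access(SAMPLE_DUMPSYS).items():
        print(f"{name}: granted={info['granted']} denied/pending={info['requested_only']}")
```

Run it against a real capture by saving `adb shell dumpsys package` to a file and passing its contents to `flag_photo_access`. An app listed under `granted` has live gallery access today; if it is a messaging or trading app with no obvious need for your photos, that is exactly the pattern the article describes, and revoking the permission in Settings (or uninstalling the app) is the immediate fix.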