A new mobile crypto-stealing malware, SparkKitty, was discovered in applications available on Google Play and the Apple App Store, impacting both Android and iOS devices by exfiltrating user images.
SparkKitty represents a potential evolution of SparkCat, malware previously identified by Kaspersky in January. SparkCat specifically targeted cryptocurrency wallet recovery phrases by employing optical character recognition (OCR) technology to extract these phrases from images stored on infected devices. Cryptocurrency wallet recovery phrases, also known as seed phrases, are critical for accessing and restoring digital assets. During the setup of a crypto wallet, users are typically advised to record this phrase and store it securely offline.
The ability to access a seed phrase grants complete control over a user’s cryptocurrency holdings, rendering these phrases highly valuable to malicious actors. While the practice of screenshotting a seed phrase is generally discouraged due to security risks, some individuals capture these images for convenience. The report from Kaspersky indicates that SparkKitty operates with broader functionality, indiscriminately exfiltrating all images found within an infected device’s photo gallery.
Kaspersky researchers posit that a primary objective of this malware remains the acquisition of crypto wallet seed phrases, recognizing their inherent value to attackers. However, the comprehensive nature of image theft by SparkKitty introduces additional risks, as the stolen data could be exploited for other illicit purposes, including blackmail, particularly if the images contain sensitive personal content.
The SparkKitty campaign has demonstrated activity since at least February 2024, disseminating through both official application distribution platforms, namely Google Play and the Apple App Store, and various unofficial channels. Kaspersky identified specific malicious applications associated with this campaign: “币coin” on the Apple App Store and “SOEX” on Google Play. Both applications had been removed from their respective stores by the time of the report’s publication.
SOEX, specifically, functioned as a messaging application integrating cryptocurrency exchange functionalities and achieved over 10,000 downloads from the official Android app store. Beyond these official store listings, Kaspersky also detected modified versions of TikTok clones that incorporated counterfeit online cryptocurrency stores, in addition to gambling and casino applications infected with SparkKitty, all distributed through unofficial means.
The implementation of SparkKitty varies between iOS and Android platforms. On iOS devices, the malware is embedded within applications as deceptive frameworks, such as AFNetworking.framework and libswiftDarwin.dylib. In certain instances, it is delivered via enterprise provisioning profiles, which are typically used by organizations for internal app distribution. The malicious framework on iOS utilizes the Objective-C ‘+load’ method to ensure its code automatically executes upon the application’s launch.
A configuration verification process is initiated by reading specific keys from the application’s Info.plist file, with execution proceeding only if the retrieved values correspond to predefined strings. On Android devices, SparkKitty is integrated into Java/Kotlin-based applications. Some variants leverage malicious Xposed/LSPosed modules, which are frameworks designed to modify the behavior of Android applications and the operating system itself. On Android, the malware is activated either immediately upon app launch or in response to specific user interactions, such as navigating to a particular screen type within the application. Upon activation, the malware proceeds to retrieve and decrypt a remote configuration file. This decryption process employs AES-256 in ECB mode to obtain the command and control (C2) URLs, which are essential for communicating with the malware’s operators.
Microsoft’s long and patient hunt for the Lumma Stealer malware finally paid off big
The method for photo exfiltration also differs across operating systems. On iOS, the malware directly requests access to the device’s photo gallery. If this permission is granted by the user, SparkKitty then continuously monitors the gallery for any changes, subsequently exfiltrating new images as they are added or any previously unuploaded images. On Android, the malicious application prompts the user to grant storage permissions, which are necessary for accessing images.
If the user approves these permissions, the malware uploads images from the gallery, along with various device identifiers and metadata. Kaspersky’s analysis revealed that some versions of SparkKitty on Android incorporate Google ML Kit OCR, enabling them to detect and selectively upload only those images that contain text. This targeted approach suggests a continued focus on information like seed phrases, even within a broader image theft operation.
Google confirmed the removal of the SOEX app from Google Play and stated that the associated developer has been banned. Google also indicated that Android users are automatically protected from this application, regardless of its download source, by Google Play Protect, which is enabled by default on Android devices equipped with Google Play Services.
