Kaspersky Warns SparkKitty Malware May Target Bitcoin Seed Phrases on Mobile Devices

  • Kaspersky has uncovered SparkKitty, a new malware targeting iOS and Android devices to steal photos in search of crypto wallet seed phrases.

  • The malware is distributed through seemingly legitimate apps with crypto-related themes, as well as casino and adult games, primarily affecting users in Southeast Asia and China.

  • According to Kaspersky analysts Sergey Puzan and Dmitry Kalinin, SparkKitty shares origins with the earlier SparkCat malware but operates more aggressively by indiscriminately stealing all images from infected devices.

New SparkKitty malware targets crypto users by stealing photos for seed phrases, spreading via crypto-themed apps mainly in Southeast Asia and China, warns Kaspersky.

Emergence of SparkKitty Malware: A New Threat to Crypto Wallet Security

Kaspersky’s recent discovery of the SparkKitty malware signals an alarming development in the cybersecurity landscape targeting cryptocurrency holders. Unlike traditional malware that selectively targets sensitive data, SparkKitty indiscriminately steals all images from infected devices, increasing the risk of exposing critical information such as crypto wallet seed phrases. This aggressive approach underscores the evolving tactics cybercriminals employ to exploit the growing crypto ecosystem. The malware’s ability to infiltrate both iOS and Android platforms through apps available on official stores highlights significant vulnerabilities in app vetting processes.

Distribution Through Crypto-Themed and Malicious Apps

SparkKitty’s propagation leverages apps that appear legitimate and cater to cryptocurrency users. Notably, Kaspersky identified two primary apps delivering the malware: 币coin, a crypto information tracker on the Apple App Store, and SOEX, a messaging app with crypto exchange features on Google Play. The latter amassed over 10,000 installs before removal. These apps exploit the trust of crypto enthusiasts by embedding malicious code within familiar interfaces. Additionally, the malware’s presence in casino apps, adult-themed games, and fake TikTok clones demonstrates a broad distribution strategy designed to maximize infection rates across diverse user bases.

Connection Between SparkKitty and SparkCat Malware Families

Technical analysis reveals that SparkKitty is closely related to the previously identified SparkCat malware, both designed to extract crypto wallet recovery phrases from users’ photo galleries. Kaspersky’s experts, Sergey Puzan and Dmitry Kalinin, note that the shared file paths and similar functionalities suggest a common origin. However, SparkKitty’s indiscriminate photo theft marks a strategic shift, increasing the volume of stolen data and potential exposure of other sensitive information. Despite lacking advanced technical complexity, the persistence of this campaign since early 2024 emphasizes its effectiveness and the ongoing threat it poses to crypto users worldwide.

Geographical Focus and Potential Global Impact

The malware campaign primarily targets users in Southeast Asia and China, regions identified through the distribution channels and app content. The inclusion of Chinese gambling games and localized adult content indicates a tailored approach to regional user behavior. Nevertheless, Kaspersky warns that SparkKitty’s design imposes no technical restrictions limiting its spread, meaning users outside these regions remain vulnerable. This global risk necessitates heightened vigilance among crypto holders and app store regulators alike to prevent further proliferation.

Mitigation and User Protection Strategies

In light of SparkKitty’s emergence, users are advised to exercise caution when downloading apps, especially those claiming crypto functionality. Verifying an app’s legitimacy through official developer channels and monitoring the permissions it requests can reduce infection risk. Security experts recommend regularly backing up seed phrases to offline storage and using hardware wallets to minimize exposure. Furthermore, app stores must enhance their screening processes to detect and remove malicious applications swiftly, safeguarding the broader crypto community.
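One way to carry out the permission monitoring mentioned above on Android, as an added example that is not from Kaspersky or the original article: the script lists which installed packages currently hold a granted gallery-read permission, given the text output of `adb shell dumpsys package`. The sample dump and its package names are constructed, and the check does not cover iOS.

```python
import re

# Android runtime permissions that let an app read gallery images.
GALLERY_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",  # Android 12 and earlier
    "android.permission.READ_MEDIA_IMAGES",      # Android 13 and later
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
SHARED_RE = re.compile(r"^\s*SharedUser \[")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def gallery_readers(dump_text):
    """Map package name -> sorted list of gallery permissions currently granted."""
    found = {}
    pkg = None
    for line in dump_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            continue
        if SHARED_RE.match(line):
            pkg = None  # shared-user blocks are not attributed to a package
            continue
        m = PERM_RE.match(line)
        if m and pkg and m.group(1) in GALLERY_PERMS and m.group(2) == "true":
            found.setdefault(pkg, set()).add(m.group(1))
    return {p: sorted(perms) for p, perms in found.items()}


# Constructed sample in the layout of `adb shell dumpsys package`.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.cointracker] (1a2b3c4):
    requested permissions:
      android.permission.READ_MEDIA_IMAGES
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (5d6e7f8):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
"""

if __name__ == "__main__":
    for name, perms in gallery_readers(SAMPLE_DUMP).items():
        print(name, ", ".join(perms))
```

Any app on the resulting list that has no clear need for photo access is a candidate for having the permission revoked in system settings.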

Conclusion

SparkKitty represents a significant cybersecurity threat to cryptocurrency users by exploiting mobile platforms to harvest sensitive data indiscriminately. Its distribution through trusted-looking crypto apps and other popular categories highlights the need for increased awareness and robust security practices. While primarily targeting Southeast Asia and China, the malware’s potential for global impact calls for coordinated efforts between users, developers, and platform providers to mitigate risks. Staying informed and adopting stringent security measures remain critical in protecting digital assets from evolving malware threats.
