
SparkKitty, a sophisticated new malware, has infiltrated official app stores to steal your crypto wallet information directly from photos stored on your phone.
Key Takeaways
- SparkKitty malware has infected both Apple App Store and Google Play Store apps since February 2024, potentially compromising thousands of devices.
- The malware specifically targets cryptocurrency wallet recovery phrases by scanning photos using optical character recognition (OCR) technology.
- Infected apps like “币coin” (Apple) and “SOEX” (Google) requested photo gallery access to steal sensitive information.
- Users should never store wallet seed phrases as screenshots and should immediately review app permissions on their devices.
- Both Google and Apple have removed identified malicious apps, but users remain vulnerable to future sophisticated attacks.
Hidden Threat in Trusted App Stores
In a concerning development for mobile device users, cybersecurity researchers have identified a dangerous malware strain called SparkKitty that successfully penetrated both the Google Play Store and Apple App Store. The malware specifically targets cryptocurrency holders by scanning through their photo galleries to identify and steal wallet recovery phrases. Unlike typical malware that requires installation from unofficial sources, SparkKitty managed to bypass the security protocols of official app stores, putting millions of users at risk without their knowledge.
“A dangerous new malware strain targeting smartphone users has managed to sneak onto both the Google Play Store and the Apple App Store without being detected, experts have warned,” according to experts.
According to cybersecurity firm Kaspersky, which discovered the threat, SparkKitty appears to be an evolution of a previous malware called SparkCat. The malicious software has been operating since at least February 2024, with one infected Android app called SOEX downloaded more than 10,000 times before being removed. On Apple’s App Store, an app called “币coin” carried the malware until it was recently taken down. Both apps disguised themselves as legitimate cryptocurrency or messaging applications with crypto features to attract potential victims.
How SparkKitty Attacks Your Device
SparkKitty employs a deceptively simple yet effective strategy to compromise users’ digital assets. After installation, the malware immediately requests permission to access the device’s photo gallery on iOS or storage permissions on Android. Many users grant these permissions without a second thought, especially when the app seems to have a legitimate purpose. Once granted access, SparkKitty begins scanning all images on the device using optical character recognition (OCR) technology, specifically looking for text patterns that match cryptocurrency wallet recovery phrases.
“Kaspersky says the SparkKitty malware has been actively distributed across both the Google Play Store and Apple App Store since February 2024, and has also been distributed through unofficial means as well,” said Kaspersky.
The technical implementation varies slightly between operating systems. On iOS devices, SparkKitty uses the Objective-C ‘+load’ method to execute its malicious code, while on Android, it operates through Java/Kotlin applications. Some versions of the malware utilize Google ML Kit OCR technology to detect and upload images containing text. The malware continuously monitors the photo gallery, re-scanning whenever changes are detected to ensure no potential target is missed. This persistence makes SparkKitty particularly dangerous, as it can wait patiently for users to create new screenshots of sensitive information.
Protecting Your Digital Assets
In response to the discovery, Google has taken swift action against the identified threat. “The reported app has been removed from Google Play and the developer has been banned,” stated Google.
While both Google and Apple have removed the known malicious apps from their stores, the threat of similar attacks remains high. President Trump’s administration has consistently emphasized the importance of cybersecurity and protecting American consumers from foreign threats in our digital infrastructure. The SparkKitty incident highlights how even trusted platforms can be compromised by sophisticated actors. To protect yourself from this and similar threats, cryptocurrency holders should never store wallet recovery phrases as screenshots or photos on mobile devices. Instead, use offline storage methods such as physical paper records kept in secure locations.
“Identified by Kaspersky and reported by Bleeping Computer, SparkKitty malware gains access to photo galleries on iOS and Android, allowing it to exfiltrate images or data contained within them, possibly with the goal of stealing victims’ crypto assets as well as other compromising information,” said Kaspersky.
All mobile users should immediately review the permissions granted to apps on their devices, particularly focusing on applications that requested access to photos or storage. Be vigilant when installing new apps, even from official stores, by checking developer credibility, reading reviews, and questioning why an app might need extensive permissions. For storing sensitive information, consider using dedicated encrypted storage vaults provided by reputable password managers rather than keeping screenshots. The continued evolution of malware like SparkKitty demonstrates why constant vigilance is necessary to protect our digital lives and financial assets.
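The permission review recommended above can be automated on Android. The following added example (not code from the article or from Kaspersky) parses the output of `adb shell dumpsys package` and lists every package currently granted a photo or storage permission, which is the access SparkKitty asks for; the dump below is a constructed sample in that output's shape, and the package names are hypothetical.

```python
import re
from typing import Dict, List

# Runtime permissions that give an app the gallery access SparkKitty abuses.
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

# Constructed sample in the shape of `adb shell dumpsys package` output.
# Package names and hashes are hypothetical.
SAMPLE_DUMPSYS = """
Packages:
  Package [com.example.wallet] (1a2b3c):
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
  Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
  Package [com.example.flashlight] (7a8b9c):
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted(dump: str) -> Dict[str, List[str]]:
    """Map each package in the dump to the runtime permissions it holds."""
    granted: Dict[str, List[str]] = {}
    current = None
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted.setdefault(current, [])
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true":
            granted[current].append(perm.group(1))
    return granted


def apps_with_photo_access(dump: str) -> List[str]:
    """Packages that should be reviewed because they can read the gallery."""
    return sorted(pkg for pkg, perms in parse_granted(dump).items()
                  if PHOTO_PERMISSIONS & set(perms))


if __name__ == "__main__":
    for pkg in apps_with_photo_access(SAMPLE_DUMPSYS):
        print("review photo access:", pkg)
```

On a real device, feed it the output of `adb shell dumpsys package` and revoke access from any app whose stated purpose does not require your photos.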