
Malware SparkKitty targets crypto wallets via infected apps
Advanced mobile malware named SparkKitty has infiltrated both the Apple App Store and Google Play, targeting users’ cryptocurrency wallets. This campaign, active since February 2024, mainly affects users in Southeast Asia and China, according to cyber security firm Kaspersky.
SparkKitty poses as legitimate applications such as TikTok mods, crypto wallet trackers, gambling games and adult content apps, and requests access to photo galleries under seemingly innocent pretexts. Infected apps, including Soex Wallet Tracker and Coin Wallet Pro, have bypassed security measures and accumulated thousands of downloads.
On iOS devices, the malware hides in modified builds of third-party frameworks such as AFNetworking, distributed through Apple’s enterprise provisioning system to install applications outside the App Store and bypass its review. The corrupted framework retains its original functionality but secretly contains photo-stealing capabilities that are activated when specific conditions are met. On Android, the malicious code is embedded directly into the apps’ entry points, using cryptocurrency themes to attract victims.
SparkKitty’s most dangerous feature is its use of optical character recognition (OCR). Using Google ML Kit, it automatically identifies and extracts crypto-related information from photo galleries without any manual review. Unlike earlier malware that relied on bulk theft and manual analysis, SparkKitty targets private keys and wallet addresses that users often screenshot for backup, a practice discouraged because of exactly this security risk.
The malware’s OCR implementation demonstrates sophisticated pattern recognition, filtering images based on text content and sending only those images containing crypto-related information to command and control servers. This targeted approach minimises data transfer while maximising the value of stolen information, allowing attackers to efficiently process larger groups of victims.
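The filtering step described above (run OCR over every image, keep only those whose text looks like a seed phrase or wallet address) is the same check a defender can run over their own gallery to find screenshots that should never have been taken. The following is an added illustration, not code from the article or from Kaspersky’s analysis: it assumes OCR output has already been produced (e.g. by a tool such as ML Kit or Tesseract) and works on that text; the BIP39 wordlist here is a small constructed subset of the real 2048-word list, the address patterns are syntactic only (no checksum validation), and the image names and OCR strings are constructed sample data.

```python
import re

# Constructed subset of the BIP39 English wordlist. The real list has 2048
# words; an actual audit tool would load the full list. Every word below is a
# genuine BIP39 word.
BIP39_SUBSET = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "accuse",
    "achieve", "acid", "acoustic", "acquire", "across", "act", "action",
    "actor", "actress", "actual", "adapt", "add", "addict", "address",
    "legal", "zoo", "zero", "zone", "zebra", "youth", "young", "yellow",
    "wrong", "write", "wrist", "world", "work", "word", "wolf", "wise",
}

# EVM-style address (Ethereum and compatible chains): 0x plus 40 hex digits.
EVM_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
# Bitcoin bech32 (bc1...) or legacy base58 (1.../3...) shapes, syntax only.
BTC_ADDRESS = re.compile(
    r"\b(?:bc1[02-9ac-hj-np-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"
)


def longest_wordlist_run(tokens):
    """Length of the longest run of consecutive tokens that are BIP39 words."""
    best = run = 0
    for tok in tokens:
        run = run + 1 if tok in BIP39_SUBSET else 0
        best = max(best, run)
    return best


def classify_ocr_text(text):
    """Return the sensitive-content categories found in one image's OCR text.

    Categories mirror what the article says SparkKitty hunts for:
      'seed_phrase' : 12 or more consecutive wordlist words
      'evm_address' : a 0x... address
      'btc_address' : a bc1... / 1... / 3... address
    An empty list means the image looks benign.
    """
    findings = []
    # Numbering such as "1." in a wallet's recovery screen is dropped here;
    # only alphabetic tokens are compared against the wordlist.
    tokens = re.findall(r"[a-z]+", text.lower())
    if longest_wordlist_run(tokens) >= 12:
        findings.append("seed_phrase")
    if EVM_ADDRESS.search(text):
        findings.append("evm_address")
    if BTC_ADDRESS.search(text):
        findings.append("btc_address")
    return findings


def audit_gallery(ocr_results):
    """Map image name -> findings, keeping only images that were flagged."""
    flagged = {}
    for name, text in ocr_results.items():
        findings = classify_ocr_text(text)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed OCR output for three hypothetical gallery images: a recovery
# phrase screenshot, a deposit-address screenshot, and an ordinary receipt.
SAMPLE_OCR = {
    "IMG_0001.png": (
        "Write down your recovery phrase\n"
        "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
        "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident"
    ),
    "IMG_0002.png": "Deposit address: 0x" + "ab" * 20 + "\nNetwork: Ethereum",
    "IMG_0003.png": "Lunch receipt  Total 12.40  Thank you for your visit",
}

if __name__ == "__main__":
    for name, findings in audit_gallery(SAMPLE_OCR).items():
        print(f"{name}: {', '.join(findings)} -> remove from gallery")
```

Run against a real gallery, the flagged list is the set of images a user should delete (and move the secret to a proper backup), since any app granted gallery access can apply the same filter. The 12-word threshold deliberately ignores isolated wordlist hits such as "address" or "write", which are ordinary English; only a long unbroken run of dictionary words is characteristic of a recovery phrase.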
Further research revealed more sophisticated implementations. Some versions target the backup procedure itself by displaying false security warnings and pressuring users, via social engineering, into revealing their seed phrases; an accessibility logger then captures this information directly rather than relying solely on existing screenshots.
Beyond individual theft, SparkKitty’s impact extends to systematic crypto mining. Related campaigns such as the Librarian Ghouls APT group combine credential theft with unauthorised Monero mining on compromised devices. These dual-purpose attacks generate ongoing revenue streams for cybercriminals, who steal existing crypto assets and use victims’ computing resources for additional digital asset mining, effectively turning compromised devices into profitable infrastructure.
Business AM