App Breach EXPOSES Thousands—Nobody Noticed


New SparkKitty malware steals your cryptocurrency by scanning screenshots on your phone, compromising both Android and iOS devices through seemingly legitimate apps that infiltrated official app stores.

Key Takeaways

  • SparkKitty malware targets both Android and iOS devices through official app stores, stealing photos to extract cryptocurrency wallet recovery phrases
  • The malware uses optical character recognition (OCR) technology to scan screenshots for sensitive information like crypto wallet seed phrases
  • Infected apps like 币coin (Apple App Store) and SOEX (Google Play) have been removed, but the threat continues through unofficial distribution channels
  • Users should never store cryptocurrency recovery phrases or sensitive information as screenshots and should be extremely cautious about granting photo access permissions

How SparkKitty Infiltrates Your Device

Security researchers have identified a sophisticated new malware strain targeting smartphone users across both major mobile platforms. SparkKitty, believed to be an evolution of the earlier SparkCat malware, has successfully penetrated both the Google Play Store and Apple App Store, putting millions of users at risk. The malware disguises itself within seemingly legitimate applications that request access to your device’s photo gallery during installation. Once granted, it scans your images for sensitive information, particularly focusing on cryptocurrency wallet recovery phrases.

“A dangerous new malware strain targeting smartphone users has managed to sneak onto both the Google Play Store and the Apple App Store without being detected, experts have warned,” according to experts.

The malicious apps identified include one named 币coin on the Apple App Store and SOEX on Google Play, with the latter being downloaded over 10,000 times before its removal. SOEX presented itself as a messaging application with cryptocurrency features, perfectly disguising its true intent. On iOS devices, SparkKitty uses the Objective-C ‘+load’ method for execution, while on Android, it operates through Java/Kotlin applications. The comprehensive cross-platform approach demonstrates the sophisticated nature of this threat and the determination of its creators.

How SparkKitty Steals Your Data

What makes SparkKitty particularly dangerous is its sophisticated use of optical character recognition (OCR) technology. After gaining access to your photo gallery, the malware scans all images for text, specifically looking for patterns that match cryptocurrency wallet recovery phrases. Many crypto users make the critical mistake of taking screenshots of their recovery phrases for “safekeeping,” creating a perfect opportunity for this type of attack. The malware continuously monitors for new images, re-scanning when changes are detected.

“Kaspersky says the SparkKitty malware has been actively distributed across both the Google Play Store and Apple App Store since February 2024, and has also been distributed through unofficial means as well,” said Kaspersky.

Some versions of SparkKitty employ Google ML Kit OCR to detect and upload images containing text to the attackers’ servers. While the primary target appears to be cryptocurrency theft, the indiscriminate nature of the image collection raises serious concerns about other potential privacy violations. Security experts note that while there is no current evidence of extortion using personal photos, the capability certainly exists. This indiscriminate data collection approach represents a significant evolution in mobile malware tactics.

Platform Responses and Protection Measures

Both Google and Apple have taken action to remove the identified malicious applications from their respective app stores. Google has confirmed that the malicious app has been removed and the developer banned from their platform. Google Play Protect is now programmed to identify and block this threat, providing some automated protection for Android users. Apple has not publicly commented on the situation, though the malicious apps have been removed from their store as well.

“The reported app has been removed from Google Play and the developer has been banned,” stated Google.

To protect yourself from SparkKitty and similar threats, security experts recommend several critical steps. First, never store cryptocurrency recovery phrases or other sensitive information as screenshots on your device. Instead, use secure password managers or physical paper storage kept in a safe location. Second, carefully scrutinize all app permission requests, particularly those seeking access to photos or storage. Third, verify app authenticity by checking developer reputation and reading reviews before downloading. These common-sense measures significantly reduce your risk of compromise.
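The second recommendation above, scrutinizing which apps hold photo access, is easier to act on with a quick inventory. The script below is an added example, not code from the article or from Kaspersky. It parses the text that the real Android command `adb shell dumpsys package` prints and lists every package that currently holds a photo or media read permission. The `SAMPLE_DUMPSYS` text is constructed to resemble that output; the exact field layout varies between Android versions, so the regular expressions are an assumption to adjust against a real dump.

```python
"""
Inventory which installed Android apps hold photo/media read permissions,
by parsing the output of `adb shell dumpsys package`.

Added example, not from the original article. The sample text below is
constructed to look like dumpsys output; real output differs by Android
version, so treat the two regular expressions as a starting point.
"""
import re

# Permissions that give an app read access to the photo gallery.
# READ_MEDIA_IMAGES (Android 13+), the older READ_EXTERNAL_STORAGE, and
# READ_MEDIA_VISUAL_USER_SELECTED (Android 14 "selected photos" grant)
# are real Android permission names.
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",
}

# "Package [com.example.app] (hash):" opens each package record.
PACKAGE_RE = re.compile(r"^Package \[([\w.]+)\]")
# "android.permission.X: granted=true, flags=[...]" appears under both the
# install-permissions and runtime-permissions sections.
GRANT_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")

# Constructed sample: three hypothetical packages, one of which holds
# READ_MEDIA_IMAGES at runtime, one that requested but was denied storage
# access, and one with no media permission at all.
SAMPLE_DUMPSYS = """\
Package [com.example.chatwallet] (7a1b2c3):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_MEDIA_IMAGES
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
Package [com.example.flashlight] (9d8e7f6):
    userId=10235
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
Package [com.example.notes] (1f2e3d4):
    userId=10236
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""


def parse_granted_permissions(dumpsys_text):
    """Return {package: set of permission names currently granted=true}."""
    grants = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            grants.setdefault(current, set())
            continue
        if current is None:
            continue  # header text before the first package record
        grant = GRANT_RE.match(line)
        if grant and grant.group(2) == "true":
            grants[current].add(grant.group(1))
    return grants


def apps_with_photo_access(dumpsys_text, watch=PHOTO_PERMISSIONS):
    """Return {package: sorted photo permissions held}, only for apps holding at least one."""
    report = {}
    for pkg, perms in parse_granted_permissions(dumpsys_text).items():
        held = sorted(perms & watch)
        if held:
            report[pkg] = held
    return report


if __name__ == "__main__":
    # With a device attached and USB debugging enabled:
    #   adb shell dumpsys package > dump.txt
    # then replace SAMPLE_DUMPSYS with open("dump.txt").read().
    for pkg, perms in apps_with_photo_access(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {', '.join(perms)}")
```

Every package the script prints is one whose stated purpose should justify gallery access; a messaging or utility app holding `READ_MEDIA_IMAGES` is exactly the permission-to-purpose mismatch the article warns about, and the grant can be revoked in Settings without uninstalling the app.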

The Broader Threat Landscape

SparkKitty represents a concerning trend in malware development, where attackers are finding increasingly sophisticated ways to bypass security measures on official app stores. The malware’s ability to target both major mobile platforms simultaneously demonstrates the growing sophistication of mobile threats. Users must understand that even applications downloaded from official sources can potentially contain malicious code, especially when requesting extensive permissions that don’t align with their stated purpose.

“Identified by Kaspersky and reported by Bleeping Computer, SparkKitty malware gains access to photo galleries on iOS and Android, allowing it to exfiltrate images or data contained within them, possibly with the goal of stealing victims’ crypto assets as well as other compromising information,” said Kaspersky.

The targeting of cryptocurrency assets reflects the criminals’ focus on financial gain with minimal effort. As digital currency adoption continues to grow among conservative investors seeking alternatives to traditional banking systems, protecting these assets becomes increasingly important. President Trump’s supporters, many of whom have embraced cryptocurrency as a hedge against inflation and government overreach, should be particularly vigilant about these types of threats that can quickly drain digital wallets without recourse or recovery options.