SparkKitty Malware Steals Crypto Wallet Data from 5,000+ Users
Kaspersky has identified a new mobile malware campaign named SparkKitty, which has successfully infiltrated both Apple’s App Store and Google Play. This malware specifically targets screenshots of crypto wallet seed phrases stored in users’ photo galleries. The malware uses optical character recognition (OCR) technology to scan and exfiltrate images containing sensitive crypto wallet information from iOS and Android devices.
The campaign, which has been active since at least February 2024, primarily targets users in Southeast Asia and China. The malware disguises itself as various applications, including TikTok mods, crypto portfolio trackers, gambling games, and adult content applications. These apps request photo gallery access under seemingly legitimate pretenses, allowing the malware to bypass official app store security measures.
Two notable examples of infected apps include Soex Wallet Tracker, which masqueraded as a portfolio management app and was downloaded over 5,000 times from Google Play, and Coin Wallet Pro, which marketed itself as a secure multi-chain wallet. These apps were promoted through social media ads and Telegram channels, further deceiving users into downloading them.
On iOS devices, the malware disguises itself as modified versions of popular frameworks like AFNetworking or Alamofire. It exploits Apple’s Enterprise provisioning profile system, which allows organizations to distribute internal apps without App Store approval. This system provides cybercriminals with a pathway to install unsigned applications that can bypass Apple’s standard security screening processes. The corrupted AFNetworking framework, for example, maintains its original networking capabilities while secretly incorporating photo-stealing functionality.
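An analyst triaging an iOS app delivered outside the App Store will usually start with its embedded.mobileprovision, because an enterprise (in-house) distribution profile on an ordinary consumer device is the delivery path described above. The following Python script is an added example, not Kaspersky's tooling or code from the page: it pulls the plist payload out of a provisioning profile and reports how the app was provisioned. The sample profile is constructed; the keys it checks (ProvisionsAllDevices, ProvisionedDevices, ExpirationDate, get-task-allow) are the standard ones Apple emits in these profiles.

```python
"""Triage an iOS embedded.mobileprovision to see how the app was distributed.

Added example (not Kaspersky's code). A real profile is a CMS/PKCS#7-signed
blob that wraps an XML plist; this helper locates the plist inside the blob
and classifies the profile. The sample below is constructed for illustration.
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample payload (the plist part of an enterprise profile).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Example Wallet Tracker</string>
    <key>TeamName</key><string>EXAMPLE-ENTERPRISE-TEAM</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>EXAMPLE123.com.example.tracker</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>
"""


def extract_plist(blob: bytes) -> dict:
    """Return the XML plist embedded in a (possibly CMS-wrapped) profile."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Classify the distribution model and flag the enterprise case for review."""
    plist = extract_plist(blob)
    if plist.get("ProvisionsAllDevices"):
        # In-house (enterprise) profile: installs on any device, no App Store review.
        distribution = "enterprise"
    elif plist.get("ProvisionedDevices"):
        # Ad hoc / development profile: limited to an explicit device list.
        distribution = "ad-hoc-or-development"
    else:
        distribution = "app-store"

    expires = plist.get("ExpirationDate")
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # plistlib dates are naive UTC
    now = now or datetime.now(timezone.utc)
    entitlements = plist.get("Entitlements", {})
    return {
        "app": plist.get("AppIDName"),
        "team": plist.get("TeamName"),
        "distribution": distribution,
        "expires": expires.isoformat() if expires else None,
        "expired": bool(expires and expires < now),
        "debuggable": bool(entitlements.get("get-task-allow", False)),
        # An enterprise profile on a consumer device is the signal worth a closer look.
        "review": distribution == "enterprise",
    }


if __name__ == "__main__":
    for key, value in classify_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

The `review` flag is a triage signal, not a verdict: organisations legitimately push in-house apps this way through MDM, so the follow-up question is whether this device should have an enterprise profile from this team at all.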
On Android platforms, the malware employs equally sophisticated distribution methods, embedding malicious code directly into app entry points while using legitimate cryptocurrency themes to attract target victims. The malware’s OCR technology automatically identifies and extracts crypto-related information from victims’ photo galleries without requiring attackers to review them manually. It specifically searches for seed phrases, private keys, and wallet addresses that users commonly screenshot for backup purposes.
Unlike previous mobile malware that relied on bulk photo theft and manual analysis, SparkKitty employs Google ML Kit library integration to scan images for text patterns. The malware’s OCR implementation demonstrates advanced pattern recognition capabilities, automatically filtering images based on text content and sending only those containing crypto-related information to command-and-control servers. This targeted approach reduces data transmission requirements while maximizing the value of stolen information, allowing attackers to process larger victim pools more efficiently.
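The combination the two paragraphs above describe, gallery access plus an on-device text recognizer plus a network path out, is something a defender can check statically before an app ever runs. The Python script below is an added example, not Kaspersky's detection logic and not code from the page: it reads a decoded AndroidManifest.xml and a dumped class list and flags the combination for review. Both inputs are constructed; the permission names are the standard Android ones, and `com.google.mlkit.vision.text` is the package prefix of ML Kit's text-recognition API.

```python
"""Static triage: photo-gallery permission + bundled OCR library + network.

Added example (not Kaspersky's code). Inputs are what you get from an
unpacked APK: the decoded manifest and the class names from its dex files.
The manifest and class list here are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed decoded manifest of a "portfolio tracker" that wants the gallery.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.portfolio.tracker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Example Wallet Tracker">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed class list, as a dex dump would list them.
SAMPLE_CLASSES = [
    "com.example.portfolio.tracker.MainActivity",
    "com.google.mlkit.vision.text.TextRecognition",
    "com.google.mlkit.vision.text.TextRecognizer",
    "okhttp3.OkHttpClient",
]

# Permissions that grant access to the user's photo gallery (varies by API level).
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
# Package prefixes of on-device text recognizers worth noticing.
OCR_PACKAGE_PREFIXES = ("com.google.mlkit.vision.text",)


def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def ocr_classes(class_names) -> list:
    """Return the bundled classes that belong to a known OCR package."""
    return sorted(c for c in class_names if c.startswith(OCR_PACKAGE_PREFIXES))


def triage(manifest_xml: str, class_names) -> dict:
    """Flag the gallery + OCR + network combination for manual review."""
    perms = requested_permissions(manifest_xml)
    photo = sorted(perms & PHOTO_PERMISSIONS)
    ocr = ocr_classes(class_names)
    network = "android.permission.INTERNET" in perms
    return {
        "photo_access": photo,
        "ocr_library": ocr,
        "network": network,
        "review": bool(photo and ocr and network),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_CLASSES).items():
        print(f"{key}: {value}")
```

A document scanner or receipt app will trip the same rule, so the result is a prioritisation signal for a reviewer rather than a verdict; what separates the malicious case is whether the app's stated purpose explains why it needs to read text out of the user's existing photos.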
Related campaigns discovered during Kaspersky’s investigation revealed even more sophisticated implementations, including versions targeting backup procedures by displaying fake security warnings. These social engineering overlays guide victims through accessing their seed phrases, allowing the malware’s Accessibility Logger to capture the information directly rather than relying solely on existing screenshots.
The broader implications extend beyond individual theft to include systematic crypto mining operations. Compromised devices effectively become profit-generating infrastructure for extended periods, as evidenced by related campaigns like the Librarian Ghouls APT group. This group combines credential theft with unauthorized Monero mining on compromised devices, creating ongoing revenue streams for cybercriminals.