SparkKitty Malware Targets Crypto Users in Southeast Asia and China

Generated by AI Agent Coin World
Tuesday, Jun 24, 2025 4:51 am ET

Kaspersky has identified a new strain of mobile malware specifically targeting cryptocurrency users by stealing screenshots of their wallet seed phrases. This malware, named SparkKitty, has been found in both Android and iOS apps, some of which managed to bypass the security measures of official app stores, including Google Play and Apple’s App Store.

The malware primarily targets users in Southeast Asia and China. It is believed to be a variant of SparkCat, another malware campaign discovered earlier this year. Like its predecessor, SparkKitty focuses on stealing photos that contain sensitive information, particularly seed phrases used for accessing cryptocurrency wallets.

The malware is disguised within seemingly legitimate apps, such as TikTok mods, crypto trackers, gambling games, and adult content apps. These apps trick users into installing a special developer profile, which allows the malware to operate outside the usual app review protections. Once installed, the malware waits for the user to open specific screens, such as support chats, and then requests access to the photo gallery. If granted, it uses optical character recognition to scan images and identify screenshots containing text, particularly seed phrases.
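A defender-side triage of the Android behaviour described above, as an added example (not code from Kaspersky or from this article): it flags a decoded APK that combines gallery-read permissions, a bundled OCR library and network access. The OCR package prefixes, the use of the INTERNET permission as a signal and the sample package names are assumptions; the article specifies none of them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
GALLERY_PERMS = {"android.permission.READ_MEDIA_IMAGES",
                 "android.permission.READ_EXTERNAL_STORAGE"}
# Assumption: OCR library package prefixes; the article names no OCR library.
OCR_PREFIXES = ("com.google.mlkit.vision.text", "com.googlecode.tesseract")


def triage(manifest_xml, class_packages):
    """Report gallery-read, OCR and network signals for one decoded APK."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    gallery = sorted(perms & GALLERY_PERMS)
    ocr = sorted({p for p in class_packages if p.startswith(OCR_PREFIXES)})
    network = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "gallery_permissions": gallery,
        "ocr_packages": ocr,
        "network": network,
        # All three together match the described behaviour; this is a cue for
        # manual review, not a verdict, since legitimate apps combine them too.
        "review": bool(gallery and ocr and network),
    }


def _manifest(package, permissions):
    """Build a constructed, minimal AndroidManifest.xml for the samples below."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' package="{package}">{uses}<application/></manifest>')


# Constructed samples (hypothetical package names, not real apps).
SAMPLE_TRACKER = (
    _manifest("com.example.cointracker",
              ["android.permission.INTERNET", "android.permission.READ_MEDIA_IMAGES"]),
    ["com.example.cointracker.ui", "com.google.mlkit.vision.text.internal"],
)
SAMPLE_NOTES = (
    _manifest("com.example.notes", ["android.permission.INTERNET"]),
    ["com.example.notes", "androidx.core"],
)

if __name__ == "__main__":
    for manifest_xml, packages in (SAMPLE_TRACKER, SAMPLE_NOTES):
        print(triage(manifest_xml, packages))
```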

Many of the fake apps had strong crypto themes, and several included crypto-only stores, indicating that the collection of seed phrases was the primary goal. For instance, two apps flagged in the reports were Soex Wallet Tracker and Coin Wallet Pro. Soex, which posed as a portfolio manager with real-time tracking features, was downloaded over 5,000 times from Google Play before it was removed. Coin Wallet Pro, marketed as a secure multi-chain wallet, briefly appeared on the App Store and gained traction through social media ads and Telegram promotions before its removal.

Kaspersky has notified both Apple and Google about the affected apps, and they have since been removed from their respective stores. The researchers noted that the campaign had been active since at least April 2024, with some samples dating back even earlier. This discovery highlights the evolving tactics of cybercriminals in targeting cryptocurrency users and the need for enhanced security measures to protect sensitive information.
