AInvest Newsletter
Daily stocks & crypto headlines, free to your inbox
SparkKitty, a new strain of mobile malware, has been identified as a significant threat to cryptocurrency users. This Trojan targets both Android and iOS smartphones, primarily in Southeast Asia and China, though the threat could potentially expand globally. The malware is embedded in various apps, including those related to cryptocurrency, gambling, and even modified versions of TikTok, distributed through both official app stores and scam websites.
First discovered by Kaspersky researchers, SparkKitty is linked to the earlier SparkCat campaign. Experts suggest that the attackers repackaged the malware and embedded it into new apps, making it more difficult to detect. The malware disguises itself as familiar frameworks, such as AFNetworking.framework and Alamofire.framework on iOS, or as Java/Kotlin-based Xposed modules on Android. This disguise allows it to pass the screening processes of the App Store and Google Play and reach users’ phones. Additionally, the malware spreads through third-party marketplaces and phishing sites offering modified TikTok mods, with downloads driven by social links or Telegram channels.
Once installed, the compromised app requests permissions unusual for its function. Users are tricked into installing developer profiles or granting special rights, allowing the malware to bypass protections. After installation, the Trojan remains dormant until the user opens a specific screen, typically a support chat. Then, the malware prompts for permission to access the photo gallery. If access is granted, it uses optical character recognition (OCR) to scan images, searching for screenshots with text, specifically seed phrases. Identified screenshots and any harvested text are encrypted and exfiltrated to attacker-controlled command-and-control endpoints, often hosted on cloud services, enabling rapid redeployment of updated payloads if needed.
With seed phrases in hand, attackers import wallets and drain all funds within minutes. The campaign, active since at least early 2024, has already hit thousands of users before Kaspersky’s takedown requests led to the removal of the infected apps from official stores. Kaspersky researchers have identified several apps through which the SparkKitty Trojan has infected iOS and Android devices, primarily targeting cryptocurrency users. The full list is evolving as the investigation continues. Some of the identified apps include 币coin, Coin Wallet Pro, and Soex Wallet Tracker, as well as Trojanized TikTok clones, casino apps, adult-themed games, and gambling apps distributed via official and unofficial channels.
Online threats to crypto wallets are becoming increasingly sophisticated. SparkKitty is just the latest example of this long-term trend. Malware targeting seed phrases by exploiting mobile device permissions and biometric bypasses poses a serious risk and shouldn’t be underestimated. To keep crypto assets secure, it is essential to never store seed phrases digitally on connected devices, avoid taking photos or screenshots of the seed phrase, and never save it in cloud storage or note-taking apps synced online. Users should opt for physical storage methods, such as writing down the seed phrase on paper and keeping it in a secure, private location. Some users choose metal seed phrase storage devices designed to withstand physical damage, ensuring the backup remains intact even in adverse conditions.
Additionally, users should avoid granting unnecessary permissions to apps, especially those requesting access to the photo gallery or other sensitive data, particularly if they are crypto-related but come from unofficial sources. Hardware wallets store private keys offline, which keeps those keys out of reach of malware like SparkKitty. Even if the phone or computer is compromised, crypto assets remain safe as long as the hardware wallet is used correctly. Regularly updating the mobile operating system and wallet apps is crucial, as security patches often fix vulnerabilities that malware exploits to bypass biometric checks or escalate privileges. Enabling multi-factor authentication (MFA) on wallet accounts and related services adds a valuable barrier against unauthorized access. Lastly, users should be skeptical of unknown apps and links, and avoid downloading crypto wallets or related apps from unofficial stores or from links received via email, social media, or messaging apps. Following these best practices will significantly reduce the risk of losing the seed phrase to bad actors.
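The advice above (do not hand gallery access to apps that do not need it, and be especially wary of crypto-related apps from unofficial sources) can be turned into a quick self-audit on Android. The script below is an added example written for this page, not code from Kaspersky or from the article; it parses the output of `adb shell dumpsys package` and lists every app that has been granted a gallery-reading permission, ranking sideloaded apps (those not installed by Google Play) as the ones to review first. The sample dumpsys text is constructed, and the exact field names (`installerPackageName=`, `granted=true`) are assumed to match the device's Android version; check them against your own dump before relying on the result.

```python
import re
from typing import Dict, List

# Permissions that let an app read the photo gallery. SparkKitty's OCR stage
# only has something to scan once one of these has been granted.
GALLERY_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",     # Android 13 and later
    "android.permission.READ_EXTERNAL_STORAGE",  # Android 12 and earlier
}

# Installers treated as "official" (assumption: Google Play only). Anything
# else was sideloaded or came from a third-party marketplace.
OFFICIAL_INSTALLERS = {"com.android.vending"}

PACKAGE_RE = re.compile(r"^\s*Package \[(?P<name>[^\]]+)\]")
INSTALLER_RE = re.compile(r"installerPackageName=(?P<installer>\S+)")
PERM_RE = re.compile(r"^\s*(?P<perm>android\.permission\.\w+): granted=(?P<granted>true|false)")

# Constructed sample of `dumpsys package` output covering three cases:
# a Play-installed photo app, a sideloaded "wallet" clone, and a harmless app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.photos] (1a2b3c):
    userId=10120
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=123 installed=true hidden=false
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
  Package [com.example.walletclone] (4d5e6f):
    userId=10121
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=124 installed=true hidden=false
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.calculator] (7a8b9c):
    userId=10122
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
"""


def parse_dumpsys(text: str) -> Dict[str, dict]:
    """Extract, per package, the installer and the set of granted permissions."""
    packages: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group("name")
            packages[current] = {"installer": None, "granted": set()}
            continue
        if current is None:
            continue
        m = INSTALLER_RE.search(line)
        if m:
            packages[current]["installer"] = m.group("installer")
            continue
        m = PERM_RE.match(line)
        if m and m.group("granted") == "true":
            packages[current]["granted"].add(m.group("perm"))
    return packages


def audit(packages: Dict[str, dict]) -> List[dict]:
    """Return apps with gallery access, sideloaded ones first."""
    findings = []
    for name, info in packages.items():
        gallery = info["granted"] & GALLERY_PERMISSIONS
        if not gallery:
            continue
        sideloaded = info["installer"] not in OFFICIAL_INSTALLERS
        findings.append({
            "package": name,
            "permissions": sorted(gallery),
            "sideloaded": sideloaded,
            "risk": "high" if sideloaded else "review",
        })
    return sorted(findings, key=lambda f: (f["risk"] != "high", f["package"]))


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then read dump.txt here.
    for f in audit(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(f"{f['risk']:6} {f['package']:28} {', '.join(f['permissions'])}")
```

Run it against a real dump with `adb shell dumpsys package > dump.txt` and pass the file contents to `parse_dumpsys`. Anything marked `high` is an app outside Google Play that can read your screenshots; revoke the permission or uninstall the app unless you can explain why it needs gallery access. There is no equivalent scriptable check on iOS, so review Settings > Privacy & Security > Photos by hand and remove any developer or configuration profile you did not knowingly install.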