New Malware Escapes App Store — No One Safe


Crypto thieves have deployed a sophisticated malware strain called SparkKitty that steals your entire photo gallery to extract passwords and crypto wallet information, exploiting the common practice of storing sensitive data in screenshots.

Key Takeaways

  • SparkKitty malware targets both iOS and Android devices, stealing photos to extract cryptocurrency wallet recovery phrases and passwords using optical character recognition technology.
  • The malware has infiltrated official app stores, with infected apps like SOEX on Google Play (downloaded over 10,000 times) and 币coin on Apple’s App Store, both now removed.
  • SparkKitty requests gallery access permissions and continuously scans for text in images, targeting screenshots of sensitive information like crypto wallet seed phrases.
  • Users should never store sensitive information in screenshots, verify app developers before downloading, be suspicious of apps requesting photo access, and use offline or encrypted storage for passwords and recovery phrases.

Malware Penetrates Official App Stores

A dangerous new strain of mobile malware named SparkKitty has successfully infiltrated both Google Play Store and Apple App Store, putting millions of smartphone users at risk. The malware, identified by cybersecurity researchers as an evolution of the previously known SparkCat threat, specifically targets cryptocurrency owners but poses a significant risk to anyone storing sensitive information in their photo galleries. Cybersecurity firm Kaspersky reports that SparkKitty has been actively spreading since at least February 2024 through both official and unofficial distribution channels.

“A dangerous new malware strain targeting smartphone users has managed to sneak on to both the Google Play Store and the Apple App Store without being detected, experts have warned,” said experts.

The malicious applications identified include a Google Play messaging app called SOEX, which disguised itself as a legitimate communication tool with cryptocurrency features and was downloaded over 10,000 times before removal. On Apple’s App Store, an app called 币coin (meaning “coin” in Chinese) carried the malicious code. Both platforms have since removed the infected applications, with Google confirming it has banned the developer entirely. This infiltration of official app stores demonstrates how sophisticated these threat actors have become at bypassing security checks.

How SparkKitty Operates

SparkKitty employs a particularly insidious method of operation that takes advantage of users’ common habits. Once installed, the malware immediately requests permission to access the device’s photo gallery or storage. On iOS devices, it runs its code from an Objective-C ‘+load’ method, which the runtime executes automatically when the class is loaded; the Android versions are built as Java/Kotlin apps. After gaining the necessary permissions, SparkKitty begins scanning all images on the device, using optical character recognition (OCR) to identify text within photos.

“Kaspersky says the SparkKitty malware has been actively distributed across both the Google Play Store and Apple App Store since February 2024, and has also been distributed through unofficial means as well,” said Kaspersky.

The malware is particularly dangerous because it continuously monitors the photo gallery, rescanning whenever changes are detected. This allows it to capture new screenshots of sensitive information as they’re created. Some versions specifically use Google ML Kit OCR to detect and prioritize images containing text. The primary targets appear to be cryptocurrency wallet recovery phrases (also called seed phrases), which many users unfortunately screenshot during wallet setup. When these phrases are stolen, attackers can completely drain cryptocurrency wallets.

Protecting Your Sensitive Information

In response to this threat, users must take immediate protective measures. First, never store screenshots of passwords, PIN codes, recovery phrases, or other sensitive information on your mobile device. If you have such screenshots in your gallery, delete them immediately and clear them from your deleted items folder. For cryptocurrency holders, recovery phrases should be stored offline completely – written on paper and kept in a secure location, or stored in a hardware wallet device.

“Identified by Kaspersky and reported by Bleeping Computer, SparkKitty malware gains access to photo galleries on iOS and Android, allowing it to exfiltrate images or data contained within them, possibly with the goal of stealing victims’ crypto assets as well as other compromising information,” said Kaspersky.

When downloading apps, always scrutinize the developer’s reputation. Check for verified developer badges, read user reviews carefully, and be skeptical of new apps with few downloads. Be extremely cautious about granting photo gallery access – question why an app needs such permissions and deny access when unnecessary. For secure digital storage of sensitive information, use encrypted password managers or secure note applications that offer end-to-end encryption. Google has activated Play Protect for automatic protection, but users should remain vigilant as hackers continue evolving their tactics.
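One way to act on the “question why an app needs such permissions” advice before installing an Android app is a manifest triage check. The script below is an added example, not code from the article or from Kaspersky: it parses an AndroidManifest.xml and flags the capability pair SparkKitty relies on, gallery read access combined with network access. The sample manifest is constructed; the permission names are real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that grant read access to the user's photos (real Android names).
GALLERY_READ_PERMS = {
    "android.permission.READ_MEDIA_IMAGES",       # Android 13+ scoped photo access
    "android.permission.READ_EXTERNAL_STORAGE",   # legacy broad storage read
    "android.permission.MANAGE_EXTERNAL_STORAGE", # "all files" access
}
NETWORK_PERM = "android.permission.INTERNET"


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage_gallery_access(manifest_xml: str) -> dict:
    """Flag the SparkKitty-style capability pair: gallery read + network.

    Neither permission is malicious on its own; together they let an app read
    every image on the device and send it off-device, which a messaging or
    crypto-news app rarely needs. The result is a triage signal, not a verdict.
    """
    perms = declared_permissions(manifest_xml)
    gallery = sorted(perms & GALLERY_READ_PERMS)
    network = NETWORK_PERM in perms
    return {"gallery_read": gallery, "network": network,
            "flag": bool(gallery) and network}


# Constructed sample manifest modelled on a chat app that asks for full photo access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_gallery_access(SAMPLE_MANIFEST))
```

On a real device the same question can be answered after the fact in the system permission settings: an app that holds photo access without a visible reason is the one to revoke.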

“The reported app has been removed from Google Play and the developer has been banned,” stated Google.