
New Malware SparkKitty Targets Crypto Users on Android and iOS

SparkKitty's broad image exfiltration poses a significant threat to crypto users on both Android and iOS. Stay vigilant when downloading apps.

A new mobile malware, SparkKitty, has been discovered in apps on both Google Play and the Apple App Store, posing a threat to users of Android and iOS devices. Active since at least February 2024, this malware targets cryptocurrency holdings and has evolved from a previously identified threat, SparkCat. SparkKitty has spread through official and unofficial app distribution channels, with malicious apps like '币coin' on the Apple App Store and 'SOEX' on Google Play, both since removed.

The malware exfiltrates images from infected devices, including those containing cryptocurrency wallet recovery phrases, known as seed phrases. This gives attackers complete control over a user's crypto holdings. SparkKitty's implementation varies between iOS and Android, using deceptive frameworks and modules to activate and steal data. Google Play Protect automatically protects Android users from the SOEX app, regardless of its download source.

Unlike its predecessor, SparkCat, which used OCR to target seed phrases, SparkKitty operates more broadly, exfiltrating all images from a device's photo gallery. Stolen images could be exploited for other illicit purposes beyond crypto theft.

The discovery of SparkKitty underscores the ongoing threat of mobile malware targeting cryptocurrency users. Both Android and iOS users are advised to be cautious when downloading apps, even from official stores. Regular security updates and careful app permissions management can help mitigate risks.
