A newly discovered mobile malware named SparkKitty targets cryptocurrency users by stealing screenshots of wallet seed phrases saved in their phones' photo galleries. Cybersecurity firm Kaspersky has flagged the threat, which reached users through both Google Play and Apple's App Store, passing the review processes of both stores.

The malware campaign appears to focus primarily on users in Southeast Asia and China, but its method of attack raises global concern for all crypto holders. The malware is cleverly hidden inside apps that appear legitimate but are secretly designed to extract sensitive information from users’ devices.

How SparkKitty Hides in Seemingly Safe Apps

SparkKitty is embedded in fake or modified applications that mimic popular or useful services; the specific apps named in Kaspersky's report are described below.

Some of these apps, particularly on iOS, are distributed outside the App Store and trick users into installing a developer (provisioning) profile. Installing such a profile lets an app that never went through Apple's review run on the device; it does not itself break the app sandbox, but it removes the one check that would otherwise have kept the malicious build off the phone, which is why the profile effectively acts as the malware's way in.

Source: securelist.com

For example, Soex Wallet Tracker, posing as a real-time crypto portfolio app, was downloaded over 5,000 times before being removed from Google Play. Coin Wallet Pro briefly appeared on the Apple App Store and gained attention via Telegram channels and targeted social media ads before its takedown.

How the Malware Operates

Once the infected app is installed, SparkKitty lies dormant, waiting for specific user actions. Here’s a breakdown of how it functions:

  1. Monitors for when users open sensitive areas like wallet setup, customer support chats, or backup screens
  2. Prompts for access to the phone’s photo gallery
  3. If access is granted, it quietly scans saved images
  4. Utilises optical character recognition (OCR) to detect text in screenshots
  5. Extracts information such as seed phrases, wallet addresses, and private keys
  6. Sends this stolen data to the attacker’s server without alerting the user

This targeted attack is especially dangerous because many crypto users save seed phrases as screenshots, believing it to be a convenient method of backup.
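The OCR step above is what makes a gallery full of screenshots dangerous: once text has been extracted from an image, picking out a seed phrase, an address or a raw private key is a simple pattern-matching problem. The following script, which is an added example and not code from Kaspersky's report or from the malware, shows that logic from the defensive side: it takes OCR text per image (here, constructed sample strings; in practice you would feed it the output of an OCR tool such as pytesseract's image_to_string run over an exported gallery, which is an assumption of this example) and flags images that look like a seed-phrase backup, a wallet address or a hex private key. The function and variable names are the example's own.

```python
import re

# Constructed OCR output for four sample screenshots (not real captures): a
# numbered seed-phrase backup, an exchange deposit address, a raw private key
# and an unrelated receipt. The words and values are public test-vector style
# examples, not anyone's wallet.
SAMPLE_OCR_OUTPUT = {
    "IMG_0412.png": (
        "Recovery phrase (write it down!)\n"
        "1. abandon 2. ability 3. able 4. about\n"
        "5. above 6. absent 7. absorb 8. abstract\n"
        "9. absurd 10. abuse 11. access 12. accident"
    ),
    "IMG_0413.png": "Deposit address ETH\n0x52908400098527886E0F7030069857D2E4169EE7",
    "IMG_0415.png": (
        "Private key\n"
        "E9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA33262"
    ),
    "IMG_0414.png": "Total 12.40 EUR\nThank you for shopping",
}

# BIP39 words are 3 to 8 lowercase letters; a backup screenshot shows 12 to 24
# of them in a row. This heuristic needs no wordlist, at the cost of some
# false positives on long runs of short lowercase words.
WORD_RE = re.compile(r"[a-z]{3,8}")
NUMBERING_RE = re.compile(r"\b\d{1,2}[.)]?(?=\s)")   # "1." / "12)" labels before words
ETH_ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
HEX_KEY_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")       # raw 32-byte key as hex
BTC_ADDR_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[0-9a-z]{25,59})\b")
MIN_SEED_WORDS = 12
PUNCT = ".,;:!?()\"'"


def longest_word_run(text):
    """Length of the longest run of consecutive tokens that look like BIP39 words.

    Numbering labels such as "1." are removed first so a numbered backup still
    forms one run; surrounding punctuation is stripped from each token because
    OCR often keeps brackets and commas attached to words.
    """
    cleaned = NUMBERING_RE.sub("", text)
    best = cur = 0
    for token in cleaned.split():
        if WORD_RE.fullmatch(token.strip(PUNCT)):
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def classify(text):
    """Return the set of sensitive-item kinds found in one screenshot's OCR text."""
    kinds = set()
    if longest_word_run(text) >= MIN_SEED_WORDS:
        kinds.add("seed_phrase")
    if ETH_ADDR_RE.search(text) or BTC_ADDR_RE.search(text):
        kinds.add("wallet_address")
    if HEX_KEY_RE.search(text):
        kinds.add("private_key")
    return kinds


def scan_gallery(ocr_by_image):
    """Map image name -> kinds found, keeping only images with at least one hit."""
    hits = {}
    for name, text in ocr_by_image.items():
        kinds = classify(text)
        if kinds:
            hits[name] = kinds
    return hits


if __name__ == "__main__":
    for name, kinds in sorted(scan_gallery(SAMPLE_OCR_OUTPUT).items()):
        print(f"{name}: {', '.join(sorted(kinds))}")
```

Run against your own exported gallery, this is a quick way to find the screenshots that should never have been taken; anything it flags belongs in a hardware wallet or an offline paper backup, not in the camera roll. The heuristic deliberately errs toward over-reporting: the attacker's filter needs only to be roughly right, because a stolen receipt costs them nothing, and a defensive audit should be at least as permissive.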

Why It’s a Serious Threat to Crypto Users

In the crypto world, a seed phrase is the master key to a user's wallet. Anyone who has it can take full control of the wallet and transfer funds without restriction. Unlike a traditional account, there is no "forgot password" option: once the phrase is stolen and the funds are moved, they are unrecoverable.


SparkKitty’s method of using OCR to scan image galleries is particularly dangerous because it exploits a common behaviour: saving sensitive information as screenshots. It shows that attackers are now focusing more on social engineering and user habits rather than just technical flaws.

How to Protect Yourself

Kaspersky researchers advise crypto users to take the following safety precautions:

  • Never save seed phrases or private keys as screenshots or photos
  • Avoid installing apps from unknown developers, especially those related to crypto, gambling, or adult content
  • Do not install developer profiles unless you completely trust the source
  • Review app permissions carefully, especially those requesting access to your gallery or camera
  • Use hardware wallets for storing significant amounts of cryptocurrency
  • Keep your phone’s security software up to date and perform regular scans

Though the identified malicious apps have been removed from app stores, the malware campaign is believed to have been active since April 2024, with some versions possibly circulating even earlier. It’s likely that more variants will appear under different names and disguises.

The emergence of SparkKitty is a wake-up call for crypto users worldwide. It demonstrates how attackers are evolving their tactics by targeting personal behaviours, not just technological weaknesses. While platforms like Apple and Google continue to strengthen their defences, users must take responsibility for securing their crypto assets.
