Malware on Google Play, Apple App Store stole your photos—and crypto


A new mobile crypto-stealing malware called SparkKitty was found in apps on Google Play and the Apple App Store, targeting Android and iOS devices.

The malware is a possible evolution of SparkCat, which Kaspersky discovered in January. SparkCat used optical character recognition (OCR) to steal cryptocurrency wallet recovery phrases from images saved on infected devices.

When a crypto wallet is installed, the setup process tells users to write down the wallet's recovery phrase and store it in a secure, offline location.

Anyone with access to this seed phrase can restore the wallet and its stored assets on another device, making seed phrases a valuable target for threat actors.

While taking a screenshot of your seed phrase is never a good idea, some people do so for convenience.

A report by Kaspersky says that the new SparkKitty malware indiscriminately steals all images from an infected device's photo gallery.

While Kaspersky believes that the malware is targeting crypto wallet seed phrases, the stolen data could also be used for other malicious purposes, like extortion, if the images contain sensitive content.

The SparkKitty malware

The SparkKitty campaign has been active since at least February 2024, spreading through both official Google and Apple app stores and unofficial platforms.

SparkKitty on Apple App Store
Source: Kaspersky

The malicious apps Kaspersky identified are 币coin on the Apple App Store and SOEX on Google Play, both having been removed by the time of this writing.

SOEX is a messaging app with cryptocurrency exchange features, downloaded over 10,000 times via Android's official app store.

The malware app on Google Play
Source: Kaspersky

Kaspersky also discovered modded TikTok clones embedding fake online cryptocurrency stores, as well as gambling apps, adult-themed games, and casino apps containing SparkKitty, all distributed via unofficial channels.

TikTok clone app from an unofficial site, installed via an iOS profile
Source: Kaspersky

On iOS, SparkKitty is embedded as fake frameworks (AFNetworking.framework, libswiftDarwin.dylib) and sometimes delivered via enterprise provisioning profiles.

On Android, the malware is embedded in Java/Kotlin apps, some of which use malicious Xposed/LSPosed modules.

The malicious framework uses the Objective-C '+load' method to automatically execute its code when the app starts on iOS. A configuration check is performed by reading keys from the app's Info.plist; execution proceeds only if values match expected strings.

On Android, the malware is triggered on app launch or at specific user-driven actions like opening a specified screen type. Upon activation, it retrieves and decrypts a remote configuration file using AES-256 (ECB mode) to get C2 URLs.

On iOS, the malware requests access to the photo gallery, while on Android, the malicious app requests the user to grant storage permissions to access images.
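A static triage check for the iOS traits described above (the fake AFNetworking.framework / libswiftDarwin.dylib bundled in Frameworks/ and a photo-library permission declared in Info.plist), written as an added example rather than Kaspersky's or BleepingComputer's tooling; the .app bundle it inspects is constructed in a temporary directory, and the key and directory names are standard iOS bundle layout.

```python
"""Triage an unpacked iOS app bundle (Payload/<name>.app) for the SparkKitty
indicators named in the article. Added example; the sample bundle is constructed."""
import plistlib
import tempfile
from pathlib import Path

# Framework names the article reports SparkKitty hiding behind. AFNetworking is
# also a widely used legitimate library, so a name match is a lead, not a verdict.
SUSPECT_BINARIES = {"AFNetworking.framework", "libswiftDarwin.dylib"}
# Info.plist keys an app must declare before iOS will prompt for gallery access.
PHOTO_KEYS = {"NSPhotoLibraryUsageDescription", "NSPhotoLibraryAddUsageDescription"}


def triage_bundle(app_dir: Path) -> dict:
    """Return findings for one .app directory: suspect binaries and photo access."""
    info = plistlib.loads((app_dir / "Info.plist").read_bytes())
    frameworks = app_dir / "Frameworks"
    names = {p.name for p in frameworks.iterdir()} if frameworks.is_dir() else set()
    hits = sorted(names & SUSPECT_BINARIES)
    wants_photos = bool(PHOTO_KEYS & info.keys())
    return {
        "bundle_id": info.get("CFBundleIdentifier", "<missing>"),
        "suspect_binaries": hits,
        "requests_photos": wants_photos,
        # Both traits together match the iOS behaviour the report describes.
        "review": bool(hits) and wants_photos,
    }


def build_sample_bundle(root: Path, suspicious: bool) -> Path:
    """Construct a minimal fake .app for demonstration (not a real sample)."""
    app = root / "Payload" / "Demo.app"
    (app / "Frameworks").mkdir(parents=True)
    info = {"CFBundleIdentifier": "com.example.demo", "CFBundleVersion": "1"}
    if suspicious:
        info["NSPhotoLibraryUsageDescription"] = "Needed to pick a profile photo"
        # Placeholder bytes standing in for a Mach-O file; contents are not parsed.
        (app / "Frameworks" / "libswiftDarwin.dylib").write_bytes(b"\xcf\xfa\xed\xfe")
    (app / "Info.plist").write_bytes(plistlib.dumps(info))
    return app


def demo(suspicious: bool = True) -> dict:
    """Build a sample bundle and triage it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_bundle(build_sample_bundle(Path(tmp), suspicious))


if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
```

Point `triage_bundle` at each `Payload/*.app` directory of an unzipped IPA; a positive result only marks the app for manual review, since the binary names are shared with legitimate software.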

If permission is granted on iOS, the malware monitors the gallery for changes and exfiltrates any new or previously unuploaded images.

Image exfiltration code on the iOS variant
Source: Kaspersky

On Android, the malware uploads images from the gallery, along with device identifiers and metadata. Kaspersky found some SparkKitty versions that use Google ML Kit OCR to detect and only upload images containing text.

Image exfiltration logic on Android
Source: Kaspersky

SparkKitty is another example of malware slipping into official app stores, highlighting once more that users shouldn't blindly trust software on vetted distribution channels.

All apps should be scrutinized for signs of fraud, such as fake reviews, publishers with doubtful backgrounds or histories, low downloads combined with a high number of positive reviews, etc.

During installation, requests for storage or gallery access should be treated with suspicion and denied if they're not related to the app's core functionality.

On iOS, avoid installing configuration profiles or certificates unless they come from a trusted source. On Android, enable Google Play Protect in settings and perform regular full-device scans.

Ultimately, cryptocurrency holders should not keep images of their wallet seed phrases on their mobile devices, as these are now actively targeted by malware. Instead, store them offline in a secure location.

BleepingComputer has contacted both Apple and Google to ask for a comment on how these apps slipped through the cracks and into their app stores.

"The reported app has been removed from Google Play and the developer has been banned," Google told BleepingComputer.

"Android users are automatically protected against this app regardless of download source by Google Play Protect, which is on by default on Android devices with Google Play Services."

BleepingComputer also contacted Apple about the apps and will update the story if we receive a response.
