- Kaspersky has discovered a new malware campaign called SparkKitty targeting iOS and Android users via fake crypto apps
- The Trojan has uploaded thousands of images from victims' photo galleries, potentially exposing sensitive data like wallet seed phrases
- Malicious apps were available on both Apple's App Store and Google Play before being reported and removed
Cybersecurity firm Kaspersky has sounded the alarm over a new Trojan named SparkKitty that recently slipped into both the Apple App Store and Google Play stores. Masquerading as harmless crypto apps, this malware quietly harvested photos from infected devices, especially screenshots that may contain wallet recovery phrases, passwords, or other private information. Although the known apps have since been removed, the firm warns that the broader campaign is still active.
Son of SparkCat
SparkKitty appears to be a retooled version of SparkCat, an earlier spyware strain first seen in 2023, although this new wave is more sophisticated and widespread, with malicious code embedded in apps like coin on iOS and SOEX on Android. The apps posed as crypto exchanges, trading tools, or even altered versions of popular platforms like TikTok, but once installed and granted access to a device's camera roll, they quietly uploaded user photos to remote servers, where attackers used OCR (optical character recognition) to scan for valuable information.
Malware analyst Sergey Puzan explained that in some cases, attackers even directed iPhone users to install custom provisioning profiles through fake websites, bypassing Apple's normal defenses.
Don't Take Sensitive Screenshots
Kaspersky says it notified both Apple and Google as soon as SparkKitty was identified, leading to the infected apps being removed, but it warns that similar ones continue to circulate via third-party APK sites and shady web links. One of the Android apps, SOEX, had more than 10,000 downloads before Google pulled it, while the coin app on iOS passed itself off as a legitimate crypto tracker but was working behind the scenes to collect data. "We suspect the attackers are looking for screenshots of seed phrases," Kaspersky said, "but it's likely other sensitive details are being harvested as well."
To stay safe, Kaspersky recommends avoiding screenshot storage of sensitive crypto info, reviewing app permissions, and using security tools that can detect when apps attempt to transmit personal data.