SparkKitty is a mobile Trojan, reported by Kaspersky in June 2025, that targets both Android and iOS devices. Its primary goal is cryptocurrency theft: it exfiltrates images from the photo gallery, along with device information, from infected smartphones, hunting for wallet recovery phrases captured in screenshots.
Key Characteristics of SparkKitty
• Platforms Targeted: Both iOS and Android.
• Distribution Channels: Official app stores (Apple App Store and Google Play), as well as third-party and scam websites.
• App Types Infected: Crypto-related apps, gambling apps, and trojanized versions of popular apps like TikTok.
How SparkKitty Works
• Image Theft: SparkKitty indiscriminately uploads all images from an infected device’s photo gallery to attacker-controlled servers.
• Device Information: It also sends detailed device information to the attackers.
• Targeted Data: The primary goal is to steal cryptocurrency wallet recovery phrases (seed phrases), which are often stored as screenshots or photos for convenience. These phrases can be used to restore and drain crypto wallets.
• OCR Technology: Unlike its predecessor SparkCat, which ran on-device OCR to pick out only images containing recovery phrases, SparkKitty mostly does not filter and uploads the whole gallery. Some Android samples do use Google's ML Kit OCR library to upload only images that contain text, which narrows the haul to screenshots of seed phrases, passwords and similar content.
• Potential for Broader Abuse: While the main focus is crypto theft, any sensitive content in the photo gallery—such as personal images or documents—could be used for extortion or other malicious purposes.
Infection and Spread
• Store Infiltration: On iOS, SparkKitty was found in an App Store app named 币coin, which posed as a cryptocurrency price tracker. On Android, it was embedded in SOEX, a Google Play messaging app with crypto-exchange features, and, outside the official stores, in modded TikTok clones and in gambling and adult-themed apps offered on scam websites.
Technical Details
• On iOS, the malicious code ships inside frameworks that pose as well-known libraries; versions distributed outside the App Store are installed through enterprise (in-house) provisioning profiles, which let an app run without passing App Store review.
• On Android, it is hidden within Java/Kotlin apps and sometimes uses malicious modules like Xposed/LSPosed.
• The malware uses obfuscation and encrypted configuration files to evade detection and control its operations.
• Scale: The campaign has been active since at least February 2024. The Google Play SOEX app alone had more than 10,000 installs before it was taken down; the 242,000-download figure sometimes quoted alongside SparkKitty belongs to Kaspersky's earlier SparkCat report.
Relation to SparkCat
SparkKitty appears to be an evolution of the earlier SparkCat malware, which was the first known OCR-based stealer to infiltrate the Apple App Store. SparkCat also targeted crypto wallet recovery phrases via image scanning and was distributed through both legitimate-looking and fake apps.
Geographic Focus
• Main Targets: Residents of Southeast Asia and China, but evidence suggests a broader reach across Europe, Asia, Africa, and the Middle East.
• Language Adaptation: The malware adapts its OCR models based on device language settings to maximize its effectiveness across different regions.
Mitigation and Response
• Removal: All identified malicious apps have been removed from the official app stores, and Apple and Google have been notified.
• Recommendations: Do not keep crypto wallet recovery phrases, passwords or ID documents as photos or screenshots; store seed phrases offline or in a password manager. Regularly review which apps hold photo access (Android: Settings > Apps > Permissions > Photos and videos; iOS: Settings > Privacy & Security > Photos, where limited/selected-photos access keeps an app away from the full library), and treat crypto, gambling and "modded" apps from third-party sites as untrusted.
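One way to act on the "audit app permissions" advice on Android, as an added example that is not part of Kaspersky's report: the script below parses the output of `adb shell dumpsys package` and flags every package that holds both a granted gallery-read permission and network access, which is the capability pair a gallery stealer such as SparkKitty needs. The sample dumpsys output and the package names in it are constructed for the example.

```python
"""
Flag Android packages that can both read the photo gallery and reach the network.

Added example, not code from the SparkKitty report or from any vendor tool.
Input is the text of `adb shell dumpsys package`; the SAMPLE_DUMPSYS below is a
constructed excerpt with hypothetical package names.
"""
import re
import sys

# Permissions that give broad read access to photos, by Android version.
GALLERY_PERMS = {
    "android.permission.READ_MEDIA_IMAGES",       # Android 13+
    "android.permission.READ_EXTERNAL_STORAGE",   # Android 12 and older
    "android.permission.MANAGE_EXTERNAL_STORAGE", # "all files" access
}
NETWORK_PERM = "android.permission.INTERNET"

# "  Package [com.example.app] (1a2b3c):" opens each package record.
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
# Install and runtime permission lines look like
# "      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]"
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")


def parse_dumpsys(text):
    """Return {package_name: set of granted permissions} from dumpsys package output."""
    granted = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        if current is None:
            continue  # preamble before the Packages: section
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def flag_gallery_exfil_capable(granted):
    """Packages holding INTERNET plus at least one broad gallery-read permission."""
    return sorted(
        pkg for pkg, perms in granted.items()
        if NETWORK_PERM in perms and perms & GALLERY_PERMS
    )


# Constructed sample: one app that can exfiltrate photos, one with gallery
# access denied, one with gallery access but no network.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.messenger] (a1b2c3):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_MEDIA_IMAGES
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1 installed=true hidden=false
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
  Package [com.example.calculator] (d4e5f6):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET]
  Package [com.example.gallery] (0a1b2c):
    User 0: installed=true
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""


if __name__ == "__main__":
    # Usage: adb shell dumpsys package | python3 gallery_audit.py
    # With no piped input, the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    for pkg in flag_gallery_exfil_capable(parse_dumpsys(text)):
        print(f"photo access + network: {pkg}")
```

The output is a shortlist to review by hand, not a verdict: a messaging or photo-editing app legitimately needs both capabilities, while a "coin tracker" or a modded TikTok build does not. Apps that only use the system photo picker, or the Android 14 `READ_MEDIA_VISUAL_USER_SELECTED` partial grant, are deliberately not flagged because they cannot sweep the whole library.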