A new mobile crypto-stealing malware, SparkKitty, was discovered in applications available on Google Play and the Apple App Store, impacting both Android and iOS devices by exfiltrating user images.
SparkKitty represents a potential evolution of SparkCat, malware previously identified by Kaspersky in January. SparkCat specifically targeted cryptocurrency wallet recovery phrases by employing optical character recognition (OCR) technology to extract these phrases from images stored on infected devices. Cryptocurrency wallet recovery phrases, also known as seed phrases, are critical for accessing and restoring digital assets. During the setup of a crypto wallet, users are typically advised to record this phrase and store it securely offline.
The ability to access a seed phrase grants complete control over a user’s cryptocurrency holdings, rendering these phrases highly valuable to malicious actors. While the practice of screenshotting a seed phrase is generally discouraged due to security risks, some individuals capture these images for convenience. The report from Kaspersky indicates that SparkKitty operates with broader functionality, indiscriminately exfiltrating all images found within an infected device’s photo gallery.
Kaspersky researchers posit that a primary objective of this malware remains the acquisition of crypto wallet seed phrases, recognizing their inherent value to attackers. However, the comprehensive nature of image theft by SparkKitty introduces additional risks, as the stolen data could be exploited for other illicit purposes, including blackmail, particularly if the images contain sensitive personal content.
The SparkKitty campaign has demonstrated activity since at least February 2024, disseminating through both official application distribution platforms, namely Google Play and the Apple App Store, and various unofficial channels. Kaspersky identified specific malicious applications associated with this campaign: “币coin” on the Apple App Store and “SOEX” on Google Play. Both applications had been removed from their respective stores by the time of the report’s publication.
SOEX, specifically, functioned as a messaging application integrating cryptocurrency exchange functionalities and achieved over 10,000 downloads from the official Android app store. Beyond these official store listings, Kaspersky also detected modified versions of TikTok clones that incorporated counterfeit online cryptocurrency stores, in addition to gambling and casino applications infected with SparkKitty, all distributed through unofficial means.
The implementation of SparkKitty varies between iOS and Android platforms. On iOS devices, the malware is embedded within applications as deceptive frameworks, such as AFNetworking.framework and libswiftDarwin.dylib. In certain instances, it is delivered via enterprise provisioning profiles, which are typically used by organizations for internal app distribution. The malicious framework on iOS utilizes the Objective-C ‘+load’ method to ensure its code automatically executes upon the application’s launch.
A configuration verification process is initiated by reading specific keys from the application’s Info.plist file, with execution proceeding only if the retrieved values correspond to predefined strings. On Android devices, SparkKitty is integrated into Java/Kotlin-based applications. Some variants leverage malicious Xposed/LSPosed modules, which are frameworks designed to modify the behavior of Android applications and the operating system itself. On Android, the malware is activated either immediately upon app launch or in response to specific user interactions, such as navigating to a particular screen type within the application. Upon activation, the malware proceeds to retrieve and decrypt a remote configuration file. This decryption process employs AES-256 in ECB mode to obtain the command and control (C2) URLs, which are essential for communicating with the malware’s operators.
Microsoft’s long and patient hunt for the Lumma Stealer malware finally paid off big
The method for photo exfiltration also differs across operating systems. On iOS, the malware directly requests access to the device’s photo gallery. If this permission is granted by the user, SparkKitty then continuously monitors the gallery for any changes, subsequently exfiltrating new images as they are added or any previously unuploaded images. On Android, the malicious application prompts the user to grant storage permissions, which are necessary for accessing images.
If the user approves these permissions, the malware uploads images from the gallery, along with various device identifiers and metadata. Kaspersky’s analysis revealed that some versions of SparkKitty on Android incorporate Google ML Kit OCR, enabling them to detect and selectively upload only those images that contain text. This targeted approach suggests a continued focus on information like seed phrases, even within a broader image theft operation.
Google confirmed the removal of the SOEX app from Google Play and stated that the associated developer has been banned. Google also indicated that Android users are automatically protected from this application, regardless of its download source, by Google Play Protect, which is enabled by default on Android devices equipped with Google Play Services.
Featured image credit
FAQs
Frequently Asked Questions
What is a Premium Domain Name? A premium domain name is the digital equivalent of prime real estate. It’s a short, catchy, and highly desirable web address that can significantly boost your brand's impact. These exclusive domains are already owned but available for purchase, offering you a shortcut to a powerful online presence. Why Choose a Premium Domain? Instant Brand Boost: Premium domains are like instant credibility boosters. They command attention, inspire trust, and make your business look established from day one. Memorable and Magnetic: Short, sweet, and unforgettable - these domains stick in people's minds. This means more visitors, better recall, and ultimately, more business. Outshine the Competition: In a crowded digital world, a premium domain is your secret weapon. Stand out, get noticed, and leave a lasting impression. Smart Investment: Premium domains often appreciate in value, just like a well-chosen piece of property. Own a piece of the digital world that could pay dividends. What Sets Premium Domains Apart? Unlike ordinary domain names, premium domains are carefully crafted to be exceptional. They are shorter, more memorable, and often include valuable keywords. Plus, they often come with a built-in advantage: established online presence and search engine visibility. How Much Does a Premium Domain Cost? The price tag for a premium domain depends on its desirability. While they cost more than standard domains, the investment can be game-changing. Think of it as an upfront cost for a long-term return. BrandBucket offers transparent pricing, so you know exactly what you're getting. Premium Domains: Worth the Investment? Absolutely! A premium domain is more than just a website address; it's a strategic asset. By choosing the right premium domain, you're investing in your brand's future and setting yourself up for long-term success. What Are the Costs Associated with a Premium Domain? While the initial purchase price of a premium domain is typically higher than a standard domain, the annual renewal fees are usually the same. Additionally, you may incur transfer fees if you decide to sell or move the domain to a different registrar. Can I Negotiate the Price of a Premium Domain?
In some cases, it may be possible to negotiate the price of a premium domain. However, the success of negotiations depends on factors such as the domain's demand, the seller's willingness to negotiate, and the overall market conditions. At BrandBucket, we offer transparent, upfront pricing, but if you see a name that you like and wish to discuss price, please reach out to our sales team.
How Do I Transfer a Premium Domain?
Transferring a premium domain involves a few steps, including unlocking the domain, obtaining an authorization code from the current registrar, and initiating the transfer with the new registrar. Many domain name marketplaces, including BrandBucket, offer assistance with the transfer process.
