On June 24, cybersecurity company Kaspersky stated that malware called SparkKitty has been active since at least early 2024 and may be related to similar malware called SparkCat. The company noted in a report this Monday that SparkKitty specifically steals photos from infected devices with the aim of finding screenshots of crypto wallet seed phrases.
Kaspersky analysts Sergey Puzan and Dmitry Kalinin indicated that the malware targets both iOS and Android platforms, spreading through some applications on the Apple App Store and Google Play. Once a device is infected, the malware indiscriminately steals all images from the photo album. "Although we suspect the attackers' primary target is seed phrase screenshots of crypto wallets, the stolen images may also contain other sensitive data."
Kaspersky discovered two applications used to spread the malware, both related to cryptocurrency. One app, called "币 coin" and disguised as a crypto information tracker, was previously listed on the App Store. The other, named SOEX, is communication software with "cryptocurrency trading functions" and was downloaded over 10,000 times on Google Play.
"The app was downloaded over ten thousand times after being uploaded to Google Play. We have notified Google, and the app has been removed from the store," Puzan and Kalinin stated. A Google spokesperson subsequently confirmed that the app has been removed and the developer's account has been banned.
"Regardless of whether users download through Google Play, Google Play Protect is enabled by default and can automatically prevent this app from running," Google said. Additionally, Kaspersky discovered that SparkKitty also spreads through some gambling apps, pornographic games, and malicious TikTok clones.




