Kaspersky Warns New Crypto Malware Steals Seed Phrase Screenshots From iOS and Android


by SK

Anas Hassan, Crypto Journalist

About Author

Anas is a crypto native journalist and SEO writer with over five years of writing experience covering blockchain, crypto, DeFi, and emerging tech.

Last updated: June 24, 2025



Kaspersky researchers have discovered a sophisticated new mobile malware campaign called “SparkKitty” that successfully infiltrated both Apple’s App Store and Google Play, specifically targeting screenshots of crypto wallet seed phrases stored in users’ photo galleries.

The malware, which evolves from a previously identified SparkCat campaign, uses optical character recognition (OCR) technology to scan and exfiltrate images containing sensitive crypto wallet information from iOS and Android devices.

The campaign, which has been active since at least February 2024, has primarily targeted users in Southeast Asia and China through infected apps disguised as TikTok mods, crypto portfolio trackers, gambling games, and adult content applications that request photo gallery access under seemingly legitimate pretenses.

[Image. Source: Kaspersky]

These cybercriminals successfully bypassed official app store security measures to deploy infected applications that appeared legitimate to automated screening and human reviewers.

Two prominent examples include Soex Wallet Tracker, which masqueraded as a portfolio management app and was downloaded over 5,000 times from Google Play, and Coin Wallet Pro, which marketed itself as a secure multi-chain wallet before being promoted through social media ads and Telegram channels.

[Image. Source: Kaspersky]

How SparkKitty’s Seed Phrase Stealer Evaded iOS and Android Detection

On iOS devices, the malware typically disguised itself as modified versions of popular frameworks like AFNetworking or Alamofire, exploiting Apple’s Enterprise provisioning profile system that allows organizations to distribute internal apps without App Store approval.

While legitimate for corporate use, these Enterprise profiles provided cybercriminals with a pathway to install unsigned applications that could bypass Apple’s standard security screening processes.

The attackers went as far as creating modified versions of legitimate open-source libraries that retain the original functionality while adding malicious capabilities.

The corrupted AFNetworking framework, for example, kept its original networking capabilities while secretly incorporating photo-stealing functionality through a hidden AFImageDownloaderTool class. That class activated during app loading via Objective-C’s load selector, which the runtime invokes automatically when the class is loaded, so no call from the host app’s own code was needed.

This approach allowed the malware to remain dormant until specific conditions were met, such as users navigating to support chat screens where photo access requests would appear natural and less suspicious.

On Android platforms, the malware employed equally sophisticated distribution methods, embedding malicious code directly into app entry points while using cryptocurrency themes to lure victims.

OCR Technology Turns Photos Into Digital Gold Mine

SparkKitty’s most dangerous feature is its sophisticated optical character recognition technology, which automatically identifies and extracts crypto-related information from victims’ photo galleries without requiring attackers to review them manually.

Unlike previous mobile malware that relied on bulk photo theft and manual analysis, SparkKitty integrates Google’s ML Kit machine-learning library to scan images for text patterns. It specifically searches for seed phrases, private keys, and wallet addresses that users commonly screenshot for backup purposes despite security recommendations against such practices.

As Kaspersky explained, the malware’s OCR implementation demonstrates advanced pattern recognition capabilities. It automatically filters images based on text content and sends only those containing crypto-related information to command-and-control servers.

The system looks for specific text blocks containing minimum word counts and character requirements, effectively distinguishing between casual photos and potentially valuable financial information.

This targeted approach reduces data transmission requirements while maximizing the value of stolen information, allowing attackers to process larger victim pools more efficiently.
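The filtering idea described above, applied from the defender's side, is illustrated by the Python example below. It is an added example, not code from the article or from Kaspersky: a wallet app or a gallery-hygiene tool can run OCR over a user's own screenshots and apply the same kind of word-count and character-shape test to warn about (or offer to delete) images that appear to hold a seed phrase, private key, or wallet address. The thresholds (12/15/18/21/24 words, 3 to 8 lowercase letters each, near-distinct words, no common English function words) and the stopword list are my own assumptions, not Kaspersky's description of SparkKitty's actual rules, and the OCR strings are constructed samples.

```python
"""Heuristic flagger for OCR text that looks like crypto wallet secrets.

Defensive use: audit a user's own gallery (or text they are about to
screenshot) and warn when a seed phrase or key appears to be present.
Added example; rule set is assumed, not SparkKitty's actual filter.
"""
import re
from typing import Dict, List, Set

# BIP39 mnemonic sizes, checked longest first so a 24-word phrase is
# reported as one window rather than as its 12-word prefix.
MNEMONIC_LENGTHS = (24, 21, 18, 15, 12)
WORD_RE = re.compile(r"^[a-z]{3,8}$")              # BIP39 words are 3-8 lowercase letters
HEX_KEY_RE = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")   # 32-byte key as hex
EVM_ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")       # 20-byte address as hex
# Function words that ordinary prose is full of but a mnemonic is not
# (assumption: none of these are on the BIP39 English word list).
STOPWORDS = {"the", "and", "for", "with", "from", "your", "our",
             "are", "was", "were", "has", "not", "but"}


def tokens(text: str) -> List[str]:
    """Lowercase alphabetic runs from OCR output; list numbering like '1.' or '12)' is dropped."""
    return [t.lower() for t in re.findall(r"[A-Za-z]+", text)]


def find_mnemonic(words: List[str]) -> List[str]:
    """Return the first run of words that has the shape of a BIP39 mnemonic, else []."""
    for n in MNEMONIC_LENGTHS:
        for i in range(len(words) - n + 1):
            window = words[i:i + n]
            if (all(WORD_RE.match(w) for w in window)
                    and not any(w in STOPWORDS for w in window)
                    and len(set(window)) >= n - 1):   # random draws from 2048 words are near-distinct
                return window
    return []


def classify(ocr_text: str) -> Set[str]:
    """Labels describing which kinds of wallet secret the OCR text appears to contain."""
    labels: Set[str] = set()
    if find_mnemonic(tokens(ocr_text)):
        labels.add("seed_phrase")
    if HEX_KEY_RE.search(ocr_text):
        labels.add("private_key")
    if EVM_ADDR_RE.search(ocr_text):
        labels.add("wallet_address")
    return labels


def audit_gallery(gallery: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each flagged image name to its labels; images with no hit are omitted."""
    return {name: labels for name, text in gallery.items() if (labels := classify(text))}


# Constructed OCR output for four fictitious screenshots (not real wallets or keys).
SAMPLES = {
    "seed.png": ("Recovery Phrase\n"
                 "1. ripple 2. lizard 3. awesome 4. torch\n"
                 "5. village 6. bamboo 7. harvest 8. ocean\n"
                 "9. pencil 10. dolphin 11. mirror 12. sunset"),
    "menu.jpg": "Grilled chicken with lemon butter sauce and rice 12.50\nOpen daily from 11 to 22",
    "key.png": "Private key (keep secret!)\n0x" + "ab12cd34" * 8,
    "addr.png": "Send to: 0x" + "1234abcd" * 5,
}

if __name__ == "__main__":
    for name, labels in audit_gallery(SAMPLES).items():
        print(f"{name}: {', '.join(sorted(labels))}")
```

The menu screenshot is rejected because its twelve tokens include the stopwords "with", "and" and "from" and a two-letter word, which is the "casual photo versus financial information" distinction the article describes; a real deployment would add the full BIP39 word list and checksum validation to cut false positives further.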

Related campaigns discovered during Kaspersky’s investigation revealed even more sophisticated implementations, including versions targeting backup procedures by displaying fake security warnings instructing users to “back up your wallet key in the settings within 12 hours” or risk losing access to their wallets.

These social engineering overlays guide victims through accessing their seed phrases, allowing the malware’s Accessibility Logger to capture the information directly rather than relying solely on existing screenshots.

The broader implications extend beyond individual theft to systematic crypto mining operations, as evidenced by related campaigns such as those of the Librarian Ghouls APT group, which combines credential theft with unauthorized Monero mining on compromised devices.

These dual-purpose attacks create ongoing revenue streams for cybercriminals, who steal existing crypto holdings and use victims’ computational resources to mine additional digital assets. Thus, compromised devices effectively become profit-generating infrastructure for extended periods.


@2025  All Rights Reserved.  FindTopBargains