Kaspersky researchers have discovered new malware called SparkKitty, which is actively attacking cryptocurrency users in China and Southeast Asia.
How SparkKitty Works
SparkKitty infects smartphones and covertly scans all saved images on the device. The malware specifically looks for screenshots of wallet recovery phrases—a common backup method for 12- or 24-word seed phrases. Once detected, the malware can extract and transmit this sensitive information, allowing attackers to hijack users’ wallets.
Infection through Legitimate Apps
The SparkKitty malware spreads by masquerading as legitimate mobile applications, including:
* "币 coin" – a cryptocurrency tracking app available on the Apple App Store.
* "SOEX" – a messaging and trading app with over 100,000 downloads on Google Play, claiming to offer crypto trading features.
These apps acted as entry points for SparkKitty to infect devices without raising immediate suspicion. Kaspersky has since notified Google and Apple, and the apps have been removed from their respective stores.
Global Threat and Recommendations
Researchers believe SparkKitty is linked to another malware called SparkCat, discovered in January 2024. Both share code structures and behavioral patterns. SparkKitty has reportedly been in operation since at least early 2024, quietly targeting users in Asia. Although the malware’s current focus is on China and Southeast Asia, Kaspersky warned that its technical capabilities pose a global threat. Cryptocurrency users are urged to avoid storing sensitive recovery data in unencrypted photo albums and to be cautious of apps with unclear provenance, even on official app stores.
The SparkKitty malware poses a serious threat to cryptocurrency users, highlighting the need for awareness and caution when using mobile applications.