24 June 2025
New Mobile Spyware SparkKitty Targets Users’ Crypto Wallet Credentials
A new mobile spyware strain, SparkKitty, has been discovered on Apple’s App Store and Google Play, disguised as crypto-themed and modified apps. It targets users to extract seed phrases and wallet credentials.
Key details include:
- Successor to SparkCat, which used fake support chats to access user images.
- Confirmed in multiple official apps, including a messaging app with crypto features and an iOS portfolio tracker named “币coin.”
- iOS version employs a modified AFNetworking or Alamofire framework to exfiltrate data upon app launch.
- Android variant uses altered Java libraries and Google ML Kit for image processing to identify sensitive information.
- Victims must trust a developer certificate linked to “SINOPEC SABIC Tianjin Petrochemical Co. Ltd.” for system-level permissions.
- Command-and-control (C2) addresses utilize AES-256 encrypted configuration files for instructions on data theft.
- Targeting focuses primarily on users in China and Southeast Asia but is not regionally restricted.
- Apple and Google removed the affected apps after the discovery; however, the campaign may continue through side-loaded variants.
Kaspersky researchers noted an evolution in the malware's toolset and continuous distribution methods. The threat has remained active since early 2024.