Urgent Warning: Malware Stealing Cryptocurrency Wallet Seed Phrases on Mobile

Kaspersky's security experts have detected a mobile malware campaign targeting cryptocurrency users through infected applications.

The SparkKitty spyware has been documented stealing screenshots containing seed phrases, using optical character recognition (OCR) to pick them out, on both iOS and Android, and it has been distributed through the official app stores.

The SparkKitty malware infiltrates mainstream app stores, targeting cryptocurrency users.

Kaspersky researchers discovered the SparkKitty espionage campaign in January 2025, following the identification of the SparkCat malware that specifically targeted cryptocurrency wallets earlier. This threat distributes malicious applications through both unofficial sources and Google Play and the App Store; the infected apps were removed from Google Play after warnings.

SparkKitty targets both iOS and Android with different deployment mechanisms. On iOS, the malware payload is delivered through frameworks that emulate legitimate libraries such as AFNetworking.framework or Alamofire.framework, or through a spoofed library masquerading as libswiftDarwin.dylib. The malware is also directly integrated into the application.

On Android, SparkKitty is written in Java and Kotlin, and the Kotlin version is a malicious Xposed module. Most versions of the malware steal every image on the device indiscriminately, but the researchers found malicious clusters that use OCR to selectively target images containing sensitive information.

The campaign has been active since at least February 2024 and shares many attack techniques and infrastructure with the previous SparkCat campaign.

Compared to SparkCat, which only targeted seed phrases, SparkKitty has a broader scale by collecting all images on the infected device, posing a risk of stealing more financial and personal data.

The TikTok mod from unverified app stores is the main entry point.

Kaspersky experts detected the campaign while monitoring suspicious links that were persistently spreading a modified TikTok build for Android. This variant runs additional malicious code when the user launches the app's main activity.

The configuration URL is presented as a button in the infected app, launching a WebView session to display TikToki Mall – an e-commerce portal that accepts cryptocurrency payments.

Registration and purchases require an invitation code, which prevented the researchers from verifying the store's level of activity or its legitimacy. On iOS, the loophole is the abuse of enterprise profiles from the Apple Developer Program to bypass the standard app installation restrictions.

Figure: Screenshots of the infected application on the App Store.

Attackers abuse enterprise certificates to distribute organizationally signed apps, which lets a malicious app be installed on any device without App Store review. Abuse of enterprise profiles is common for apps that would not pass review, such as online casinos, cracked software, or pirated mods.

The infected TikTok iOS build requests access to the photo library immediately upon launch – a behaviour not present in the official TikTok app. The malware is embedded in a spoofed AFNetworking.framework, with modifications to the AFImageDownloader class and other components of AFImageDownloaderTool.
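The two iOS indicators described above, a privacy permission the legitimate app never asks for and a bundled framework whose name mimics a popular library, both lend themselves to a static triage check on the app bundle. The following is an added example, not Kaspersky's tooling or anything from the report: it compares an IPA's Info.plist usage-description keys and its Frameworks directory against a baseline for a known-good build. The IPA it inspects is constructed in memory with a fake binary, and the baseline dictionary and bundle identifier are assumptions for the demo.

```python
"""Static triage of an iOS app bundle (IPA) for two SparkKitty-style indicators:
a photo-library permission the known-good build does not declare, and a bundled
framework whose name mimics a well-known library.

Added example, not Kaspersky's code. The IPA and the baseline are constructed
assumptions for the demo.
"""
import io
import plistlib
import zipfile

# Assumed baseline for a known-good build of the app: the privacy usage keys it
# legitimately declares and the frameworks it is expected to ship with.
BASELINE = {
    "privacy_keys": {"NSCameraUsageDescription", "NSMicrophoneUsageDescription"},
    "frameworks": {"Alamofire.framework"},
}

# Library names the report says the payload hides behind (spoofed copies).
SPOOFED_NAMES = {"AFNetworking.framework", "Alamofire.framework", "libswiftDarwin.dylib"}


def build_constructed_ipa(extra_privacy_keys, frameworks):
    """Construct an in-memory IPA-like zip as a stand-in for a real app bundle."""
    info = {
        "CFBundleIdentifier": "com.example.app",  # placeholder bundle id
        "NSCameraUsageDescription": "Used to record videos",
    }
    for key in extra_privacy_keys:
        info[key] = "Needed by the app"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/App.app/Info.plist", plistlib.dumps(info))
        for fw in frameworks:
            if fw.endswith(".dylib"):
                # A bare dylib sits directly in Frameworks/.
                z.writestr(f"Payload/App.app/Frameworks/{fw}", b"\x00fake-dylib")
            else:
                # A .framework bundle is a directory containing its binary.
                binary = fw.split(".")[0]
                z.writestr(f"Payload/App.app/Frameworks/{fw}/{binary}", b"\x00fake-binary")
    return buf.getvalue()


def triage_ipa(ipa_bytes):
    """Return a list of findings where the bundle deviates from BASELINE."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        plist_name = next(n for n in z.namelist() if n.endswith(".app/Info.plist"))
        info = plistlib.loads(z.read(plist_name))
        # First path component after Frameworks/ is the framework or dylib name.
        frameworks = {n.split("/Frameworks/")[1].split("/")[0]
                      for n in z.namelist() if "/Frameworks/" in n}

    # Indicator 1: a privacy usage key the known-good build does not declare
    # (e.g. photo-library access requested by the trojanised build).
    declared = {k for k in info if k.endswith("UsageDescription")}
    for key in sorted(declared - BASELINE["privacy_keys"]):
        findings.append(f"unexpected privacy key: {key}")

    # Indicator 2: a bundled framework absent from the baseline, with a note
    # when its name mimics a popular library.
    for fw in sorted(frameworks - BASELINE["frameworks"]):
        tag = " (mimics a known library name)" if fw in SPOOFED_NAMES else ""
        findings.append(f"unexpected framework: {fw}{tag}")
    return findings


if __name__ == "__main__":
    clean = build_constructed_ipa([], ["Alamofire.framework"])
    suspicious = build_constructed_ipa(
        ["NSPhotoLibraryUsageDescription"],
        ["Alamofire.framework", "AFNetworking.framework", "libswiftDarwin.dylib"],
    )
    print("clean build:", triage_ipa(clean))
    print("suspicious build:", triage_ipa(suspicious))
```

The check is a diff against a trusted baseline rather than a signature: a framework named after a real library is only suspicious when the genuine build does not ship it, which is exactly the situation the report describes for AFNetworking.framework in the modified TikTok build.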

The Android malware version steals photos through cryptocurrency-themed applications.

The Android version of SparkKitty operates through cryptocurrency applications with embedded malicious code at the entry points. The malware requests a configuration file containing the command and control (C2) server address, decrypting it using AES-256 ECB before establishing communication with the remote server.

Photo theft is a two-step procedure: first the device is 'fingerprinted', then selected images are uploaded. The malware generates an MD5 hash combining the IMEI, the MAC address, and a random UUID, and stores these identifiers on external storage.

Figure: Profile installation process. Source: Kaspersky.

The casino application integrates the LSPosed framework acting as an Xposed module targeting the app's entry point. A messaging app that integrated cryptocurrency exchange features had over 10,000 installs before being removed from Google Play following Kaspersky's warning.

Progressive Web Apps (PWAs) are distributed through scam platforms promoting Ponzi schemes on popular social networks. The page hosting the PWA requires users to download an APK file and register. The malware then processes image content, including JPEG and PNG files, using Google ML Kit OCR to scan screenshots that contain text.

Source: https://tintucbitcoin.com/canh-bao-malware-lay-cap-seed-phrase/
