Sparkkitty Searches for Crypto Seed Phrases in Screenshots
According to SlowMist and Kaspersky, SparkKitty steals media files and scavenges them for crypto wallet seed phrases. In a report, Kaspersky analysts Sergey Puzan and Dmitry Kalinin noted that the malware targets iOS and Android devices. It spreads by hiding within certain apps available on the Apple App Store and Google Play Store.
More specifically, Puzan and Kalinin believe that screenshots of crypto wallet seed phrases and other sensitive data are the media files SparkKitty is primarily interested in. The same tactics were used by SparkCat, which Kaspersky identified in an investigation in January.
The malware appears to have no regional boundaries, though users in Southeast Asia and China seem to be the most frequently targeted.
币coin, a supposed crypto information tracker on the App Store, and SOEX are two apps identified as delivering the SparkKitty malware.
SOEX is a messaging app with “crypto exchange features” on Google Play. What the two apps have in common is that they focus on digital assets.
SparkKitty has also been found distributed through casino apps, adult-themed games, and malicious TikTok clones.
Kaspersky analysts revealed that the SOEX app had been uploaded to Google Play and downloaded more than 10,000 times. After being notified, Google removed the app from the store and blacklisted its developer.
According to a Google spokesperson, “Android users are automatically protected against this app regardless of download source by Google Play Protect, which is on by default on Android devices with Google Play Services.”
In the past, Google has taken similar actions against suspicious apps. For example, two years ago, the Chinese e-commerce app Pinduoduo was suspended after malware was found in unauthorized versions of the software.