SparkKitty Malware Drains Crypto Wallets On iOS And Android

A new mobile threat is targeting crypto holders on both iOS and Android. Dubbed SparkKitty, the Trojan hides in seemingly legit apps to steal wallet seed phrases and drain funds in minutes.


Protect your seed phrases at all times. A new virus is out and hunting for crypto wallets. The SparkKitty Trojan, a strain of mobile malware, infects both Android and iOS smartphones, searching for sensitive data and giving attackers the means to siphon off funds. Currently, the virus primarily targets residents of Southeast Asia and China, though the threat could expand globally.

The malware lurks in apps linked to cryptocurrency, gambling, and even TikTok mods (modified versions of the app), distributed through scam websites as well as official app distribution channels, i.e., App Store and Google Play.

First identified by Kaspersky researchers, SparkKitty is linked to the earlier SparkCat campaign discovered by the same company in February this year. Experts suggest the hackers repackaged the virus and embedded it into new apps.

SparkKitty – the infection chain

SparkKitty masquerades as familiar frameworks, such as AFNetworking.framework and Alamofire.framework on iOS, or as Java/Kotlin-based Xposed modules on Android. In this disguise, it is able to slip past App Store and Google Play screening and make its way onto users’ phones. The malware also spreads through third-party marketplaces and phishing sites offering TikTok mods, with downloads driven through social links or Telegram channels.

SparkKitty-infected TikTok
Source: Kaspersky

Once installed, the compromised app requests permissions unusual for its function. Users are tricked into installing developer profiles or granting special rights, allowing the malware to bypass protections. After installation, the Trojan remains dormant until the user opens a specific screen, typically a support chat. Then the malware prompts for permission to access the photo gallery. If access is granted, SparkKitty uses optical character recognition (OCR) to scan images, searching for screenshots containing text, specifically seed phrases.

Identified screenshots and any harvested text are encrypted (AES-256 or similar) and exfiltrated to attacker-controlled command-and-control endpoints, often hosted on cloud services like AWS S3 or Alibaba OSS, enabling rapid redeployment of updated payloads if needed.

With seed phrases in hand, attackers import wallets and drain all funds within minutes. The campaign, active since at least early 2024, has already hit thousands of users before Kaspersky’s takedown requests led to the removal of the infected apps from official stores.

SparkKitty – infected apps

Kaspersky researchers have identified several apps through which the SparkKitty Trojan has infected iOS and Android devices, primarily targeting cryptocurrency users. The full list is evolving as the investigation continues. Here’s a snapshot of SparkKitty’s footprint across iOS and Android.

币coin

This app, posing as a cryptocurrency information tracker, was available on the official Apple App Store. It passed Apple’s review process before being flagged as malicious and removed.

SparkKitty-infected app
Source: Kaspersky

Coin Wallet Pro

Marketed as a secure multi-chain wallet, Coin Wallet Pro gained traction through social media ads and Telegram channels. It briefly appeared on the Apple App Store before being removed.

Soex Wallet Tracker

A portfolio management app available on Google Play, downloaded over 5,000 times before being delisted.

Fake TikTok, casino, gambling, and adult game apps

Trojanized TikTok clones, casino apps, adult-themed games, and gambling apps distributed via official and unofficial channels also carried the malware.

How to protect a seed phrase from crypto theft?

Online threats to crypto wallets are getting increasingly sophisticated, and SparkKitty is just the latest example of a long-term trend. Malware that targets seed phrases by exploiting mobile device permissions and biometric bypasses poses a serious risk and shouldn’t be underestimated. Here are essential steps to keep your crypto assets secure.

1. Never store seed phrases digitally on connected devices

Avoid taking photos or screenshots of your seed phrase, and never save it in cloud storage or note-taking apps synced online.

2. Use physical storage methods

Write down your seed phrase on paper and keep it in a secure, private location. Some users opt for metal seed phrase storage devices designed to withstand physical damage, ensuring your backup remains intact even in adverse conditions.

3. Avoid granting unnecessary permissions

Avoid apps requesting access to your photo gallery or other sensitive data, especially if they are crypto-related but come from unofficial sources.
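One way to check this on Android is to audit which third-party apps currently hold photo-gallery read access, the permission SparkKitty asks for before scanning screenshots. The script below is an added example, not code from the article or from Kaspersky; it parses the "runtime permissions:" lines that `adb shell dumpsys package <pkg>` prints, and the sample dumps, package names and allow-list are constructed and hypothetical.

```python
import re
import subprocess

# Added example (not from the article or Kaspersky): flag third-party Android apps that
# hold photo/gallery read access and are not on a user allow-list. Input is the
# "runtime permissions:" section of `adb shell dumpsys package <pkg>` (format assumed).

GALLERY_PERMS = {
    "android.permission.READ_MEDIA_IMAGES",      # Android 13+
    "android.permission.READ_EXTERNAL_STORAGE",  # Android 12 and earlier
}
ALLOWLIST = {"com.example.camera"}  # apps the user knowingly trusts with photos (hypothetical)
# e.g. "    android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]"
PERM_LINE = re.compile(r"^\s*([\w.]+): granted=(true|false)", re.M)

def granted_gallery_perms(dump: str) -> set:
    """Gallery permissions with granted=true in one package's dumpsys output."""
    return {p for p, g in PERM_LINE.findall(dump) if p in GALLERY_PERMS and g == "true"}

def flag_packages(dumps: dict, allowlist=ALLOWLIST) -> dict:
    """Return {package: gallery perms held} for packages not on the allow-list."""
    flagged = {}
    for pkg, dump in dumps.items():
        perms = granted_gallery_perms(dump)
        if perms and pkg not in allowlist:
            flagged[pkg] = perms
    return flagged

def adb_dumps() -> dict:
    """Collect dumpsys output for every third-party (-3) package on a connected device."""
    def sh(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout
    pkgs = [l.split(":", 1)[1].strip() for l in sh("pm", "list", "packages", "-3").splitlines()
            if l.startswith("package:")]
    return {p: sh("dumpsys", "package", p) for p in pkgs}

# Constructed sample dumps: a "wallet tracker" holding photo access, a trusted camera app,
# and a notes app whose storage request was denied (hypothetical package names).
SAMPLE_DUMPS = {
    "com.example.wallettracker": "  runtime permissions:\n"
        "    android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]\n"
        "    android.permission.CAMERA: granted=false, flags=[ USER_SET ]\n",
    "com.example.camera": "  runtime permissions:\n"
        "    android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]\n",
    "com.example.notes": "  runtime permissions:\n"
        "    android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]\n",
}

if __name__ == "__main__":  # swap SAMPLE_DUMPS for adb_dumps() to audit a real device
    for pkg, perms in flag_packages(SAMPLE_DUMPS).items():
        print(f"{pkg}: {', '.join(sorted(perms))}")
```

Any flagged package that has no legitimate need for your photos is a candidate for revoking the permission or uninstalling the app; on iOS the equivalent review is manual, under Settings > Privacy & Security > Photos.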

4. Use hardware wallets when possible

Hardware wallets store your private keys offline, making them immune to malware like SparkKitty. Even if your phone or computer is compromised, your crypto assets remain safe as long as the hardware wallet is used correctly.

5. Keep devices and apps updated

Regularly update your mobile operating system and wallet apps. Security patches often fix vulnerabilities that malware exploits to bypass biometric checks or escalate privileges.

6. Enable additional security layers

Where available, enable multi-factor authentication (MFA) on your wallet accounts and related services. While MFA doesn’t protect the seed phrase itself, it adds a valuable barrier against unauthorized access.

7. Be skeptical of unknown apps and links

Avoid downloading crypto wallets or related apps from unofficial stores or links received via email, social media, or messaging apps.

Following these best practices will help you significantly reduce the risk of losing your seed phrase to bad actors.