Kaspersky Lab’s research arm, SecureList, has uncovered a new malware threat dubbed SparkKitty, designed to extract images from compromised devices in search of cryptocurrency seed phrases.
Cybersecurity researchers Sergey Puzan and Dmitry Kalinin from Kaspersky report that SparkKitty is actively attacking both iOS and Android platforms by sneaking into certain apps available through the Apple App Store and Google Play.
The report revealed that attackers embedded a malicious SDK or framework into certain apps, enabling the malware to activate once a user accessed a specific screen, often a support chat interface. At that point, it would request permission to access the device’s photo gallery and deploy an OCR model to identify and extract targeted images.
The researchers believe the newly identified spyware is linked to SparkCat, a previously discovered malware strain first documented earlier this year.
According to the findings, one of the malware delivery methods involved an app called 币coin, which presented itself as a cryptocurrency information tracker and was available on Apple’s App Store.
The malware was also distributed through an app called SOEX, a messaging platform claiming to offer cryptocurrency exchange functionalities, and was available on Google Play.
During routine monitoring of suspicious URLs, Puzan and Kalinin identified multiple nearly identical web pages distributing modified versions of TikTok for Android. These modified apps were engineered to run hidden code as soon as the app’s main functionality was launched.
The report also detailed that the modified TikTok app displayed links from its configuration file as clickable buttons. When users tapped these, a WebView window opened, directing them to an online marketplace called TikToki Mall, which accepted cryptocurrency for purchases. iPhone users navigating the site, however, were taken through multiple redirects to a counterfeit App Store page urging them to download an app.
Although SparkKitty shares notable similarities with SparkCat and is likely developed by the same threat actors, several distinct differences have been identified.
“Unlike SparkCat, the spyware we analyzed above doesn’t show direct signs of the attackers being interested in victims’ crypto assets. However, we still believe they’re stealing photos with that exact goal in mind,” the researchers wrote.
The researchers’ data indicated that the primary targets of this malware campaign are users in Southeast Asia and China, with the majority of infected applications found within Chinese gambling games, TikTok modifications, and adult-themed games.
Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Magazine and The Shib Daily are the official media and publications of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.