Some of these apps managed to bypass the security controls of official stores, racking up thousands of downloads before being removed, according to the Kaspersky report.
“The data shows that this campaign is primarily targeting users in Southeast Asia and China. However, that doesn't mean other countries are beyond SparkKitty's grasp. The malware has been spreading since at least early 2024, and in the past year and a half, the attackers have likely considered expanding their operations to other countries and continents. Nothing stops them.”
Kaspersky, security firm.
How does SparkKitty work?
SparkKitty's operation is alarmingly simple. Once installed, the malicious app requests access to the photo gallery, a permission that users often grant without suspecting.
From there, it scans all images, identifying wallet seed phrases or sensitive data using OCR, and sends them to attacker-controlled servers . In some cases, the malware uses social engineering, displaying fake warnings that encourage users to save their seed phrases in screenshots, facilitating the theft.
This malware is an evolution of SparkCat, identified by Kaspersky in January 2024. Unlike its predecessor, SparkKitty does not selectively filter images, but steals all photos from the gallery, increasing the risk of exposing sensitive data, such as passwords or private messages.
To avoid falling victim to SparkKitty, users should take strict security measures. Never store seed phrases in screenshots or the device's gallery. Instead, it's recommended to use a secure physical medium, such as paper, or a trusted password manager.
Reviewing installed apps and removing those of dubious origin is another Kaspersky recommendation. Additionally, denying gallery access permissions to apps that don't require it and using antivirus solutions on Android, such as Google Play Protect, mitigates these risks.