InfoSecBulletin Cybersecurity for mankind
Kaspersky found a new mobile malware dubbed SparkKitty in Google Play and Apple App Store apps, targeting Android and iOS.
This malware may represent an advanced version of SparkCat, which Kaspersky identified back in January. SparkCat employed optical character recognition (OCR) technology to extract cryptocurrency wallet recovery phrases from images stored on compromised devices.
WhatsApp banned on all US House of Representatives devices
Kaspersky found “SparkKitty” Malware on Google Play, Apple App Store
OWASP AI Testing Guide Launched to Uncover Vulns in AI Systems
Axentec Launches Bangladesh’s First Locally Hosted Tier-4 Cloud Platform
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
During crypto wallet installation, users are advised to record the recovery phrase and store it safely offline. Access to this seed phrase can be used to restore a crypto wallet and its stored assets on another device, making them a valuable target for threat actors.
While taking a screenshot of your seed phrase is never a good idea, some people do so for convenience.
A report from Kaspersky reveals that the new SparkKitty malware indiscriminately pilfers every image from the photo gallery of an infected device.
Kaspersky suggests that the malware targets crypto wallet seed phrases, but the stolen data might also be exploited for extortion if it includes sensitive content.
The SparkKitty malware:
The SparkKitty campaign has been spreading since February 2024, using both official app stores and unofficial sites.
Kaspersky identified two malicious apps: 币coin on the Apple App Store and SOEX on Google Play. Both have been removed as of now.
SOEX is a messaging app that also allows cryptocurrency exchange and has been downloaded over 10,000 times from the Android app store.
Kaspersky found altered TikTok clones that include fake cryptocurrency stores, gambling apps, adult games, and casino apps featuring SparkKitty, all spread through unofficial channels.
On iOS, SparkKitty is included as fake frameworks (AFNetworking.framework, libswiftDarwin.dylib) and may be distributed through enterprise provisioning profiles.
Malware on Android is found in Java/Kotlin apps, including those with harmful Xposed/LSPosed modules.
The harmful framework exploits the Objective-C ‘+load’ method to run code automatically when an iOS app starts. It checks configurations by reading keys from the app’s Info.plist and continues execution only if the values match certain strings.
Malware on Android activates when an app launches or when users perform certain actions, like opening a specific screen. Once active, it fetches and decrypts a remote config file with AES-256 (ECB mode) to obtain C2 URLs.
On iOS, the malware asks for access to the photo gallery, while on Android, it requests storage permissions to access images. If granted on iOS, the malware monitors the gallery for changes and steals new or unuploaded images. To read the full report click here.
