Kaspersky reports compromised mobile malware stealing users’ crypto seed phrases
The post Kaspersky reports compromised mobile malware stealing users’ crypto seed phrases appeared on BitcoinEthereumNews.com.
Kaspersky security researchers have uncovered a mobile malware campaign targeting cryptocurrency users through infected applications. The SparkKitty spyware reportedly steals device screenshots containing seed phrases, using optical character recognition (OCR), on both iOS and Android, and has been distributed through the official app stores.

SparkKitty malware infiltrates official app stores targeting crypto

Kaspersky researchers discovered the SparkKitty spyware campaign in January 2025, following their earlier identification of the SparkCat malware targeting cryptocurrency wallets. The new threat distributes malicious applications through unofficial sources as well as the official Google Play and App Store platforms; the infected apps have already been removed from Google Play following the researchers' notification.

SparkKitty attacks iOS and Android with multiple delivery mechanisms on each platform. On iOS, the malicious payload is delivered through frameworks that masquerade as legitimate libraries such as AFNetworking.framework or Alamofire.framework, or through obfuscated libraries masquerading as libswiftDarwin.dylib. The malware can also be embedded directly into the application itself. On Android, the malware exists in both Java and Kotlin variants, with the Kotlin versions deployed as malicious Xposed modules.

Most versions of the malware indiscriminately exfiltrate every image on the device, although the researchers also detected related malicious clusters that use optical character recognition to single out pictures containing sensitive information. The campaign has been active since at least February 2024, and it shares targeting tactics and infrastructure with the earlier SparkCat operation. SparkKitty has a wider reach than SparkCat's targeted theft of cryptocurrency seed phrases because it scrapes every image available on an infected device, which means it can also harvest other kinds of sensitive financial and personal information stored in device galleries.
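One way to catch the iOS delivery technique described above from the defender's side is a release-time integrity audit of an app's embedded frameworks. The script below is an added example, not Kaspersky's code or anything from the report: it unpacks an IPA archive, hashes every framework executable and dylib under the Frameworks directory, and flags any binary that is not on a pinned allowlist or whose SHA-256 does not match the expected build, so a repackaged app that ships an altered library named AFNetworking or Alamofire, or an unlisted libswiftDarwin.dylib, is reported before it reaches a store. The archive layout, the allowlist entries and the sample IPA are all constructed for the example; the hashes are derived from the constructed bytes and are not real library digests.

```python
"""Audit the embedded frameworks of an iOS app archive (IPA) against a pinned SHA-256 allowlist."""
import hashlib
import io
import zipfile

# Constructed allowlist: embedded-binary name -> SHA-256 of the build you expect to ship.
# The digests are computed from the constructed stand-in bytes below, not from real releases.
_EXPECTED_BYTES = {
    "AFNetworking.framework/AFNetworking": b"constructed stand-in for the genuine AFNetworking binary",
    "Alamofire.framework/Alamofire": b"constructed stand-in for the genuine Alamofire binary",
}
ALLOWLIST = {name: hashlib.sha256(data).hexdigest() for name, data in _EXPECTED_BYTES.items()}


def embedded_binaries(ipa_bytes):
    """Yield (relative_name, content) for each loadable binary under a Frameworks directory.

    relative_name is the path below 'Frameworks/', e.g. 'Foo.framework/Foo' or 'libbar.dylib'.
    Framework resources such as Info.plist are skipped; only the executable and bare dylibs count.
    """
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            if "Frameworks" not in parts:
                continue
            rel_parts = parts[parts.index("Frameworks") + 1:]
            is_framework_exec = (
                len(rel_parts) == 2
                and rel_parts[0].endswith(".framework")
                and rel_parts[1] == rel_parts[0][: -len(".framework")]
            )
            is_dylib = len(rel_parts) == 1 and rel_parts[0].endswith(".dylib")
            if is_framework_exec or is_dylib:
                yield "/".join(rel_parts), zf.read(info)


def audit_ipa(ipa_bytes, allowlist=ALLOWLIST):
    """Return sorted (binary, reason) findings: 'unexpected' for unlisted libraries,
    'hash-mismatch' for listed libraries whose content differs from the pinned build."""
    findings = []
    for rel, data in embedded_binaries(ipa_bytes):
        digest = hashlib.sha256(data).hexdigest()
        if rel not in allowlist:
            findings.append((rel, "unexpected"))
        elif digest != allowlist[rel]:
            findings.append((rel, "hash-mismatch"))
    return sorted(findings)


def build_sample_ipa():
    """Construct a tiny IPA with one genuine framework, one tampered framework and one unlisted dylib."""
    buf = io.BytesIO()
    base = "Payload/Wallet.app/Frameworks/"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Wallet.app/Info.plist", "<plist/>")
        zf.writestr(base + "AFNetworking.framework/Info.plist", "<plist/>")
        zf.writestr(base + "AFNetworking.framework/AFNetworking",
                    _EXPECTED_BYTES["AFNetworking.framework/AFNetworking"])  # matches the allowlist
        zf.writestr(base + "Alamofire.framework/Alamofire",
                    b"constructed stand-in for a swapped-in binary")  # same name, different content
        zf.writestr(base + "libswiftDarwin.dylib",
                    b"constructed stand-in for an unlisted dylib")  # not on the allowlist at all
    return buf.getvalue()


if __name__ == "__main__":
    for binary, reason in audit_ipa(build_sample_ipa()):
        print(f"{reason:14s} {binary}")
```

The check is deliberately name-and-content based: a library that keeps a legitimate name but carries different bytes is reported just as loudly as one that is not supposed to be there. In a real pipeline the allowlist would be generated from the dependency lockfile of a clean build and the audit run on the archive that is actually submitted to the store.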
TikTok mods from obscure stores serve as primary infection vector

Kaspersky analysts first came across the campaign while tracking suspicious links that were regularly propagating modified TikTok Android apps. The modified apps executed additional malicious code when users launched the main app activities. The config file URLs were presented…
Filed under: News - @ June 24, 2025 11:25 am