SparkKitty malware on Google Play and App Store steals photos and crypto wallets using OCR, exposing millions to privacy and financial risks.

Continue reading
A sophisticated mobile malware campaign has successfully infiltrated both Google Play and Apple's App Store, stealing users' personal photos and cryptocurrency assets through a malicious software dubbed SparkKitty. Security researchers at Kaspersky have exposed this critical threat that represents an alarming evolution in mobile cybercrime, targeting millions of users worldwide through seemingly legitimate applications.
SparkKitty represents a dangerous evolution of the SparkCat malware discovered in January 2024, employing advanced optical character recognition (OCR) technology to systematically steal sensitive data from infected devices. The malware operates through a sophisticated multi-stage attack process that has caught both Apple and Google’s security systems off guard.
The attack sequence begins when users download infected applications from official app stores. Two primary malicious applications were identified: SOEX, a messaging app with cryptocurrency exchange features downloaded over 10,000 times from Google Play, and 币coin, a cryptocurrency information tracker on Apple’s App Store.
Once installed, SparkKitty requests access to device photo galleries under the pretense of legitimate app functionality. On iOS devices, the malware automatically executes using the Objective-C '+load' method, while Android versions trigger during app launch or specific user actions. The malware then retrieves encrypted configuration files using AES-256 encryption to establish command-and-control server connections.
The SparkKitty campaign has demonstrated unprecedented reach and sophistication in mobile malware attacks. Kaspersky researchers confirmed that infected applications achieved over 242,000 downloads through Google Play alone, with additional distribution through unofficial channels and modified applications.
The malware's primary objective involves systematically exfiltrating entire photo libraries from infected devices, specifically targeting cryptocurrency wallet recovery phrases stored as screenshots. These seed phrases provide complete access to victims’ digital wallets, enabling attackers to steal substantial cryptocurrency holdings. Beyond crypto theft, the malware poses severe privacy risks by stealing personal photographs that could be used for extortion or identity theft.
SparkKitty employs multiple sophisticated techniques to evade detection and maximize data theft. On iOS platforms, the malware disguises itself within fake frameworks, including AFNetworking.framework and libswiftDarwin.dylib, often delivered through enterprise provisioning profiles. Android implementations utilize malicious Xposed and LSPosed modules to exploit low-level system vulnerabilities.
The malware's OCR capabilities represent a significant technological advancement in mobile cybercrime. Some variants integrate Google's ML Kit library to perform intelligent text detection, filtering images to identify only those containing sensitive textual information such as recovery phrases or passwords. This targeted approach reduces data transmission requirements while maximizing the value of stolen information.
Both Google and Apple have responded to the SparkKitty disclosure by removing identified malicious applications and banning associated developer accounts. Google spokesperson Ed Fernandez confirmed that _"all identified apps have been removed from Google Play, and the developers have been banned,"_ while emphasizing that Google Play Protect provides automatic protection against known malware variants.
However, the successful infiltration of official app stores raises serious questions about current security review processes. Despite Apple's rigorous app review procedures, SparkKitty bypassed multiple security layers, highlighting critical vulnerabilities in mobile platform security.
SparkKitty's distribution extends far beyond official app stores, encompassing a sophisticated network of malicious applications and modified software. Researchers identified infected TikTok clones, gambling applications, adult-themed games, and casino apps distributed through unofficial channels. The campaign focuses on users in China and Southeast Asia, though its technical architecture poses global security risks.
The malware's multi-language OCR capabilities support English, Chinese, Japanese, Korean, and various European languages, indicating broad international targeting.
Security experts emphasize several crucial protective measures for mobile users. Primary recommendations include never storing cryptocurrency recovery phrases as device screenshots, implementing strict app permission controls, and avoiding installation of applications from unverified sources.
Kaspersky analysts Sergey Puzan and Dmitry Kalinin recommend immediately deleting suspicious applications and regularly running security scans using reputable mobile security solutions. Users should scrutinize app permissions, particularly requests for photo gallery or storage access that seem unrelated to core app functionality.
The SparkKitty campaign represents a critical escalation in mobile malware sophistication and demonstrates the urgent need for enhanced platform security measures. With mobile malware attacks reaching 12 million incidents in Q1 2025 alone, the threat landscape continues expanding rapidly.
The successful infiltration of official app stores by OCR-equipped malware signals a new era of mobile cybercrime that traditional security measures struggle to address. As cryptocurrency adoption increases globally, similar campaigns targeting digital assets through mobile devices will likely proliferate, requiring immediate industry-wide security improvements and user education initiatives.
The SparkKitty incident serves as a stark reminder that official app stores cannot guarantee absolute security. Combating evolving mobile threats requires heightened vigilance from both users and platform operators.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.