Particle.news

Apple and Google Pull Apps Following Discovery of SparkKitty Crypto Malware

Kaspersky’s findings led to removal of the infected 币coin and SOEX apps after they had siphoned photos of cryptocurrency wallet recovery phrases.

Overview

  • The SparkKitty campaign has been active since February 2024 as an evolution of SparkCat, employing optical character recognition to focus on wallet seed phrases.
  • It indiscriminately exfiltrated every image from infected devices, capturing screenshots and gallery photos without user knowledge.
  • Kaspersky uncovered distribution through Google Play, the App Store, modded TikTok clones, enterprise provisioning profiles on iOS and malicious Xposed/LSPosed modules on Android.
  • Google confirmed that Google Play Protect now blocks SparkKitty by default and has banned the SOEX developer, while Apple has not yet issued a public statement.
  • Security experts recommend deleting unfamiliar apps, denying unnecessary storage permissions and storing wallet recovery phrases offline in secure locations.