Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Scientists from Kaspersky discovered a sophisticated new campaign of mobile Malware called “Sparkled“This has successfully infiltrated both Apple App Store and Google Play, specifically focused on Screenshots crypto wallet seed Saved in user galleries.
MalwareIt develops from the previously identified SPARKCAT campaign, uses optical character recognition technology (OCR) for scanning and exfiltrate images containing sensitive information about the crypt of iOS and Android.
The campaign, which is active since at least February 2024, focused primarily on users in Southeast Asia and China through infected applications masked as Mods Tiktok, Krypto portfolio trackers, gambling and adults that require access to photogallery under seemingly legitimate pretending.
These cyber criminals have successfully walked out official App Store security measures to deploy infected applications that seemed legitimate for automated screening and human reviewers.
Two important examples include the Soex Wallet Tracker, which masked as a portfolio management and has been withdrawn more than 5,000 times from Google Play, and Coin Wallet Pro, which was sold as a secure multi-chain wallet before promoting through social media and telegram channels.
How Sparkkitty’s Seed Phrase avoided iOS and Android detection
On iOS devices, malware usually disguised as modified versions of popular frames, such as AFnetworking or Alamofire, using the profile system to ensure the company’s business, which allows organizations to distribute internal applications without approval of the application with applications.
Although these company profiles are legitimate for company use, cyber criminals have provided the way to install unsigned applications that could bypass standard Apple security processes.
In fact, they go so far that they create modified versions of legitimate open source libraries that retain their original functionality and add harmful abilities.
Sparkkitty: Cute Name, Great Threat
New "Little brother" Sparkcat Malware is hidden in fake applications in the Google Play & App Store – exhibits all your photos, including sensitive screen images.
Protect yourself:Use encrypted storage
Scan #Kasperskypremium
Details:… pic.twitter.com/p3pergznp7– Kaspersky (@Kaspersky) June 23, 2025
For example, the damaged Afnetworking framework has maintained its original network capabilities, and at the same time secretly integrated the function of hiding photos through the hidden AfimaGedownload class, which was activated during the application of auto -loading C object.
This approach allowed malware to remain asleep until specific conditions, such as users of navigation to support the chat screens, where the requirements for access to photography seem natural and less suspicious.
On Android platforms, he used malware equally sophisticated distribution methods and put a malicious code directly into the input points of applications on the use of legitimate cryptocurrency topics to attract the target victims.
OCR technology changes photos to digital gold mine
The most dangerous feature of Sparkkitty is sophisticated optical character recognition technology, which automatically identifies and extracts crypto related information from photographic galleries without demanding that the attackers manually review them.
Unlike the previous mobile malware, which relied on the theft with bulk photo and manual analysis, Sparkkitty uses the integration of the Kit Google ML (Machine Learning) library to scan images for text formulas. Specifically, it searches for seed phrases, private keys and addresses that users commonly painted for backup purposes despite security recommendations against these practices.
As explained by Kaspersky, the implementation of OCR malware shows advanced patterns recognition capabilities. It automatically filters the text -based images and sends only those containing information about the cryptov site to command and control servers.
The system is looking for specific text blocks containing the minimum number of words and character requirements, effectively distinguishing between occasional photographs and potentially valuable financial information.
This targeted approach reduces data transfer requirements and at the same time maximizes the value of stolen information, which allows attackers to more efficiently process larger funds of victims.
Related campaigns discovered during Kaspersky’s investigation revealed even more sophisticated implementations, including versions focused on backup procedures by displaying false security warnings that users “back up the wallets in settings within 12 hours” or risk loss of access to their purses.
These social engineering It covers the victims by accessing their seed phrases, allowing you to capture the information availability directly, rather than relying only on the existing screen images.
Wider consequences exceed the individual theft to include systematic operations of crypto mining, as evidenced by related campaigns as Library Ghouls Apt Group that combines theft of credentials with unauthorized mining Monero on compromised devices.
A group of librarians Ghouls APT transformed Russian business computers into hidden crypts and stolen login data and private keys in sophisticated phishing campaigns focused on industrial enterprises.#Cryptohack …https://t.co/nslfte8bl6
– Cryptonews.com (@cryptonews) June 11, 2025
These double -purpose attacks are created by ongoing flows of income for cyber criminals who have stolen existing cryptometers and use computational sources of victims to benefit other digital assets. Thus, compromised devices become effectively becoming an infrastructure generating profit for a longer period of time.
Contribution Kaspersky warns the new crypto malware steals screenshots of seed phrases from iOS and Android He appeared for the first time Cryptonews.
