SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play


In January 2025, Kaspersky researchers uncovered the SparkCat spyware campaign, which was aimed at gaining access to victims’ crypto wallets. The threat actor distributed apps containing a malicious SDK/framework.

This component would wait for a user to open a specific screen (typically a support chat), then request access to the device’s gallery. It would then use an OCR model to select and exfiltrate images of interest. Although SparkCat was capable of searching for any text within images, that campaign specifically targeted photos containing seed phrases for crypto wallets. The malware was distributed through unofficial sources as well as Google Play and App Store. Now, Kaspersky once again come across a new type of spyware that has managed to infiltrate the official app stores. The Researchers believe it is connected to SparkCat and also targets the cryptocurrency assets of its victims.

Read more…
Source: Kaspersky


Sign up for our Newsletter
The latest news and insights delivered right to your inbox.


Related:

  • Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

    January 2, 2018

    A fundamental design flaw in Intel’s processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug. Programmers are scrambling to overhaul the open-source Linux kernel’s virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch ...

  • MacOS LPE Exploit Gives Attackers Root Access

    January 2, 2018

    A researcher that goes by the handle “Siguza” released details of a local privilege escalation attack against macOS that dates back to 2002. A successful attack could give adversaries complete root access to targeted systems. Siguza released details of the attack on Dec. 31 via Twitter, wishing followers a “Happy New Year” and linked to a ...

  • Triton Malware Targets Industrial Control Systems in Middle East

    December 15, 2017

    Researchers found malware called Triton on the industrial control systems of a company located in the Middle East. Attackers planted Triton, also called Trisis, with the intent of carrying out a “high-impact attack” against an unnamed company with the goal of causing physical damage, researchers said. FireEye’s Mandiant threat research team revealed the existence of the malware ...

  • 19-Year-Old TLS Vulnerability Weakens Modern Website Crypto

    December 13, 2017

    A vulnerability called ROBOT, first identified in 1998, has resurfaced. Impacted are leading websites ranging from Facebook to Paypal, which are vulnerable to attackers that could decrypt encrypted data and sign communications using the sites’ own private encryption key. The vulnerability is found in the transport layer security protocol used for Web encryption. A successful attack could ...

  • Why bother cracking PCs? Spot o’ malware on PLCs… Done. Industrial control network pwned

    December 12, 2017

    Security researchers have demonstrated a new technique for hacking air-gapped industrial control system networks, and hope their work will encourage the development of more robust defences for SCADA-based systems. Air-gapped industrial networks are thought to be difficult if not impossible to hack partly because they are isolated from the internet and corporate IT networks. However, in ...

  • Process Doppelgänging: New Malware Evasion Technique Works On All Windows Versions

    December 7, 2017

    A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools. Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of Windows process loader. Ensilo security researchers Tal Liberman and Eugene Kogan, who ...