If you keep screenshots of login credentials or cryptocurrency seed phrases—or any sensitive content, really—in your phone’s photo gallery, you should go through and remove them. A spyware campaign targeting images is spreading through apps found on the Apple App and Google Play stores as well as third-party sources.
Identified by Kaspersky and reported by Bleeping Computer, SparkKitty malware gains access to photo galleries on iOS and Android, allowing it to exfiltrate images or data contained within them, possibly with the goal of stealing victims’ crypto assets as well as other compromising information.
SparkKitty steals images and screenshots
If SparkKitty infects your iOS device, it requests permission to access your photo gallery, which, if granted, allows the program to monitor for and exfiltrate new images. On Android, SparkKitty requests storage permissions to access images so that it can upload them along with device identifiers and metadata. It may also use Google ML Kit’s optical character recognition (OCR) to specifically target images, such as screenshots, that contain text.
SparkKitty spreads through malicious apps that have been found (and subsequently removed) on the Apple App Store and Google Play Store. Kaspersky also discovered the malware in TikTok clones—distributed via unofficial platforms—that embed various fake apps, including cryptocurrency stores and gambling and casino apps.
SparkKitty may be an iteration of SparkCat, a photo-scanning malware that was first identified earlier this year but had likely been circulating for some time. While SparkCat specifically targeted crypto wallets using OCR to identify text keywords, SparkKitty appears to indiscriminately steal images from compromised galleries. Since some SparkKitty delivery vectors have been crypto-themed, Kaspersky researchers believe crypto theft is still the primary goal, though the possibility of other sensitive content being used maliciously—extortion, for example—remains.
What you need to do
iOS and Android users can take steps both to minimize or protect the sensitive data stored on their devices and to limit the risk of falling victim to spyware like SparkKitty in the first place.
First and foremost, don’t keep photos or screenshots of your crypto seed phrase, login credentials, or sensitive content of any kind in your photo gallery. Doing so puts your accounts at risk if your device is compromised in any way, whether by malware or physical theft. Regular logins can be locked in a password manager behind several layers of security. Your crypto seed phrase may be safest split into sections and stored offline.
You should also exercise caution when downloading apps to your device, whether from the Google Play and Apple App stores or unofficial sources. Unfortunately, you can’t trust everything you find even on vetted platforms. Look for red flags: Check the developer’s history and scrutinize reviews, especially if there are a lot of glowing reviews relative to the number of downloads. Be wary of requests to access your photo gallery, especially if those permissions aren’t related to the app’s functionality. In fact, you should pay close attention to permissions requested any time you install a new app—don’t just blindly allow them.
Finally, ensure Google Play Protect, which has live threat detection, is active on Android, and keep an eye out for warning signs of a malware infection on your device.
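One concrete way to act on the permissions advice above is to audit which installed apps can actually read your photos. The following is an added example, not code from the article or from Kaspersky: it parses the permission grants that `adb shell dumpsys package <pkg>` prints for an Android app and flags any app holding image-access permissions that its stated purpose does not justify. The sample dumpsys excerpts and package names are constructed, and the exact line format is assumed from the "runtime permissions" section of that command's output.

```python
import re

# Permissions that give an Android app access to images in the gallery.
# READ_EXTERNAL_STORAGE covers older API levels; READ_MEDIA_IMAGES is the scoped
# equivalent on Android 13+; the third is the user-selected-photos variant on 14+.
IMAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",
}

# Matches lines such as "    android.permission.X: granted=true, flags=[ USER_SET ]"
# as printed by `adb shell dumpsys package <pkg>` (assumed format).
_GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)")


def granted_image_permissions(dumpsys_text: str) -> list[str]:
    """Return the image-access permissions that dumpsys reports as granted."""
    found = set()
    for line in dumpsys_text.splitlines():
        m = _GRANT_RE.match(line)
        if m and m.group(2) == "true" and m.group(1) in IMAGE_PERMISSIONS:
            found.add(m.group(1))
    return sorted(found)


def flag_suspicious(package: str, dumpsys_text: str, expects_photos: bool) -> dict:
    """Flag a package that can read the gallery although its purpose does not call for it."""
    perms = granted_image_permissions(dumpsys_text)
    return {"package": package, "image_permissions": perms,
            "suspicious": bool(perms) and not expects_photos}


# Constructed sample: a casino-style app that was granted gallery access.
SAMPLE_CASINO_DUMP = """\
  runtime permissions:
    android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
    android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

# Constructed sample: an app that requested gallery access but was denied.
SAMPLE_FLASHLIGHT_DUMP = """\
  runtime permissions:
    android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, dump in [("com.example.casino", SAMPLE_CASINO_DUMP),
                      ("com.example.flashlight", SAMPLE_FLASHLIGHT_DUMP)]:
        print(flag_suspicious(pkg, dump, expects_photos=False))
```

On a real device, list third-party packages with `adb shell pm list packages -3` and feed each one's `dumpsys package` output to `flag_suspicious`, setting `expects_photos` to True only for apps whose function genuinely involves your photos.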
