Full Report
A new mobile crypto-stealing malware called SparkKitty was found in apps on Google Play and the Apple App Store, targeting Android and iOS devices. [...]
Analysis Summary
# Tool/Technique: Mobile Application Malware Targeting Photo and Crypto Data
## Overview
This summary details malware discovered distributing via the official Google Play Store and Apple App Store that specifically targeted user photos and cryptocurrency wallet seed phrases stored on mobile devices. The finding highlights that official app stores are not immune to hosting malicious applications.
## Technical Details
- Type: Mobile malware family; the full report names it SparkKitty (a crypto-stealer targeting photos). This summary otherwise refers to it generically based on impact.
- Platform: Android (Google Play), iOS (Apple App Store)
- Capabilities: Exfiltration of photos, harvesting of cryptocurrency wallet seed phrases.
- First Seen: Not stated in the source; described as newly discovered and reported.
## MITRE ATT&CK Mapping
- Note: The ATT&CK IDs below are inferred from the described actions; the source provides no mapping of its own.
- T1083 - File and Directory Discovery (locating photos in device storage)
- T1560 - Archive Collected Data
- T1560.001 - Archive Collected Data: Archive via Utility (likely used to package stolen data)
- T1041 - Exfiltration Over C2 Channel (implied method of sending stolen data)
## Functionality
### Core Capabilities
- Bypassing app store vetting processes to reach general users.
- Requesting and gaining access to the user's photo gallery/storage.
- Stealing sensitive user data, including photos.
### Advanced Features
- Targeting highly sensitive cryptocurrency recovery information (wallet seed phrases stored as images).
- Presence on both Android and iOS, reaching victims through each platform's official distribution channel.
## Indicators of Compromise
- File Hashes: Not provided.
- File Names: Not provided (The indicators are the specific applications distributed).
- Registry Keys: Not applicable (Mobile OS context).
- Network Indicators: Not explicitly provided for C2 communication.
- Behavioral Indicators: Applications requesting excessive permissions, particularly storage/gallery access unrelated to core functionality. Fake reviews, low download counts coupled with high positive ratings, and suspicious publisher histories.
## Associated Threat Actors
- Undetermined. The context implies financially motivated actors focused on harvesting cryptocurrency assets stored insecurely by users.
## Detection Methods
- Signature-based detection: Ineffective initially, as apps bypassed checks. Google Play Protect reported automatic protection for Android users post-discovery.
- Behavioral detection: Monitoring for applications requesting gallery access when not functionally required (e.g., a simple utility demanding full photo access).
- YARA rules: Not available based on context.
## Mitigation Strategies
- **For Users (General):** Do not blindly trust applications on official stores; scrutinize apps for red flags (fake reviews, doubtful publishers, suspicious functionality).
- **For Users (Permissions):** Deny requests for storage/gallery access if they are not strictly necessary for the app's core function.
- **For Users (iOS):** Avoid installing configuration profiles or certificates unless from a verified, trusted source.
- **For Users (Android):** Ensure Google Play Protect is enabled and run regular full-device scans.
- **For Crypto Holders:** Store cryptocurrency wallet seed phrases **offline** securely instead of storing images of them on mobile devices.
- **Platform Response:** Google has removed the reported application and banned the developer.
## Related Tools/Techniques
- Vetting bypass techniques used by mobile malware authors to get malicious apps listed on official stores.
- Mobile Stealer families.