A new, highly sophisticated mobile malware strain called SparkKitty has been actively targeting cryptocurrency users since February 2024. Now, the malware has invaded Windows as well as macOS networks. It uses a new and destructive Android malware variant that targets and steals crypto wallet credentials and other PII. Cybercriminals are employing increasingly sophisticated social engineering tactics to deceive victims, even posing as AI and Web3 startups to entice users into downloading malicious software. The scheme, which went undetected for six months, led to the theft of 9.3 Bitcoin valued at almost $1 million.
SparkKitty showcases advanced methods, such as the use of tools from the Realst and Atomic Stealer malware families. On Windows, it uses Electron-based applications to profile the target's systems, download malformed files through staged pipelines, and execute them stealthily. The malware has slipped past security checks in both the Google Play Store and Apple's App Store to reach victims' devices. Once installed, SparkKitty can immediately read seed phrases saved in the user's photo library, using Optical Character Recognition (OCR) to scan screenshots of wallet credentials on infected devices.
SparkKitty's Modus Operandi
Given that SparkKitty is an evolution of the previous SparkCat campaign, it is a clear example of how cybercriminals refine their tactics over time. The malware has been paired with other lures, such as sham blockchain games like "Eternal Decay", to draw in more victims. Eternal Decay relied on all sorts of underhanded tricks, including modified photographs that misleadingly advertised attendance at industry conferences and a list of non-existent investors to suggest it had actually raised money.
First gameplay images of Eternal Decay, stolen from Zombie Within.
In light of the theft, it becomes clear just how deep the deception runs.
The deployment of phony blockchain games is a central tactic of the SparkKitty campaign. By creating seemingly legitimate opportunities for users to engage with blockchain technology, cybercriminals can trick individuals into downloading and installing the malware. These fraudulent games typically lure players with the promise of in-game rewards or early access, targeting users looking to get into the crypto ecosystem.
"They’re building out fake companies with all the digital trimmings — even fake merchandise stores and doctored company registrations — just to get users to download malware." - Darktrace researcher
The scammers have developed elaborate sham businesses. To obscure their true intentions, they craft malicious digital storefronts and create legitimate-looking company registrations that entice users into downloading their malware. This level of detail creates a climate in which even experienced participants find it hard to tell promising opportunities from dangerous traps.
Rise in Crypto Phishing and Mobile Banking Trojan Attacks
The emergence of SparkKitty comes on the heels of an alarmingly high increase in crypto phishing detections and mobile banking Trojan attacks. Crypto phishing detections are up an average of 83.4% year-over-year. This steep jump underscores a growing trend of bad actors using crypto-centric scams and schemes to rip people off. Mobile banking Trojan attack volume has increased by a substantial 3.6x compared with earlier figures.
These statistics further highlight the growing sophistication and prevalence of cyber threats aimed at the crypto space. As more people and commercial enterprises adopt and use cryptocurrencies, cybercriminals have been changing their playbooks to exploit vulnerabilities and pilfer digital assets. Phishing and Trojan attacks have increased dramatically over the past few years, which underscores the need for greater scrutiny and strong security protections when using crypto.
"This is one of the more elaborate and persistent social engineering campaigns we’ve seen targeting the crypto space." - Darktrace researcher
These campaigns are extraordinarily complex and extremely persistent. Together, they illustrate how far cybercriminals are willing to go to compromise crypto assets. Consumers need to be on guard and watch out for phishing scams when dealing with new websites, apps or people in the crypto world.
Defending Against SparkKitty and Similar Threats
Protecting against SparkKitty and similar threats requires a multi-pronged approach that combines user education, strong security measures and proactive monitoring. Educate users about the dangers of downloading and installing software from unknown origins, and highlight the need for continued vigilance in verifying the legitimacy of websites and apps. Never store sensitive information such as seed phrases in photo galleries, and avoid keeping sensitive data in easily accessible locations on mobile devices.
Never reuse passwords; always use strong, unique passwords across all your online accounts, and enable two-factor authentication (2FA) wherever it is available. Consistently applied software updates are equally important in closing the vulnerabilities that cybercriminals turn into entry points for attacks. Users should also make diligent use of trusted antivirus and anti-malware programs, which make it easier to identify and remove malicious software from their devices.
"Threat actors are going to great lengths to make these fake startups look real." - Darktrace
Proactive monitoring can be as simple as regularly checking for suspicious activity in any crypto wallet or bank account. Finally, users need to be on the lookout for phishing emails, texts, or phone calls that attempt to steal personal information or gain access to their accounts. By following these recommendations, users can greatly reduce their chances of becoming a victim of SparkKitty and other crypto-related scams.