New Threat Alert – SparkKitty Malware Targets iOS and Android Users to Steal Photos from Galleries

A newly discovered Trojan malware, SparkKitty, is raising alarms across the cybersecurity community after infiltrating official app stores and untrusted websites to compromise both iOS and Android devices.

Active since early 2024, SparkKitty indiscriminately steals users’ gallery photos, posing a massive threat to personal privacy, particularly for those storing cryptocurrency seed phrases or sensitive documents as images on their devices.

Technical Underpinnings: How SparkKitty Operates

SparkKitty exemplifies a sophisticated evolution in mobile malware. It is built for both platforms: Android variants are written in Java and Kotlin, while the iOS component is written in Objective-C.

On Android, the infection chain begins with malware-laced apps such as SOEX, a messaging and cryptocurrency trading app that passed Google Play Store vetting and reached more than 10,000 downloads before it was removed.

The malware may deploy malicious Xposed modules, allowing it to inject hostile code into otherwise trusted applications.

iOS users are similarly at risk. SparkKitty exploits Apple’s enterprise provisioning profiles, a developer feature meant for internal app distribution, to sideload malicious software outside the typical App Store review process.

The malware masquerades as legitimate frameworks, such as AFNetworking, and activates itself using Objective-C’s automatic class loading.

Before running, it checks for specific keys in the host app's Info.plist file, so the payload executes only in the applications it was built to target.

Upon activation, SparkKitty Base64-decodes an embedded string and decrypts it with AES-256 in ECB mode to recover its configuration. It then scans the device's gallery and uploads every accessible image to its command-and-control (C2) servers through endpoints such as /api/putImages.

This is a stark departure from the SparkCat campaign, which previously targeted photos selectively using OCR.

SparkKitty, by comparison, exfiltrates all gallery images, dramatically increasing the risk of exposing wallet seed phrases, IDs, or confidential documents.
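The two observable traits above, a fixed upload endpoint and an indiscriminate bulk upload of gallery images, can both be hunted for in outbound proxy logs. The following is an added detection example written for this article, not code from the report or from any vendor; it assumes a simplified, constructed log format (timestamp, client, method, host, path, content type) and uses the /api/putImages path named above as its only known indicator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (assumed format: ts client method host path content-type)
SAMPLE_LOG = """\
2024-05-02T10:00:01 10.0.0.7 POST 203.0.113.10 /api/putImages image/jpeg
2024-05-02T10:00:02 10.0.0.7 POST 203.0.113.10 /api/putImages image/jpeg
2024-05-02T10:00:03 10.0.0.7 POST 203.0.113.10 /api/putImages image/png
2024-05-02T10:00:05 10.0.0.8 GET cdn.example.com /static/logo.png image/png
2024-05-02T10:01:00 10.0.0.9 POST photos.example.com /upload image/jpeg
2024-05-02T10:01:01 10.0.0.9 POST photos.example.com /upload image/jpeg
2024-05-02T10:01:02 10.0.0.9 POST photos.example.com /upload image/jpeg
2024-05-02T10:01:03 10.0.0.9 POST photos.example.com /upload image/jpeg
2024-05-02T10:30:00 10.0.0.8 POST photos.example.com /upload image/jpeg
"""
C2_PATHS = {"/api/putImages"}  # upload endpoint named in the SparkKitty report
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Parse one line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, host, path, ctype = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "path": path, "ctype": ctype}

def detect(log_text, burst_count=4, window=timedelta(seconds=60)):
    """Return (path_hits, burst_hits): path_hits are (client, host) pairs that posted
    images to a known C2 path; burst_hits are pairs with >= burst_count image POSTs
    inside `window`, the bulk-upload pattern of whole-gallery exfiltration."""
    path_hits, uploads = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["ctype"].startswith("image/"):
            continue  # only image uploads matter for this detection
        key = (rec["client"], rec["host"])
        uploads[key].append(rec["ts"])
        if rec["path"] in C2_PATHS and key not in path_hits:
            path_hits.append(key)
    burst_hits = []
    for key, times in uploads.items():
        times.sort()
        # sliding window over the sorted timestamps of this client/host pair
        for i in range(len(times) - burst_count + 1):
            if times[i + burst_count - 1] - times[i] <= window:
                burst_hits.append(key)
                break
    return path_hits, burst_hits
```

The burst rule will also fire on legitimate photo-backup clients, so in practice pair it with an allowlist of known backup hosts and treat the path indicator as the higher-confidence signal.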

Widespread Impact and Stealthy Distribution

SparkKitty demonstrates exceptional stealth. It maintains a local database to track already-stolen images and monitors for new additions, ensuring continuous theft.

Its infrastructure is robust, utilizing cloud services such as AWS S3 and Alibaba OSS for resilient payload delivery and data exfiltration.

The malware’s presence in seemingly innocuous apps spanning cryptocurrency, gambling, and even trojanized TikTok mods reveals a calculated focus on high-risk verticals.

While the primary victims are users in Southeast Asia and China, SparkKitty’s technical design imposes no geographic limits.

Stay Protected: Vigilance is Key

Given SparkKitty’s ability to breach even official app stores, users should avoid saving sensitive information as screenshots in their phone galleries.

Always verify app sources, scrutinize permissions requested, and avoid sideloading or using untrusted enterprise provisioning profiles. As SparkKitty proves, the mobile threat landscape is evolving rapidly, and only heightened caution can keep your data safe.

IOCs

PolySwarm has multiple samples of SparkKitty.

21879ce5a61e47e5c968004d4eebd24505e29056139cebc3fe1c5dd80c6f184f

381570757ecd56c99434ff799b90c2513227035c98d2b9602ae0bb8d210cac4c

1d2e41beb37e9502d1b81775a53a6e498842daed93fe19cdcd4cbd2a7228d12d

Priya
