Thursday, March 5, 2026

SparkKitty Strikes – A Wild App Store and Google Play Invasion on iOS and Android!

A sophisticated new wave of spyware, dubbed the “SparkKitty” campaign by security researchers, has infiltrated both Apple’s App Store and Google Play, targeting unsuspecting crypto users while using a range of technical tricks to evade detection.

This campaign, linked to the notorious SparkCat operation, demonstrates the growing complexity of mobile threats and their ability to persist on official platforms and compromise devices worldwide.

Technical Sophistication: How SparkKitty Infiltrates Devices

Security analysts have traced SparkKitty’s presence in the wild since at least February 2024.

Its technical arsenal spans both platforms: on iOS, the malware is delivered as malicious frameworks masquerading as well-known libraries, such as AFNetworking.framework or Alamofire.framework, or as obfuscated libraries, such as libswiftDarwin.dylib.

These rogue frameworks can be embedded directly into seemingly legitimate apps, allowing the malware to bypass Apple’s stringent review process.

On Android, SparkKitty arrives through both Java- and Kotlin-based Trojans. The Kotlin variant often functions as a malicious Xposed module, hooking into the host app’s core functions and intercepting them.

To further enhance its stealth, SparkKitty employs sophisticated methods to retrieve encrypted configuration files from remote servers, decrypting them using AES-256 in ECB mode with either hardcoded or dynamically acquired keys.
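ECB mode encrypts every 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks, which is exactly the kind of structure an analyst can spot in an opaque configuration blob without having the key. The following added example (not code from the original article or from the researchers who analysed SparkKitty) shows that check: a duplicate-block counter run over a constructed config encrypted with a toy ECB and a toy counter mode. The block function is a keyed SHA-256 stand-in for AES, labelled as such in the code; the detector itself works unchanged on real AES-ECB output.

```python
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes; ECB leaks structure at this granularity


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function (NOT real AES): a keyed,
    deterministic mapping from a 16-byte input to a 16-byte output.
    The property the demo relies on is the same as AES's: same key and
    same input block always give the same output block."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each plaintext block is encrypted on its own."""
    padded = pkcs7_pad(data)
    return b"".join(toy_block_cipher(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def ctr_encrypt(key: bytes, data: bytes) -> bytes:
    """CTR: a per-position keystream block is XORed in, so equal
    plaintext blocks yield different ciphertext blocks."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = toy_block_cipher(key, (i // BLOCK).to_bytes(BLOCK, "big"))
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def ecb_score(blob: bytes) -> dict:
    """Count repeated 16-byte blocks in an opaque blob. In a blob of a few
    hundred bytes a repeat is practically impossible for a chained or
    counter-mode cipher, so any repeat points to ECB."""
    usable = len(blob) - len(blob) % BLOCK
    blocks = [blob[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    counts = Counter(blocks)
    duplicates = sum(c - 1 for c in counts.values())
    return {"blocks": len(blocks), "duplicate_blocks": duplicates,
            "likely_ecb": duplicates > 0}


# Constructed sample (not a real SparkKitty config): a blob with the kind
# of repetitive content (padding, repeated values) config files tend to have.
SAMPLE_KEY = hashlib.sha256(b"constructed-demo-key").digest()
SAMPLE_CONFIG = (b'{"endpoint": "https://c2.example.invalid/api", '
                 b'"note": "' + b"A" * 64 + b'", '
                 b'"endpoint2": "https://c2.example.invalid/api"}')


def demo() -> dict:
    """Score the same config encrypted in ECB and in CTR."""
    return {"ecb": ecb_score(ecb_encrypt(SAMPLE_KEY, SAMPLE_CONFIG)),
            "ctr": ecb_score(ctr_encrypt(SAMPLE_KEY, SAMPLE_CONFIG))}


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

The 64-byte run of padding characters in the sample guarantees at least three identical aligned blocks under ECB, so the ECB score reports duplicates while the CTR score reports none. When triaging a blob pulled from an app bundle or a network capture, a non-zero duplicate count is a strong hint that the file is ECB-encrypted and that a hardcoded key may be worth looking for in the binary.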

A particularly clever aspect of SparkKitty’s operation is its use of Objective-C’s class loading mechanism on iOS: by leveraging the special +load selector, malicious code can execute as soon as the infected app starts, without raising immediate suspicion.

Figure: iOS app download page

This payload checks app configuration files for specific keys and values, decrypting further instructions and command-and-control (C2) addresses as required.

The malware then establishes communication with these C2 servers, requesting permission to exfiltrate sensitive user data.

Gallery Grab & Crypto Targeting: The Core of SparkKitty

SparkKitty is designed to pilfer images and data from victims’ devices. On iOS, once proper credentials are received from the C2, the malware requests access to the photo gallery.

It monitors for new additions, uploading any fresh or previously unseen images to attacker-controlled servers using multipart/form-data POST requests.

Device identifiers, app details, and user data are bundled in these transmissions, providing attackers with rich context for their operations.
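The upload pattern just described, multipart/form-data POSTs carrying image parts together with device and app fields, is something a reviewer can look for in proxied traffic from a suspect app. The following added example (not code from the original article or from the SparkKitty research) is a small multipart parser plus a triage rule that flags image uploads to hosts outside an allowlist and reports the form fields that travel with them. The captured requests, host names and field names are all constructed for the demo and are not real indicators.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Part:
    name: str
    filename: Optional[str]
    content_type: str
    size: int


def parse_multipart(content_type: str, body: bytes) -> list:
    """Minimal multipart/form-data parser: one Part per body part
    (field name, filename if any, declared content type, payload size)."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delimiter = b"--" + m.group(1).encode("ascii")
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        disposition = headers.get("content-disposition", "")
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append(Part(name=name.group(1) if name else "",
                          filename=filename.group(1) if filename else None,
                          content_type=headers.get("content-type", "text/plain"),
                          size=len(data)))
    return parts


def triage(request: dict, allowed_hosts: set) -> dict:
    """Flag multipart POSTs that carry image parts to a host the app has no
    business uploading photos to, and list the accompanying fields so an
    analyst can see what context (identifiers, app details) travels along."""
    ct = request["headers"].get("content-type", "")
    result = {"host": request["host"], "suspicious": False,
              "image_parts": 0, "image_bytes": 0, "fields": []}
    if request["method"] != "POST" or not ct.lower().startswith("multipart/form-data"):
        return result
    parts = parse_multipart(ct, request["body"])
    images = [p for p in parts if p.content_type.lower().startswith("image/")]
    result["image_parts"] = len(images)
    result["image_bytes"] = sum(p.size for p in images)
    result["fields"] = [p.name for p in parts if p.filename is None]
    result["suspicious"] = bool(images) and request["host"] not in allowed_hosts
    return result


def build_body(boundary: str, parts: list) -> bytes:
    """Assemble a constructed multipart body for the sample captures."""
    out = b""
    for name, filename, ctype, data in parts:
        disp = f'form-data; name="{name}"' + (f'; filename="{filename}"' if filename else "")
        out += (f"--{boundary}\r\nContent-Disposition: {disp}\r\n"
                f"Content-Type: {ctype}\r\n\r\n").encode() + data + b"\r\n"
    return out + f"--{boundary}--\r\n".encode()


ALLOWED_HOSTS = {"upload.photos.example.test"}   # constructed allowlist for the app under review

CAPTURED = [  # constructed captures, not real traffic
    {"method": "POST", "host": "upload.photos.example.test",
     "headers": {"content-type": "multipart/form-data; boundary=b1"},
     "body": build_body("b1", [("photo", "IMG_0001.jpg", "image/jpeg",
                                b"\xff\xd8\xff" + b"\x00" * 40)])},
    {"method": "POST", "host": "c2.example.invalid",
     "headers": {"content-type": "multipart/form-data; boundary=b2"},
     "body": build_body("b2", [
         ("device", None, "text/plain", b"ios-17"),
         ("app", None, "text/plain", b"com.example.wallet"),
         ("img0", "1.jpg", "image/jpeg", b"\xff\xd8\xff" + b"\x01" * 30),
         ("img1", "2.png", "image/png", b"\x89PNG" + b"\x02" * 30)])},
    {"method": "GET", "host": "c2.example.invalid", "headers": {}, "body": b""},
]


def run() -> list:
    return [triage(r, ALLOWED_HOSTS) for r in CAPTURED]


if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

The allowlist is the key input: a photo-sharing app legitimately posts images to its own backend, so the rule only fires when image parts go somewhere the app's documented endpoints do not cover. The field names in the verdict are what an analyst then inspects by hand; the rule itself deliberately makes no assumption about which names the malware uses.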

On Android, similar tactics are at play. The malware scans storage for images, uses optical character recognition (OCR) to identify crypto-related content (such as wallet seed phrases), and uploads the results to its C2 servers.

Some versions are even embedded in legitimate-looking messaging and crypto exchange apps, which, alarmingly, had been installed by over 10,000 users from Google Play before being removed.

Ongoing Threat and User Advice

SparkKitty’s persistence on official app stores highlights a troubling trend: threat actors are finding ways to evade platform security and compromise users at scale.

Its cross-platform focus, use of advanced encryption, and ability to selectively exfiltrate sensitive images make SparkKitty a formidable adversary.

Users are urged to:

  • Download apps only from reputable sources.
  • Be wary of apps that request unnecessary permissions, especially access to photos or storage.
  • Monitor for app updates and security alerts, and uninstall any suspicious applications.
  • Report suspicious apps to Apple or Google.

Security products are now detecting this threat under the signatures:

  • HEUR:Trojan-Spy.AndroidOS.SparkKitty.*
  • HEUR:Trojan-Spy.IphoneOS.SparkKitty.*

Although SparkKitty primarily targets users in Southeast Asia and China, its technical capabilities are not region-locked, making it a potential risk for anyone with a smartphone.

Indicators of compromise

Infected Android apps

b4489cb4fac743246f29abf7f605dd15
e8b60bf5af2d5cc5c501b87d04b8a6c2
aa5ce6fed4f9d888cbf8d6d8d0cda07f
3734e845657c37ee849618e2b4476bf4
fa0e99bac48bc60aa0ae82bc0fd1698d
e9f7d9bc988e7569f999f0028b359720
a44cbed18dc5d7fff11406cc403224b9
2dc565c067e60a1a9656b9a5765db11d
