A sophisticated Trojan known as SparkKitty has been actively targeting iOS and Android devices since early 2024, infiltrating both official app stores and untrusted websites to steal images from users’ device galleries. The campaign, which appears to be an evolution of the earlier SparkCat operation, poses a significant threat to users primarily in Southeast Asia and China by indiscriminately exfiltrating personal photos, with a suspected focus on capturing cryptocurrency wallet seed phrases and other sensitive visual data.

Unlike its predecessor, SparkCat, which used optical character recognition (OCR) to select specific images, SparkKitty takes a more aggressive approach and exfiltrates every accessible photo from the device gallery. This comprehensive theft strategy significantly increases the likelihood of capturing sensitive information, including cryptocurrency wallet seed phrases, personal identification documents, and financial records.

The malware has been discovered embedded in applications available on the Google Play Store and Apple’s App Store, including 币coin (a cryptocurrency tracker) and SOEX (a messaging platform with cryptocurrency trading features). It has also been found in apps related to cryptocurrency, gambling, and adult entertainment, including trojanized TikTok modifications, suggesting deliberate targeting of high-risk application verticals where users are more likely to store sensitive visual information.

SparkKitty has demonstrated remarkable sophistication in its distribution methods, successfully bypassing app store vetting processes to reach users through seemingly legitimate channels. On iOS devices, SparkKitty exploits enterprise provisioning profiles, which are designed for corporate app distribution but can be abused to sideload malicious applications outside Apple’s standard review process. This technique allows the malware to circumvent traditional security measures and reach users whom Apple’s curated app ecosystem might otherwise protect. The malware also incorporates verification checks to ensure it executes only in its intended environments, examining the app’s Info.plist file for specific configuration keys before proceeding with its malicious activities. SparkKitty’s Android variants are written in Java and Kotlin, and some versions leverage malicious Xposed modules to inject code into trusted applications.

The emergence of SparkKitty represents a significant escalation in mobile malware sophistication, demonstrating how threat actors can successfully infiltrate trusted app distribution channels. The malware’s ability to bypass both Google Play and App Store security measures underscores the critical need for enhanced mobile security awareness and protective measures. Users should exercise extreme caution when downloading applications, particularly those related to cryptocurrency or financial services, and avoid storing sensitive screenshots in their device galleries.
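The distribution and gallery-access indicators described above (an iOS build shipped under an enterprise provisioning profile, an app declaring photo-library access in its Info.plist, and an Android package declaring itself an Xposed module) can be checked statically during app triage. The following is an added example written for this page; it is not code from the article or from the researchers who analysed SparkKitty. The plist and manifest keys it inspects (ProvisionsAllDevices, NSPhotoLibraryUsageDescription, the xposedmodule meta-data entry) are real platform keys; the sample files and all values in them are constructed. It assumes the CMS signature wrapper has already been stripped from embedded.mobileprovision and that the AndroidManifest.xml has already been decoded from binary XML with a tool such as apktool. The specific Info.plist keys SparkKitty itself checks are not named in the article and are not guessed here.

```python
"""Static triage for the SparkKitty-style indicators named in the article.
Added example, not code from the article or the researchers."""
import plistlib
import xml.etree.ElementTree as ET
from typing import List, Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed Info.plist. NSPhotoLibraryUsageDescription is the real key an app
# must declare before it can read the photo library; every value here is invented.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.walletwatch</string>
  <key>NSPhotoLibraryUsageDescription</key><string>Used for profile pictures</string>
</dict></plist>"""

# Constructed plist payload of an embedded.mobileprovision. A real file is a
# CMS-signed blob; assumption: the signed wrapper has already been removed.
# ProvisionsAllDevices=true distinguishes an enterprise (in-house) profile
# from App Store and ad-hoc profiles.
SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example In-House Distribution</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>TeamName</key><string>Example Corp</string>
</dict></plist>"""

# Constructed AndroidManifest.xml in decoded (apktool-style) form. The
# xposedmodule meta-data entry is how Xposed modules announce themselves.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.mod">
  <application>
    <meta-data android:name="xposedmodule" android:value="true"/>
    <meta-data android:name="xposedminversion" android:value="53"/>
  </application>
</manifest>"""


def profile_is_enterprise(profile_plist: bytes) -> bool:
    """True when the provisioning profile allows installation on any device."""
    return bool(plistlib.loads(profile_plist).get("ProvisionsAllDevices", False))


def requests_photo_library(info_plist: bytes) -> bool:
    """True when the app declares read access to the photo library."""
    return "NSPhotoLibraryUsageDescription" in plistlib.loads(info_plist)


def triage_ios(info_plist: bytes, profile_plist: Optional[bytes]) -> List[str]:
    """Return the indicator names present in an iOS build (profile may be absent)."""
    findings = []
    if profile_plist is not None and profile_is_enterprise(profile_plist):
        findings.append("enterprise-profile")
    if requests_photo_library(info_plist):
        findings.append("photo-library-access")
    # Both together match the sideloaded, gallery-reading pattern described above.
    if len(findings) == 2:
        findings.append("sideloaded-gallery-reader")
    return findings


def declares_xposed_module(manifest_xml: bytes) -> bool:
    """True when the manifest carries <meta-data android:name="xposedmodule" android:value="true"/>."""
    root = ET.fromstring(manifest_xml)
    for md in root.iter("meta-data"):
        if (md.get(ANDROID_NS + "name") == "xposedmodule"
                and str(md.get(ANDROID_NS + "value", "")).lower() == "true"):
            return True
    return False


if __name__ == "__main__":
    print("iOS findings:", triage_ios(SAMPLE_INFO_PLIST, SAMPLE_PROFILE_PLIST))
    print("Android Xposed module:", declares_xposed_module(SAMPLE_MANIFEST))
```

An enterprise profile or a photo-library permission is legitimate on its own; the combination on a build that did not come from the App Store is what deserves a closer look, which is why the script only escalates to `sideloaded-gallery-reader` when both are present.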
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 09 Jul 2025 10:55:20 +0000