
SparkKitty Malware Infects iOS and Android Devices Through App Store and Google Play


A newly discovered mobile malware threat, dubbed “SparkKitty,” has infiltrated both iOS and Android ecosystems through official channels, including Apple’s App Store and Google Play.

This campaign, which shares technical links to the previously exposed SparkCat spyware, is primarily aimed at exfiltrating sensitive images, particularly those containing seed phrases and credentials for cryptocurrency wallets.

It leverages malicious SDKs, frameworks disguised as legitimate libraries, and exploits Apple’s enterprise provisioning system to facilitate large-scale distribution and persistent infection.

Infection Chain

SparkKitty’s infection chain is multifaceted. On Android, both Java and Kotlin variants exist, with the latter utilizing malicious Xposed modules for code injection into trusted applications.

Distribution occurs via both official app marketplaces and third-party download sites that often promote modified versions of popular apps, like TikTok or crypto trading tools, embedding the malware directly into the app binary rather than relying on external SDKs.

Suspicious store opened inside a TikTok app

On iOS, attackers use modified frameworks that masquerade as widely used networking libraries such as AFNetworking.framework and Alamofire.framework, or as obfuscated dynamic libraries like libswiftDarwin.dylib.

These malicious libraries are integrated within app bundles. Some variants rely on Apple enterprise provisioning profiles, enabling attackers to circumvent App Store security and mass-deploy malicious apps outside of the official review process.

Once installed, these profiles grant the app additional entitlements, often invisible to users, such as access to the device photo gallery, an action highly unusual for legitimate apps like TikTok.

Profile installation flow

Upon execution, the infected app determines activation criteria by checking configuration values in the app’s Info.plist.

If the criteria match, it decrypts its C2 configuration and contacts the remote command-and-control (C2) infrastructure, protecting the exchange with AES-256 encryption.

The malware fetches further instructions and C2 endpoints, then requests permission from its C2 server before scraping and uploading images from the device.

Stealth mechanisms include only uploading newly added photos or selectively exfiltrating files based on content detected via on-device OCR, increasing the odds of capturing wallet backups and private keys. Device and app metadata also accompany every transmission for victim profiling.
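The iOS indicators described above (cloned framework names, known-bad library hashes, and photo-library access requested by apps that should not need it) can be checked offline against an extracted .ipa. The script below is an added example written for this article, not code from the original report or from any vendor; it assumes the 32-hex-digit hashes in the IOC table are MD5 values and builds a constructed in-memory bundle so it runs without a real sample.

```python
import hashlib
import io
import plistlib
import zipfile

# Hashes copied from the article's IOC table (malicious iOS frameworks and
# obfuscated libraries); treated as MD5 because they are 32 hex digits (assumption).
KNOWN_BAD_MD5 = {
    "8c9a93e829cba8c4607a7265e6988646", "b3085cd623b57fd6561e964d6fd73413",
    "0b7891114d3b322ee863e4eef94d8523", "0d09c4f956bb734586cee85887ed5407",
}
# Library names the campaign masquerades as; a name hit means "review", not "malicious".
SUSPECT_NAMES = {"AFNetworking", "Alamofire", "libswiftDarwin.dylib"}


def triage_ipa(ipa_bytes: bytes) -> dict:
    """Hash embedded libraries, flag suspicious names, note photo-library access."""
    findings = {"hash_matches": [], "suspect_names": [], "photo_access": False}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) < 3 or parts[0] != "Payload" or not parts[1].endswith(".app"):
                continue  # only inspect Payload/<App>.app/...
            if len(parts) == 3 and parts[2] == "Info.plist":
                info = plistlib.loads(zf.read(name))
                # Photo-library access must be declared with this key; unusual for a TikTok clone.
                findings["photo_access"] = "NSPhotoLibraryUsageDescription" in info
            elif "Frameworks" in parts and not name.endswith("/"):
                if hashlib.md5(zf.read(name)).hexdigest() in KNOWN_BAD_MD5:
                    findings["hash_matches"].append(name)
                # Strip ".framework" (10 chars) so both the bundle dir and its binary are matched.
                stems = (p[:-10] if p.endswith(".framework") else p for p in parts[3:])
                if any(s in SUSPECT_NAMES for s in stems):
                    findings["suspect_names"].append(name)
    return findings


def build_sample_ipa() -> bytes:
    """Constructed in-memory bundle for demonstration; not a real SparkKitty sample."""
    info = {"CFBundleIdentifier": "com.example.constructed",
            "NSPhotoLibraryUsageDescription": "Used to save clips"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
        zf.writestr("Payload/Demo.app/Frameworks/libswiftDarwin.dylib", b"constructed dylib")
        zf.writestr("Payload/Demo.app/Frameworks/Alamofire.framework/Alamofire", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    import json, sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ipa()
    print(json.dumps(triage_ipa(data), indent=2))
```

A hash match is a confirmed indicator; a name hit only says the library deserves comparison against the genuine AFNetworking/Alamofire release binaries.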

The campaign has been active since at least February 2024, with evidence of cross-platform toolchains and a surge in crypto-themed malicious apps.

Notably, SparkKitty has repeatedly bypassed marketplace vetting, with some samples accumulating thousands of installs before takedown.

The malware’s infrastructure is highly adaptive, using multiple redundant cloud storage links (AWS S3, Alibaba OSS, etc.) for payload delivery and C2 configuration.

According to the report, most victims are in Southeast Asia and China, with a focus on users drawn into crypto trading, gambling, or scam-related apps.

While SparkKitty is technically distinct from SparkCat, overlapping codebases, infrastructure, and operational artifacts strongly suggest a shared threat actor intent on monetizing stolen crypto credentials.

The attackers leverage aggressive tactics, including social engineering, fake online stores, social media ads, and progressive web apps (PWAs) to spread malware, maximizing reach across both sideloaded and official app channels.

Ongoing Response

Both Google and Apple have removed identified SparkKitty-infected apps from their stores following notification, but the campaign’s modular infrastructure means new variants can quickly emerge. Security experts advise users to:

  • Avoid installing apps from unverified sources or those requesting unnecessary permissions (particularly photo gallery access).
  • Treat requests for enterprise certificate profile installation with skepticism.
  • Monitor devices for unusual battery or data usage, which may indicate background exfiltration activity.
  • Employ reputable mobile security solutions capable of heuristic and behavioral detection.

Given SparkKitty’s capability to bypass mainstream app vetting and its clear targeting of financial assets, it constitutes a high-severity risk, especially for users involved in cryptocurrency activities.

Indicators of Compromise (IOC)

Type: Indicator/Description
Android hashes: b4489cb4fac743246f29abf7f605dd15, e8b60bf5af2d5cc5c501b87d04b8a6c2, … (see full list above)
iOS hashes: 21ef7a14fee3f64576f5780a637c57d1, 6d39cd8421591fbb0cc2a0bce4d0357d, … (see full list above)
Malicious iOS frameworks: 8c9a93e829cba8c4607a7265e6988646, b3085cd623b57fd6561e964d6fd73413, …
Obfuscated iOS libraries: 0b7891114d3b322ee863e4eef94d8523, 0d09c4f956bb734586cee85887ed5407, …
Infected download URLs: hxxps://lt.laoqianf14[.]top/KJnn, hxxps://lt.laoqianf15[.]top/KJnn, …
Trojan distribution domains: hxxps://accgngrid[.]com, hxxps://byteepic[.]vip
C2 IPs/Domains: 23.249.28[.]88, 120.79.8[.]107, api.fxsdk.com, …
Payload/config URLs: hxxp://120.78.239[.]17:10011/req.txt, hxxps://sdk-data-re.oss-accelerate.aliyuncs[.]com/…, …
Local file paths: /sdcard/aray/cache/devices/.DEVICES
