A sophisticated mobile malware campaign known as SparkKitty has been actively compromising iOS and Android devices since early 2024, stealing images from device galleries to capture cryptocurrency wallet seed phrases and other sensitive information.
The malware has successfully infiltrated official app stores including Google Play and the App Store, targeting users primarily in Southeast Asia and China through apps related to cryptocurrency trading, gambling, and adult entertainment.
Unlike its predecessor SparkCat, SparkKitty indiscriminately exfiltrates all accessible photos rather than selectively targeting specific images, significantly expanding the scope of potential data theft.
The implementation differs by platform, but the objective is the same on iOS and Android: read the photo library and upload its contents to the operators.
On iOS, the payload starts from a +[AFImageDownloader load] method, typically inside a framework posing as the legitimate AFNetworking library. The Objective-C runtime calls every class's +load as soon as the binary containing that class is loaded, before the app's main() runs, so the code executes on every launch without any call from the host app's own code and without user interaction.
Before doing anything else, the payload checks for specific keys in the host app's Info.plist and stops if they are missing, a guard that keeps it from running in apps or environments its operators did not intend (and one an analyst has to satisfy when running the framework in a harness).
Key technical features include:
- Platform-specific implementations: the iOS variants are written in Objective-C, the Android variants in Java and Kotlin.
- Launch-time activation: the payload runs as soon as the host app starts; on iOS this is the Objective-C +load hook described above, not a system-level hook.
- Encrypted configuration: the configuration is Base64-encoded and AES-256 encrypted in ECB mode. ECB is the weakest AES mode (identical plaintext blocks produce identical ciphertext blocks), so this is obfuscation rather than real protection, and a useful fingerprint when triaging samples.
- Gallery monitoring: the malware watches the photo library for changes and uploads new images as they appear.
- Upload bookkeeping: a local database records which images have already been sent, so nothing is uploaded twice.
Once running, SparkKitty Base64-decodes its configuration, decrypts it with AES-256 in ECB mode, and then enumerates the device's photo library.
The images are uploaded to the command-and-control server through its /api/putImages endpoint. That fixed path is a usable network indicator in HTTP proxy or egress logs, and the collected uploads give the operators a searchable store of whatever users kept in their galleries.
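As an added example (not code from the article, from Kaspersky's research, or from the malware itself), the following Python helper does the analyst-side triage for a configuration blob of this shape: it Base64-decodes the blob, checks whether the result is 16-byte block-aligned, and counts repeated ciphertext blocks, which is the ECB fingerprint. Decryption needs the 32-byte key recovered from the sample, which the article does not describe, so that step is a separate function that depends on the third-party cryptography package and a hypothetical key. The sample blob is constructed here to contain a repeated block; it is not SparkKitty data.

```python
"""Triage a Base64-wrapped AES-256-ECB configuration blob (added example)."""
import base64
from collections import Counter

BLOCK = 16  # AES block size in bytes, regardless of key size


def b64_decode_lenient(text: str) -> bytes:
    """Decode standard or URL-safe Base64, tolerating whitespace and stripped '=' padding."""
    s = "".join(text.split()).replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def ecb_profile(ct: bytes) -> dict:
    """Fingerprint a ciphertext without the key.

    ECB encrypts each 16-byte block independently, so identical plaintext
    blocks give identical ciphertext blocks. A block-aligned blob with any
    repeated block is therefore very likely ECB; CBC, CTR or GCM output
    with a fresh IV would not show that structure.
    """
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    counts = Counter(blocks)
    repeated = sum(n - 1 for n in counts.values() if n > 1)
    aligned = len(ct) > 0 and len(ct) % BLOCK == 0
    return {
        "length": len(ct),
        "block_aligned": aligned,
        "blocks": len(blocks),
        "repeated_blocks": repeated,
        "likely_ecb": aligned and repeated > 0,
    }


def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS#7 padding, rejecting malformed padding instead of guessing."""
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext is not block aligned")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding (wrong key, or not PKCS#7)")
    return data[:-n]


def decrypt_config(b64_text: str, key: bytes) -> bytes:
    """Base64-decode, then AES-256-ECB decrypt with a key recovered from the sample.

    The key is an analyst input (hypothetical here; the article does not say
    where the malware keeps it). Requires the 'cryptography' package, which is
    not part of the standard library.
    """
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if len(key) != 32:
        raise ValueError("AES-256 requires a 32-byte key")
    ct = b64_decode_lenient(b64_text)
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    return pkcs7_unpad(dec.update(ct) + dec.finalize())


# Constructed sample, not SparkKitty data: four blocks, with the first one repeated.
SAMPLE_CT = bytes(range(16)) + bytes(range(16, 32)) + bytes(range(16)) + bytes(16)
SAMPLE_B64 = base64.b64encode(SAMPLE_CT).decode().rstrip("=")  # padding stripped on purpose

if __name__ == "__main__":
    print(ecb_profile(b64_decode_lenient(SAMPLE_B64)))
```

A real blob that comes back block-aligned with repeated blocks is worth a try with every candidate key string found in the binary; a blob that is not block-aligned is either not AES at all or carries extra framing (an IV or length prefix) that must be stripped first.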
Android variants follow the same pattern in Java and Kotlin, and some builds are packaged as malicious Xposed modules that hook into other installed applications on devices where the Xposed framework is present.
A local database records which images have already been uploaded, and the malware keeps watching the gallery for changes.
As a result, a screenshot of a seed phrase or a financial document taken after infection is uploaded soon after it is saved, not only at the next app launch.
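The fixed upload path gives defenders something to alert on. The following detector is an added example, not part of the article or of Kaspersky's research: it runs over constructed egress-proxy log lines (a simplified timestamp, client, method, path, status, bytes format assumed for the example, not a real product's format), flags every POST to /api/putImages, and then ranks clients by upload bursts, because a phone that pushes several multi-megabyte POSTs to that path within a minute looks like a gallery being drained rather than a single upload. The burst threshold and window are assumptions to tune to your environment.

```python
"""Flag gallery-exfiltration uploads in egress logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Assumed simplified format:
#   <ISO time> <client ip> <method> <path> <status> <bytes sent by client>
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.12 GET /api/config 200 512
2024-06-01T10:00:05Z 10.0.0.12 POST /api/putImages 200 2048011
2024-06-01T10:00:07Z 10.0.0.12 POST /api/putImages 200 1903322
2024-06-01T10:00:09Z 10.0.0.12 POST /api/putImages 200 2210987
2024-06-01T10:00:10Z 10.0.0.12 POST /api/putImages 200 1777001
2024-06-01T10:01:30Z 10.0.0.34 POST /api/putImages 200 1024000
2024-06-01T10:05:00Z 10.0.0.56 POST /api/putImagesBackup 200 4096
2024-06-01T10:05:02Z 10.0.0.56 POST /api/upload 200 4096
"""

LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+)$")
# Match the exact endpoint, optionally with a trailing slash or query string,
# but not a longer path that merely shares the prefix.
EXFIL_PATH = re.compile(r"^/api/putImages(?:/?$|\?)")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, client, method, path, status, nbytes = m.groups()
        yield {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "path": path,
            "status": int(status), "bytes": int(nbytes),
        }


def find_exfil_events(text):
    """Every POST to the SparkKitty upload endpoint is a hit on its own."""
    return [e for e in parse_log(text)
            if e["method"] == "POST" and EXFIL_PATH.match(e["path"])]


def rank_bursts(events, min_count=3, window=timedelta(seconds=60)):
    """Per client, find the densest window of uploads (sliding window over
    time-sorted events) and alert when it holds at least min_count POSTs."""
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_client[e["client"]].append(e)
    alerts = []
    for client, evs in by_client.items():
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            alerts.append({
                "client": client,
                "peak_uploads_in_window": best,
                "total_uploads": len(evs),
                "total_bytes": sum(e["bytes"] for e in evs),
                "first": evs[0]["ts"], "last": evs[-1]["ts"],
            })
    return sorted(alerts, key=lambda a: a["peak_uploads_in_window"], reverse=True)


if __name__ == "__main__":
    hits = find_exfil_events(SAMPLE_LOG)
    for h in hits:
        print("hit:", h["client"], h["path"], h["bytes"])
    for a in rank_bursts(hits):
        print("burst:", a)
```

With the sample above, every POST from 10.0.0.12 and 10.0.0.34 is reported as a hit, and only 10.0.0.12 (four uploads in five seconds) is raised as a burst; the single upload from 10.0.0.34 still deserves a look, because the path itself is the indicator, but the burst ranking tells the analyst where to start.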
Distribution Methods and App Store Infiltration
SparkKitty reached users through both official app stores and iOS sideloading, which is what makes the campaign notable.
On Google Play the payload was embedded in apps that looked legitimate, such as SOEX, a messaging app with cryptocurrency trading features that was downloaded more than 10,000 times before Google removed it.
That it passed store review shows the limits of vetting against code that uses an ordinary permission, photo library access, for exfiltration: the behaviour only looks malicious in volume and on the network.
iOS distribution is more troubling: SparkKitty abuses Apple's enterprise provisioning profiles to sideload apps that never go through App Store review at all.
This was observed in the 币 coin app, a cryptocurrency tracking application that appeared legitimate to users while carrying the payload.
The malicious code is usually placed in a framework that mimics a trusted library such as AFNetworking, so the bundle's dependency list shows nothing unexpected; checking embedded frameworks by hash against a known-good build, rather than by name, is what exposes the substitution.
Infrastructure components include:
- Cloud storage services: AWS S3 and Alibaba Cloud Object Storage Service (OSS) buckets host the payloads
- Command-and-control servers: receive the uploaded images over a persistent channel
- Redundant systems: a distributed architecture keeps the operation running when individual hosts are taken down
- Geographic distribution: servers spread across multiple regions
Commodity cloud storage makes payload hosts cheap to rotate, so blocking a single bucket or domain has little lasting effect; durable detection keys on the /api/putImages upload path and on the file hashes listed at the end of this article rather than on the hosting infrastructure.
Target Demographics and Security Implications
SparkKitty's targeting is deliberate: it goes after users in Southeast Asia and China, and specifically those using cryptocurrency trading, online gambling, and adult entertainment apps.
These users are more likely than average to keep sensitive financial material, including wallet seed phrases, as screenshots on their phones, which is exactly what a gallery thief is after.
The move from SparkCat to SparkKitty is a shift toward cruder but broader collection.
SparkCat used on-device optical character recognition to pick out images containing text of interest; SparkKitty skips the filtering and takes everything the photo library permission allows, trading precision for volume.
Anything in the gallery is therefore in scope: seed-phrase screenshots, financial documents, and whatever else the user has photographed.
SparkKitty illustrates how mobile malware now gets through official store review rather than only through third-party stores.
Users should be careful with apps related to cryptocurrency or financial services, should never keep seed phrases or similar secrets as screenshots in the photo gallery, and should review which apps hold full photo library access: both iOS (since version 14) and Android (since version 14) can limit an app to a user-selected subset of photos, which blunts exactly this class of theft.
The campaign's presence on trusted platforms means that a listing on an official store is not by itself evidence that an app is safe.
Indicators of Compromise (IOCs):
| SHA-256 Hash |
|---|
| 21879ce5a61e47e5c968004d4eebd24505e29056139cebc3fe1c5dd80c6f184f |
| 381570757ecd56c99434ff799b90c2513227035c98d2b9602ae0bb8d210cac4c |
| 1d2e41beb37e9502d1b81775a53a6e498842daed93fe19cdcd4cbd2a7228d12d |
| 94297b685a5659647a3c021e82e2fd62e5ae607b242b8289669cfee8d5cc79e3 |
| 75a8d1ea41d9b4a9ac45f521f7c8422858bfc1c14d5ba85c16d08fbd1c61b96c |
| cf3ab3313a315a265fe5627e4b41b418ff7d62ad649f433b85198ff07f14907d |
| 7ffb912d9c120e97d3b052b576d15d4ccdb28e3b017cdd26695465fed4348d1e |
| 17b71715aba2d00c6791b6c72d275af4fc63d56870abe6035ba70eac03b2e810 |
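To use these hashes, compare them against bytes on disk rather than against app names. The following scanner is an added example, not from the article: it parses the 64-hex-digit SHA-256 values out of the table text, hashes each file it is given and, because IPA and APK packages are ZIP archives, also hashes every archive member in memory, so an embedded framework under Payload/*.app/Frameworks/ is checked without unpacking. The self-check builds a constructed archive with a made-up member and matches on that member's own hash; no real SparkKitty sample is included, and the constructed bytes match none of the published IOCs.

```python
"""Match files and archive members against SHA-256 IOCs (added example)."""
import hashlib
import os
import re
import tempfile
import zipfile

# The eight SHA-256 values published in the article's IOC table.
IOC_TABLE = """
21879ce5a61e47e5c968004d4eebd24505e29056139cebc3fe1c5dd80c6f184f
381570757ecd56c99434ff799b90c2513227035c98d2b9602ae0bb8d210cac4c
1d2e41beb37e9502d1b81775a53a6e498842daed93fe19cdcd4cbd2a7228d12d
94297b685a5659647a3c021e82e2fd62e5ae607b242b8289669cfee8d5cc79e3
75a8d1ea41d9b4a9ac45f521f7c8422858bfc1c14d5ba85c16d08fbd1c61b96c
cf3ab3313a315a265fe5627e4b41b418ff7d62ad649f433b85198ff07f14907d
7ffb912d9c120e97d3b052b576d15d4ccdb28e3b017cdd26695465fed4348d1e
17b71715aba2d00c6791b6c72d275af4fc63d56870abe6035ba70eac03b2e810
"""
HEX64 = re.compile(r"\b[0-9a-f]{64}\b")


def load_iocs(text: str) -> set:
    """Pull every 64-hex-digit token out of free text (table pipes, prose, etc.)."""
    return set(HEX64.findall(text.lower()))


def sha256_stream(fobj) -> str:
    """Hash a file-like object in 1 MiB chunks so large binaries do not sit in RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()


def iter_hashes(path: str):
    """Yield (label, sha256) for the file and, if it is a ZIP (IPA/APK), each member."""
    with open(path, "rb") as f:
        yield path, sha256_stream(f)
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            for info in z.infolist():
                if info.is_dir():
                    continue
                with z.open(info) as member:
                    yield f"{path}!{info.filename}", sha256_stream(member)


def scan(paths, iocs):
    """Return [(label, digest)] for every file or member whose hash is an IOC."""
    return [(label, d) for p in paths for label, d in iter_hashes(p) if d in iocs]


def self_check(workdir: str) -> bool:
    """Build a constructed IPA-shaped archive and confirm member hashing and matching work."""
    path = os.path.join(workdir, "sample.ipa")
    member = "Payload/Demo.app/Frameworks/AFNetworking.framework/AFNetworking"
    payload = b"constructed sample bytes, not a real framework"
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(member, payload)
    expected = hashlib.sha256(payload).hexdigest()
    hits = scan([path], {expected})
    clean = scan([path], load_iocs(IOC_TABLE))  # constructed bytes match no real IOC
    return len(hits) == 1 and hits[0][0].endswith(member) and clean == []


def self_check_tmp() -> bool:
    """Run self_check in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return self_check(d)


if __name__ == "__main__":
    import sys
    for label, digest in scan(sys.argv[1:], load_iocs(IOC_TABLE)):
        print(f"IOC match: {label} {digest}")
```

Run it as `python scan.py app.ipa other.apk`; the `!member` suffix in a match label tells you which embedded file inside the package hit, which is what you need when the indicator is a framework rather than the whole app.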