SparkKitty: A Silent Threat in ‘Trusted’ Apps
A notably elaborate spyware campaign dubbed SparkKitty has been infecting an increasing number of Android and iOS users. First detected last year as part of the previously identified SparkCat campaign, SparkKitty has since evolved into a widespread surveillance operation.
The SparkKitty malware has been distributed through apps on official and unofficial sources since at least February 2024, banking on users’ trust in the app stores (or in nefarious unofficial locations) to steal private media. SparkKitty uses a variety of techniques to infect devices and is designed to operate under the radar, making it difficult to spot and eradicate.
Although it doesn’t target cryptocurrency wallets directly, researchers believe it is after screenshots of wallet recovery seed phrases. The inclusion of crypto-only app stores among the Trojanized apps suggests a financial motive for the SparkKitty campaign. SparkCat’s goals were more straightforward, as it targeted cryptocurrency wallets in particular, whereas SparkKitty’s broader image theft obscures its intentions even as its goals expand.
Researchers noted several factors that tie the malware to cryptocurrency fraud and to old SparkCat infrastructure. They also believe that users who choose to save their seed phrase as an image are not safe, as these images are now actively being hunted by malware.
How SparkKitty works
The iOS variant is delivered as a disguised library posing as a popular iOS framework such as AFNetworking or Alamofire. Some iOS versions of SparkKitty go as far as impersonating an obfuscated variant of one of Apple’s legitimate libraries, like libswiftDarwin.dylib, to avoid tripping signature-based detection.
The malware is installed through an Apple Enterprise provisioning profile rather than the standard iOS app installation path and its associated certificates, so victims never even need to visit the App Store to install the affected app.
SparkKitty was observed using Apple’s app installation tools meant for internal use by enterprises to circumvent App Store scrutiny. Enterprise provisioning is commonly abused by grey-market developers as well as malware authors. The abuse of such provisioning profiles on iOS shows just how convoluted and expansive the malware distribution ecosystem has become.
On iOS, an affected TikTok app asks for gallery access every time the user launches it. The malicious iOS TikTok variant uploads all of the gallery images to attacker-controlled servers, and you can only imagine the possible loot that access allows.
On iOS, SparkKitty uses the Objective-C +load hook to run its malicious code during program start-up. If the user has granted gallery permission, the malware watches the photo library for changes, and any new images that haven’t been uploaded previously are exfiltrated from the device. That’s determination.
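As an added illustration (not code from the original post or from the researchers who analysed SparkKitty), the script below shows how a defender triaging an IPA could surface the two iOS distribution traits described above: an enterprise (in-house) provisioning profile, identified by the ProvisionsAllDevices key in embedded.mobileprovision, and a copy of a system Swift runtime library such as libswiftDarwin.dylib shipped inside the app bundle. The sample IPA it builds is constructed for the demonstration; note that a bundled libswift*.dylib is legitimate for apps that still support iOS versions predating Swift ABI stability, so that finding is a prompt for review rather than a verdict.

```python
import io
import plistlib
import re
import zipfile

# embedded.mobileprovision is a CMS-signed blob; the plist inside is plaintext,
# so a regex is enough for triage (this does NOT validate the signature).
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)
# System Swift runtime libraries shipped inside Frameworks/ are worth a look.
SYSTEM_SWIFT_RE = re.compile(r"/Frameworks/libswift[A-Za-z0-9_]*\.dylib$")


def parse_mobileprovision(blob: bytes) -> dict:
    """Return the profile's plist as a dict, or {} if none is found."""
    match = PLIST_RE.search(blob)
    return plistlib.loads(match.group(0)) if match else {}


def triage_ipa(ipa_bytes: bytes) -> dict:
    """Flag enterprise provisioning and bundled system Swift libraries."""
    findings = {"enterprise_profile": False, "team": None, "bundled_system_libs": []}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            if name.endswith(".app/embedded.mobileprovision"):
                profile = parse_mobileprovision(ipa.read(name))
                # ProvisionsAllDevices is set only on in-house (enterprise) profiles.
                findings["enterprise_profile"] = bool(profile.get("ProvisionsAllDevices"))
                findings["team"] = profile.get("TeamName")
            elif SYSTEM_SWIFT_RE.search(name):
                findings["bundled_system_libs"].append(name.rsplit("/", 1)[-1])
    return findings


def build_sample_ipa() -> bytes:
    """Constructed sample: an enterprise profile plus a bundled libswiftDarwin.dylib."""
    plist = plistlib.dumps({"TeamName": "Example Corp (constructed)",
                            "ProvisionsAllDevices": True,
                            "Entitlements": {"get-task-allow": False}})
    profile = b"\x30\x82fake-cms-header" + plist + b"fake-cms-trailer"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Demo.app/embedded.mobileprovision", profile)
        ipa.writestr("Payload/Demo.app/Frameworks/libswiftDarwin.dylib", b"\xcf\xfa\xed\xfe")
        ipa.writestr("Payload/Demo.app/Frameworks/Alamofire.framework/Alamofire", b"\xcf\xfa\xed\xfe")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ipa(build_sample_ipa()))
```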
Now, on Android, SparkKitty was discovered in both Java and Kotlin implementations, with the Kotlin version being an obfuscated Xposed module.
SparkKitty is triggered during app start-up or when users open certain screens. The Android implementation also fetches a remote file that is base64-encoded and AES-256 encrypted, and parses it to obtain the C2 server address. It uploads photos along with their metadata and other identifying device information. Some of the Android implementations even bundle ML Kit OCR so that only images containing text are detected and uploaded.
How SparkKitty was discovered
Fake download portals, third-party stores like TikToki Mall, and even Trojanized TikTok clones are all possible distribution points for these infections. Researchers first became aware of SparkKitty after investigating the links behind some infected TikTok clones found on the official App Store.
SOEX, an infected messaging app with exchange functionality, had been downloaded over 10,000 times from the Play Store. And malicious TikTok clones were found to have turned to fake cryptocurrency shops and adult content in order to bait users.
Apps related to SparkKitty on iOS also include gambling games in Chinese and TikTok mods. Some of these infected apps gained tens of thousands of downloads before they were removed from Google Play. Their presence in official stores is a testament to the growing technical know-how and tenacity of mobile threat actors, and their execution is dogged and strikingly effective.
It’s just one of the latest mobile threats that should “spark” added emphasis on mobile device diligence.
Written by
Jon Samsel
Head of Cybersecurity Business and Global Marketing