A newly uncovered spyware campaign called SparkKitty has infiltrated both Apple’s App Store and Google Play successfully. This sophisticated new campaign marks a significant escalation in mobile malware being distributed through strictly official channels. The Trojan spy represents the latest evolution in the cryptocurrency-focused attacks previously seen in other similar campaigns. It specifically targets both iOS and Android devices simultaneously, employing a variety of platform-specific infection techniques. This sustained and coordinated campaign has been active since at least February 2024, indicating a very serious effort.
The primary objective of the SparkKitty malware appears to be the theft of all photographs from infected devices.
Attackers are hoping to capture extremely sensitive data like cryptocurrency wallet seed phrases from the stolen image files. Unlike its predecessor, SparkKitty indiscriminately steals all accessible images from the device galleries of its many victims. The campaign has demonstrated considerable geographic focus, primarily targeting users in both Southeast Asia and also in China. This malware spreads through applications designed for these regions, like Chinese gambling games and TikTok modifications.
The technical sophistication of SparkKitty becomes very apparent when examining its complex implementation details on iOS. On iOS devices, the malicious payload is delivered through frameworks that mimic legitimate networking software libraries. It also utilizes obfuscated libraries cleverly disguised as necessary system components like the file libswiftDarwin.dylib. The malware leverages Objective-C’s automatic class loading mechanism through the use of the special load selector.
This function executes automatically when applications launch, providing an entry point for the malicious activity to begin.
The malware implements a multi-stage verification process before it will ever activate its primary malicious payload. It first checks a specific key in the application’s configuration file to prevent any accidental unintended execution. Following verification, SparkKitty retrieves and decrypts an encoded configuration containing command and control server addresses. The malware establishes communication with its C2 infrastructure to receive authorization codes that permit photo uploading. Once authorized, it systematically accesses the device’s gallery and uploads any new photographs to the server.