New Mobile Malware SparkKitty Threatens Both Android and iPhone Users

A new mobile malware strain, SparkKitty, has been identified by cybersecurity firm Kaspersky as targeting both Android and iPhone users. This malware scans private photos to steal cryptocurrency recovery phrases and other sensitive data, marking a significant evolution from a previous campaign known as SparkCat.

Researchers at Kaspersky recently identified SparkKitty, which appears to succeed SparkCat, a campaign first reported earlier this year that used optical character recognition (OCR) to extract sensitive data from images, including cryptocurrency recovery phrases. SparkKitty goes further, uploading images from infected phones indiscriminately, potentially exposing not just wallet data but also any personal or sensitive photos stored on the device. The main target appears to be crypto seed phrases, but criminals could use other images for extortion or other malicious purposes.

Kaspersky researchers report that SparkKitty has operated since at least February 2024. Attackers distributed it through both official and unofficial channels, including Google Play and the Apple App Store. Kaspersky found SparkKitty embedded in several apps, including one called 币coin on iOS and another called SOEX on Android. Both apps are no longer available in their respective stores. SOEX, a messaging app with cryptocurrency-related features, reached more than 10,000 downloads from the Google Play Store before its removal.

On iOS, attackers deliver the malware through fake software frameworks or enterprise provisioning profiles, often disguised as legitimate components. Once installed, SparkKitty uses a method native to Apple’s Objective-C programming language to run as soon as the app launches. It checks the app’s internal configuration files to decide whether to execute, then quietly starts monitoring the user’s photo library. On Android, SparkKitty hides in apps written in Java or Kotlin and sometimes uses malicious Xposed or LSPosed modules. It activates when the app launches or after a specific screen opens. The malware then decrypts a configuration file from a remote server and begins uploading images, device metadata, and identifiers.

Unlike traditional spyware, SparkKitty focuses on photos, especially those containing cryptocurrency recovery phrases, wallet screenshots, IDs, or sensitive documents. Instead of just monitoring activity, SparkKitty uploads images in bulk. This approach makes it easy for criminals to sift through and extract valuable personal data. Kaspersky researchers emphasize that the malware’s ability to indiscriminately scan and upload images is a major threat, particularly for users with cryptocurrency holdings.
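The Android behaviour described in the two paragraphs above (bulk photo-library access combined with network upload, sometimes delivered as an Xposed/LSPosed module) can be turned into a simple app-vetting heuristic. The following is an added example written for this article, not Kaspersky's tooling or any code from the malware; the manifest is constructed, and the indicator sets are assumptions chosen to match the behaviour the article describes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed indicators: permissions that grant image access, permissions that
# allow upload, and the meta-data key Xposed-style modules declare.
PHOTO_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}
NETWORK_PERMS = {"android.permission.INTERNET"}
XPOSED_META_KEY = "xposedmodule"


def triage_manifest(manifest_xml: str) -> dict:
    """Return which indicators a decoded AndroidManifest.xml exhibits."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    meta = {}
    app = root.find("application")
    if app is not None:
        for m in app.iter("meta-data"):
            meta[m.get(ANDROID_NS + "name")] = m.get(ANDROID_NS + "value")
    findings = {
        "reads_photos": bool(perms & PHOTO_PERMS),
        "has_network": bool(perms & NETWORK_PERMS),
        "xposed_module": meta.get(XPOSED_META_KEY) == "true",
    }
    # Queue for manual review when the app can both read images and reach the
    # network, or when it declares itself an Xposed module.
    findings["review"] = (
        findings["reads_photos"] and findings["has_network"]
    ) or findings["xposed_module"]
    return findings


# Constructed sample manifest for demonstration; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <application android:label="Chat">
    <meta-data android:name="xposedmodule" android:value="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Many legitimate messaging apps legitimately hold both photo and network permissions, so this only prioritises apps for closer inspection (for example, checking whether image uploads happen without user action); it is not a detection on its own.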

As a result of the discovery, both Apple and Google removed the identified apps after being alerted. However, questions remain about how SparkKitty bypassed their app review processes. As app stores grow in volume and complexity, the tools used to screen them will need to evolve at the same pace. Otherwise, incidents like this one will continue to slip through the cracks.

In response to the threat, cybersecurity experts recommend several best practices to protect users. These include sticking to trusted developers, reviewing app permissions, keeping devices updated, and using mobile security software. Experts at CyberGuy.com suggest that these measures can significantly reduce the risk of falling victim to malware like SparkKitty.