A new strain of mobile spyware, nicknamed SparkKitty, has infiltrated Apple's App Store and Google Play, posing as crypto-themed apps and mods in order to covertly extract images of seed phrases and other wallet details.
The malware appears to be a successor to SparkCat, a campaign first discovered at the beginning of 2025 that used fake support-chat modules to silently gain access to users' photo galleries and exfiltrate sensitive screenshots.
SparkKitty builds on the same strategy, Kaspersky's researchers said in an article on Monday.
Unlike SparkCat, which spreads mainly through unofficial Android packages, SparkKitty has been confirmed in several iOS and Android apps available in the official stores, including a messaging app with crypto-exchange features (with more than 10,000 installs on Google Play) and an iOS app called "币coin", disguised as a crypto wallet app.
At the heart of the iOS variant is a weaponized version of the AFNetworking or Alamofire framework, into which the attackers have inserted a custom class that runs automatically at app launch via the Objective-C +load selector.
On startup, it checks a hidden configuration value, obtains a command-and-control (C2) address, then scans the user's photo gallery and begins uploading images. The C2 address is where the malware receives its instructions, for example when to steal data or send files, and where the stolen information is delivered.
The Android variant uses modified Java libraries to achieve the same goal. OCR is applied via Google ML Kit to analyze the images; if a seed phrase or private key is detected, the file is flagged and sent to the attacker's servers.
On iOS, installation is carried out via enterprise provisioning profiles, a method intended for internal corporate apps but often abused for malware.

Victims are tricked into manually trusting a developer certificate tied to "Sinopec Sabic Tianjin Petrochemical Co. Ltd.", granting SparkKitty system-level permissions.
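Because the iOS variant is distributed through enterprise provisioning profiles rather than the App Store, a fleet owner can triage installed apps by inspecting the `embedded.mobileprovision` file inside each app bundle. The script below is an added example, not code from the article or from Kaspersky: it pulls the XML plist out of the CMS-signed profile (the plist sits in cleartext inside the signature wrapper, so no OpenSSL call is needed for triage), checks whether the profile is an enterprise in-house profile (`ProvisionsAllDevices`), whether it has expired, and whether its team is on an allowlist. The sample profile bytes, the team name and the allowlist are constructed placeholders.

```python
import datetime
import plistlib

# Constructed sample plist, shaped like the body of a real embedded.mobileprovision.
# TeamName/TeamIdentifier are placeholders, not values from any real profile.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Example Wallet</string>
    <key>TeamName</key><string>PLACEHOLDER TEAM NAME</string>
    <key>TeamIdentifier</key><array><string>PLACEHOLDER1</string></array>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>PLACEHOLDER1.com.example.wallet</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>
"""

# Real profiles are DER-encoded PKCS#7 (CMS) blobs; here opaque bytes stand in for the
# signature wrapper so the extraction step below is exercised on realistic input.
SAMPLE_PROFILE = b"\x30\x82\x01\x00" + b"\x00" * 16 + SAMPLE_PLIST + b"\x00" * 8

# Allowlist of team identifiers the organisation has approved for enterprise distribution.
# Constructed placeholder; in practice this comes from the MDM / asset inventory.
APPROVED_TEAMS = {"ORGTEAM0001"}


def extract_plist(profile: bytes) -> dict:
    """Locate the cleartext XML plist inside a CMS-signed .mobileprovision and parse it."""
    start = profile.find(b"<?xml")
    end = profile.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(profile[start : end + len(b"</plist>")])


def triage_profile(profile: bytes, approved_teams=APPROVED_TEAMS, now=None) -> dict:
    """Classify a provisioning profile for fleet triage.

    Returns a dict with the facts a responder wants: is it an enterprise (in-house)
    profile, which team signed it, is it expired, and is that team approved.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    plist = extract_plist(profile)

    # plistlib returns <date> values as naive datetimes in UTC; make them aware for comparison.
    expiry = plist.get("ExpirationDate")
    if expiry is not None and expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=datetime.timezone.utc)

    teams = set(plist.get("TeamIdentifier", []))
    enterprise = bool(plist.get("ProvisionsAllDevices", False))
    # Ad hoc / development profiles list explicit device UDIDs instead.
    device_bound = "ProvisionedDevices" in plist

    if enterprise and not teams & approved_teams:
        verdict = "suspicious: enterprise profile from unapproved team"
    elif enterprise:
        verdict = "enterprise profile from approved team"
    elif device_bound:
        verdict = "ad hoc / development profile"
    else:
        verdict = "no enterprise distribution flag"

    return {
        "app_id_name": plist.get("AppIDName"),
        "team_name": plist.get("TeamName"),
        "team_ids": sorted(teams),
        "enterprise": enterprise,
        "expired": bool(expiry and expiry < now),
        "approved": bool(teams & approved_teams),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

On a managed device the same function can be run over every `Payload/*.app/embedded.mobileprovision` extracted from an inventory export; the interesting hits are enterprise profiles whose team is not one the organisation issued, which is exactly the shape of the distribution described above.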
Several C2 addresses used AES-256-encrypted configuration files hosted on obfuscated servers.
Once decrypted, these point to payload locations and endpoints such as /API/FUTIMAGES and /API/GETIMAGESTATUS, where the app determines whether to upload photos or delay transmission.
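The endpoint paths are the one network-level indicator the article gives, and they are what a detection engineer would look for in egress proxy logs from managed mobile devices. The script below is an added example, not code from the article or from Kaspersky: it parses common-format proxy log lines, matches the request path (case-insensitively, since the article renders the paths in upper case) against those two endpoints, and aggregates hits per client so a polling-then-upload pattern from one device stands out. The log lines, client addresses and hostnames are constructed for the example and are not real indicators.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoint paths named in the article for the SparkKitty C2 configuration.
# Matched case-insensitively against the request path only.
INDICATOR_PATHS = frozenset({"/api/futimages", "/api/getimagestatus"})

# Common/combined proxy log format: client, identd, user, [timestamp], "METHOD URL PROTO", status, bytes
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: four devices, one of which polls the status endpoint and then
# uploads twice. Addresses use RFC 1918 / TEST-NET ranges and example.* hostnames.
SAMPLE_LOGS = """\
10.0.0.5 - - [23/Jun/2025:10:01:02 +0000] "GET http://cdn.example.net/assets/logo.png HTTP/1.1" 200 5120
10.0.0.7 - - [23/Jun/2025:10:02:15 +0000] "GET http://203.0.113.10/API/GETIMAGESTATUS HTTP/1.1" 200 87
10.0.0.7 - - [23/Jun/2025:10:02:16 +0000] "POST http://203.0.113.10/API/FUTIMAGES HTTP/1.1" 200 12
10.0.0.9 - - [23/Jun/2025:10:03:40 +0000] "POST http://api.example.com/api/images HTTP/1.1" 200 12
this line is not a valid log entry
10.0.0.7 - - [23/Jun/2025:10:05:00 +0000] "POST http://203.0.113.10/api/futimages HTTP/1.1" 200 12
"""


def parse_line(line: str):
    """Parse one proxy log line into a dict, or return None for malformed lines."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    record = match.groupdict()
    parts = urlsplit(record["url"])
    # Proxy logs usually carry absolute URLs; fall back to treating the field as a bare path.
    record["host"] = parts.netloc or None
    record["path"] = parts.path or record["url"]
    return record


def find_c2_activity(lines):
    """Return every parsed request whose path matches a known endpoint."""
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        if record["path"].lower() in INDICATOR_PATHS:
            findings.append(record)
    return findings


def summarize(findings):
    """Group findings per client so one device's poll/upload sequence is visible."""
    summary = defaultdict(lambda: {"count": 0, "hosts": set(), "methods": [], "first": None, "last": None})
    for record in findings:
        entry = summary[record["src"]]
        entry["count"] += 1
        entry["hosts"].add(record["host"])
        entry["methods"].append(record["method"])
        entry["first"] = entry["first"] or record["ts"]
        entry["last"] = record["ts"]
    return dict(summary)


if __name__ == "__main__":
    hits = find_c2_activity(SAMPLE_LOGS.splitlines())
    for src, entry in summarize(hits).items():
        print(f"{src}: {entry['count']} requests to {sorted(entry['hosts'])}, "
              f"methods {entry['methods']}, {entry['first']} .. {entry['last']}")
```

Matching on path alone is deliberately loose: the servers rotate, the paths are what the decrypted configuration fixes. The summary is what makes the result actionable, since a single client that first polls the status endpoint and then issues uploads is a stronger signal than any one request, and is the device to pull for the provisioning-profile check described above.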
Kaspersky's researchers discovered further versions of the malware that use a spoofed OpenSSL library (libcrypto.dylib) with obfuscated initialization logic, indicating an evolving toolset and multiple distribution vectors.
While most of the apps appear to be aimed at users in China and Southeast Asia, nothing in the malware limits its regional scope.
Apple and Google removed the apps in question after disclosure, but the campaign has probably been active since the beginning of 2024 and may still be under way through variants and sideloaded clones, the researchers warned.