How dangerous is SparkKitty spyware?

by nativetechdoctor

Kaspersky has identified a new spyware named SparkKitty, specifically designed to target smartphones operating on iOS and Android systems. This malware is capable of sending images and device information from compromised devices to the attacker’s server.

SparkKitty has been embedded in various applications, notably those related to cryptocurrency and gambling, as well as a counterfeit version of the TikTok app. These malicious apps have been distributed through multiple channels, including the Apple App Store, Google Play, and fraudulent websites.

Experts suggest that the primary objective of this campaign may be to steal cryptocurrencies from users, particularly in Southeast Asia and China; users in Vietnam also face considerable risk from such threats.

In response to the emergence of SparkKitty, Kaspersky has alerted both Google and Apple to take necessary actions against the affected applications. Some technical insights indicate a possible connection between this campaign and SparkCat, a previously identified Trojan. SparkCat is notable for being the first malware on the iOS platform to feature an optical character recognition (OCR) module, capable of scanning users’ photo libraries to extract screenshots that may contain crypto wallet passwords or recovery phrases. The discovery of SparkKitty marks the second instance this year of Kaspersky finding a trojan stealer on the App Store.

For iOS users, the Trojan is camouflaged as a cryptocurrency-related app named 币coin. Additionally, cybercriminals have propagated the malware through fraudulent websites designed to replicate the iPhone App Store interface, disguising it as both a TikTok app and various gambling games.

According to Sergey Puzan, a malware analyst at Kaspersky, “Fake websites are one of the most popular channels for distributing malware, where hackers attempt to deceive users into visiting and installing malicious software on their iPhones. While there are legitimate methods for installing apps outside the App Store on iOS, this attack leveraged a developer tool intended for business purposes to install internal applications.”

Similarly, Android users have also been targeted, with attackers utilizing both Google Play and third-party websites to disguise the malware as cryptocurrency-related services. One example is SOEX, a messaging app with built-in cryptocurrency trading features, which has garnered over 10,000 downloads from its official store.

In addition, experts discovered infected APK files (Android application packages) on third-party websites that are believed to be linked to this attack campaign. These applications have been marketed as cryptocurrency investment projects, and the associated websites have been actively promoted on social media platforms, including YouTube.

Dmitry Kalinin, a malware analyst at Kaspersky, explained, “Once installed, the apps operate as advertised. However, during the installation process, they silently infiltrate the device and automatically transmit images from the user’s gallery to the attacker. These images can potentially contain sensitive information, such as cryptocurrency wallet recovery scripts, which could enable attackers to steal the victim’s digital assets. There are indications that the attackers are specifically targeting users’ digital currencies, as many of the compromised apps are linked to cryptocurrencies.”
