Attention Bitcoin, Ether, Solana and XRP phone wallet users: this Trojan is trying to drain you

A new strain of mobile spyware, called SparkKitty, has infiltrated Apple's App Store and Google Play, posing as crypto-themed and modded apps in order to stealthily extract images of seed phrases and wallet information.

The malware appears to be a successor to SparkCat, a campaign first uncovered at the beginning of 2025, which used fake support chat modules to gain access to user galleries and exfiltrate sensitive screenshots.

SparkKitty takes the same strategy several steps further, Kaspersky researchers said in a Monday post.

Unlike SparkCat, which spread mostly through unofficial Android packages, SparkKitty has been confirmed inside several iOS and Android apps available through the official stores, including a messaging app with crypto exchange features (with over 10,000 installs on Google Play) and an iOS app called Portfolio Tracker.


At the core of the iOS variant is a weaponized build of the AFNetworking or Alamofire networking framework, into which the attackers embedded a custom class that runs automatically on app launch via Objective-C's +load selector.

At startup, it checks a hidden configuration value, retrieves a command-and-control (C2) address, scans the user's gallery and begins uploading images. The C2 server tells the malware what to do, e.g. when to steal data or send files, and receives the stolen information.

The Android variant uses modified Java libraries to achieve the same goal. OCR is applied via Google ML Kit to analyze the images. If a seed phrase or a private key is detected, the file is flagged and sent to the attacker's servers.
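The Android variant's capability set described above (gallery read access, on-device OCR via ML Kit, and a network channel to upload matches) is something a reviewer can screen for during app triage. The following is an added example, not Kaspersky's or the article's code: it parses a decoded AndroidManifest.xml for the relevant permissions and checks a build's dependency list for the ML Kit text-recognition artifact; the manifest and dependency list are constructed samples, and a positive result is a reason to inspect further, not proof of malice.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permissions that grant read access to the photo gallery.
GALLERY_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}
# Maven coordinates of Google ML Kit's on-device text-recognition (OCR) artifacts.
MLKIT_OCR_PREFIXES = (
    "com.google.mlkit:text-recognition",
    "com.google.android.gms:play-services-mlkit-text-recognition",
)


def declared_permissions(manifest_xml: str) -> set:
    """Return the <uses-permission> names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # attributes live in the android: namespace
    return {e.get(name_attr) for e in root.iter("uses-permission") if e.get(name_attr)}


def triage_app(manifest_xml: str, dependencies: list) -> dict:
    """Heuristic: flag apps combining gallery access, network access and an OCR library.
    Legitimate apps (receipt scanners, document apps) match too, so this only
    prioritises manual review; it does not classify anything as malware."""
    perms = declared_permissions(manifest_xml)
    gallery = bool(perms & GALLERY_PERMISSIONS)
    network = "android.permission.INTERNET" in perms
    ocr = any(dep.startswith(MLKIT_OCR_PREFIXES) for dep in dependencies)
    return {"gallery_read": gallery, "network": network, "ocr_library": ocr,
            "needs_review": gallery and network and ocr}


# Constructed sample manifest and dependency list (not taken from any real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <application android:label="Chat"/>
</manifest>"""
SAMPLE_DEPENDENCIES = ["com.google.mlkit:text-recognition:16.0.0",
                       "com.squareup.okhttp3:okhttp:4.12.0"]

if __name__ == "__main__":
    print(triage_app(SAMPLE_MANIFEST, SAMPLE_DEPENDENCIES))
```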

Installation on iOS is performed through enterprise provisioning profiles, a method designed for internal company apps but frequently abused to distribute malware.


Victims are tricked into manually trusting a developer certificate linked to "Sinopec Sabic Tianjin Petrochemical Co. Ltd.," which gives SparkKitty system-level permissions.

Several C2 addresses were stored in AES-256-encrypted configuration files hosted on obscured servers.

Once decrypted, they point to upload and status endpoints such as /api/putImages and /api/getImageStatus, through which the app determines whether photos should be uploaded or the transfer delayed.

Kaspersky researchers also found other versions of the malware using a spoofed OpenSSL library (libcrypto.dylib) with obfuscated initialization logic, indicating an evolving toolset and multiple distribution vectors.

While most of the apps appear to target users in China and Southeast Asia, nothing about the malware limits its regional scope.

Apple and Google have removed the apps in question after being notified, but the campaign has probably been active since the beginning of 2024 and may still continue through sideloaded variants and clone stores, the researchers warned.

Read more: North Korean hackers are targeting top crypto companies with malware hidden in job applications
