SparkKitty Malware Steals Photos from iOS and Android Devices

A sophisticated Trojan malware campaign has been targeting mobile device users across iOS and Android platforms since February 2024, with cybersecurity researchers identifying a significant escalation in photo theft capabilities that poses particular risks to cryptocurrency users and individuals storing sensitive information in their device galleries.

SparkKitty represents a concerning evolution in mobile malware distribution, successfully bypassing security measures on both Google Play and Apple’s App Store to reach unsuspecting users.

The malware has been primarily targeting users in Southeast Asia and China, though its technical architecture imposes no geographical limitations on its operational scope.

The malware campaign has demonstrated remarkable sophistication in its distribution methods, successfully infiltrating legitimate app stores through applications such as SOEX, a messaging platform with cryptocurrency trading features that accumulated over 10,000 downloads before removal from Google Play.

On iOS devices, the malware has been embedded within fraudulent frameworks that mimic legitimate libraries like AFNetworking, while also exploiting Apple’s enterprise provisioning profiles through applications like 币coin, a cryptocurrency tracking application.

Kaspersky researchers have identified this campaign as likely representing an evolution of the previously documented SparkCat malware family, indicating continued development and refinement of mobile-targeted attack vectors by cybercriminal organizations.

SparkKitty Malware

The technical implementation of SparkKitty varies significantly between platforms while maintaining consistent malicious objectives:

Android Platform Implementation:

  • Utilizes Java and Kotlin programming languages for core functionality.
  • Leverages malicious Xposed modules to inject code directly into trusted applications.
  • Initiates infection chain through seemingly legitimate applications requesting storage permissions.
  • Targets device photo galleries through the standard Android permission model, once the storage permission has been granted.

iOS Platform Implementation:

  • Abuses the Objective-C runtime’s automatic class-loading hook (+load), which runs as soon as the class is loaded, to execute without any call from the host app.
  • Triggers malware activation via the +[AFImageDownloader load] selector upon application launch.
  • Incorporates verification checks ensuring the target application’s Info.plist contains specific configuration keys before proceeding.
  • Decodes Base64-encoded configuration blobs and decrypts them with AES-256 in ECB mode.
  • Accesses device photo galleries and uploads captured images to command-and-control servers through designated API endpoints.
  • Maintains persistent monitoring of gallery changes to capture newly added photographs automatically.

Infrastructure and Resilience:

  • Utilizes cloud services including AWS S3 and Alibaba OSS for payload delivery.
  • Complicates takedown efforts through distributed infrastructure approach.
  • Ensures operational continuity across diverse geographical regions.

Comprehensive Photo Theft

SparkKitty represents a significant escalation in threat capability compared to its predecessor, SparkCat, which used optical character recognition to selectively target specific images.

The current campaign indiscriminately exfiltrates all accessible photographs from device galleries, substantially increasing the probability of capturing sensitive information including cryptocurrency wallet seed phrases, identification documents, and financial records.

The malware maintains local databases to track uploaded images and prevent duplicate transmissions, while continuously monitoring gallery modifications to steal newly added content.
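The behaviour described above, bulk upload of gallery images to cloud object storage such as AWS S3 or Alibaba OSS, is detectable from egress logs. The following Python script is an added example for this article, not code from the researchers or the malware: it scans constructed, hypothetical mobile egress log lines (timestamp, app identifier, method, host, path, bytes) and flags any app that pushes many image files to S3/OSS hostnames within a short window. The log format, app identifiers, bucket names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log (hypothetical format): ts app method host path bytes
SAMPLE_LOG = """\
2024-06-01T10:00:01Z com.example.wallet PUT example-bucket.s3.amazonaws.com /u/IMG_0001.jpg 2310000
2024-06-01T10:00:03Z com.example.wallet PUT example-bucket.s3.amazonaws.com /u/IMG_0002.jpg 1980000
2024-06-01T10:00:05Z com.example.wallet PUT example-bucket.s3.amazonaws.com /u/IMG_0003.HEIC 2710000
2024-06-01T10:00:08Z com.example.wallet PUT example-bucket.s3.amazonaws.com /u/IMG_0004.png 900000
2024-06-01T10:00:10Z com.example.wallet PUT example-bucket.s3.amazonaws.com /u/IMG_0005.jpg 2100000
2024-06-01T10:00:12Z com.example.wallet PUT example-bucket.s3.amazonaws.com /u/IMG_0006.jpg 2400000
2024-06-01T10:01:00Z com.example.backup PUT backup.example.net /sync/a.jpg 3000000
2024-06-01T11:30:00Z com.example.chat POST example-cdn.oss-cn-hangzhou.aliyuncs.com /up/pic.jpg 400000
"""

IMAGE_EXT = re.compile(r"\.(jpe?g|png|heic|gif|webp)$", re.I)
# S3 (with or without region label) and Alibaba OSS bucket hostnames
CLOUD_STORAGE = re.compile(r"(?:\.s3(?:[.-][\w-]+)?\.amazonaws\.com|\.aliyuncs\.com)$", re.I)


def parse_line(line):
    ts, app, method, host, path, size = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), app, method, host, path, int(size)


def find_bulk_image_uploads(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {app: alert} for apps uploading >= threshold images to S3/OSS within `window`."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, app, method, host, path, size = parse_line(line)
        if method not in ("PUT", "POST"):
            continue
        if not CLOUD_STORAGE.search(host) or not IMAGE_EXT.search(path):
            continue
        uploads[app].append((ts, size))
    alerts = {}
    for app, events in uploads.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted upload times
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(app, {}).get("count", 0):
                alerts[app] = {"count": count, "bytes": sum(s for _, s in events[start:end + 1]),
                               "first": events[start][0], "last": events[end][0]}
    return alerts


if __name__ == "__main__":
    for app, a in find_bulk_image_uploads(SAMPLE_LOG).items():
        print(f"{app}: {a['count']} image uploads ({a['bytes']} bytes) {a['first']} .. {a['last']}")
```

A single image sent to a CDN, as the chat app does in the sample, stays below the threshold; the burst of six gallery-sized files to one bucket in eleven seconds is what the rule flags.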

This comprehensive approach significantly amplifies the potential for sensitive data exposure, particularly affecting users who store screenshots of cryptocurrency wallet recovery phrases or other confidential information in their device galleries.

Security researchers emphasize the critical importance of avoiding storage of sensitive screenshots in device galleries and implementing heightened scrutiny when downloading mobile applications, even from officially sanctioned app stores, given SparkKitty’s demonstrated ability to bypass traditional vetting processes.
