SparkKitty Malware Attacking iOS and Android Users to Steal Gallery Images
A Trojan known as SparkKitty has been targeting iOS and Android devices since early 2024, reaching victims both through the official app stores and through untrusted websites, in order to steal images from the device gallery.
This malware campaign, which appears to be an evolution of the previous SparkCat operation, poses significant threats to users primarily in Southeast Asia and China by indiscriminately exfiltrating personal photos with a suspected focus on capturing cryptocurrency wallet seed phrases and other sensitive visual data.
The notable part of SparkKitty is its distribution: trojanized builds passed app store review and reached users through channels they are told to trust.
The malware has been discovered embedded in applications available on Google Play Store and Apple’s App Store, including apps like 币coin (a cryptocurrency tracker) and SOEX (a messaging platform with cryptocurrency trading features).
The SOEX app alone garnered over 10,000 downloads before its removal from Google Play, highlighting the malware’s ability to achieve widespread distribution through trusted platforms.
On iOS, SparkKitty is also distributed through enterprise provisioning profiles. These profiles exist so that an organization can install in-house apps on its own employees' devices, but once a user accepts one, any app signed under it will install, with no App Store review of the binary.
This gives the operators a sideloading path that reaches users who would otherwise be protected by App Store review.
Technical Capabilities and Execution
The malware demonstrates platform-specific execution strategies while maintaining consistent stealth capabilities across both operating systems.
SparkKitty Android variants are developed using Java and Kotlin programming languages, with some versions leveraging malicious Xposed modules to inject code into trusted applications.
These variants activate upon app launch or specific user interactions, subsequently requesting storage permissions to access device images.
On iOS, SparkKitty starts running as soon as the app does by implementing the Objective-C +load class method on AFImageDownloader: the runtime calls +[AFImageDownloader load] automatically when the class is registered, which happens while the binary is being loaded, before main() runs, so no user interaction is needed.
Before doing anything else, the code checks the app's Info.plist for specific configuration keys and proceeds only when they are present, which keeps it inactive in apps or environments it was not built for.
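The two iOS traits above (an enterprise provisioning profile, and the AFImageDownloader class plus the upload endpoint named later in this article) can be checked statically on an unpacked .ipa. The following is an added example written for this article, not code from the report or from the malware; the provisioning-profile wrapper bytes, team name and executable bytes in the DEMO_* inputs are constructed, and the assumption that a legitimate AFNetworking build does not implement +load on AFImageDownloader is stated in the comments.

```python
"""Static triage of an unpacked .ipa: flag enterprise-signed apps and the
string indicators tied to the SparkKitty iOS payload.

Added example, not code from the report or the malware. The DEMO_* inputs
at the bottom are constructed for this example."""
import plistlib

# Strings the article associates with the iOS payload. The class name alone
# is weak evidence: AFImageDownloader ships with the legitimate AFNetworking
# library. What distinguishes the trojanized copy (assumption: a clean
# AFNetworking build has no +load on this class) is the +load implementation,
# which a string scan cannot see; confirm it with class-dump or a
# disassembler before calling a sample malicious.
IOS_STRING_INDICATORS = (b"AFImageDownloader", b"/api/putImages")


def extract_provisioning_plist(mobileprovision: bytes) -> dict:
    """embedded.mobileprovision is a CMS (PKCS#7) signed blob whose payload is
    an XML plist stored in the clear, so its attributes can be read by slicing
    the XML out. The signature is not verified here: this is triage, not trust."""
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < 0 or end < start:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(mobileprovision[start:end + len(b"</plist>")])


def is_enterprise_profile(profile: dict) -> bool:
    """Enterprise (in-house) profiles set ProvisionsAllDevices and carry no
    ProvisionedDevices list. Development and ad-hoc profiles enumerate device
    UDIDs instead, and an App Store install has no embedded profile at all."""
    return bool(profile.get("ProvisionsAllDevices")) and not profile.get("ProvisionedDevices")


def find_string_indicators(macho: bytes, indicators=IOS_STRING_INDICATORS) -> list:
    """Return the indicator strings present anywhere in the main executable."""
    return [s.decode() for s in indicators if s in macho]


def triage_ipa(mobileprovision, macho: bytes) -> dict:
    """Combine both checks. `mobileprovision` is None when the bundle has no
    embedded.mobileprovision (the normal case for an App Store install)."""
    result = {"enterprise_signed": False, "team": None, "indicators": []}
    if mobileprovision is not None:
        profile = extract_provisioning_plist(mobileprovision)
        result["enterprise_signed"] = is_enterprise_profile(profile)
        result["team"] = profile.get("TeamName")
    result["indicators"] = find_string_indicators(macho)
    # Enterprise signing plus the C2 upload path is the combination worth escalating.
    result["suspicious"] = result["enterprise_signed"] and "/api/putImages" in result["indicators"]
    return result


# Constructed inputs: arbitrary filler bytes standing in for the CMS wrapper
# around a minimal enterprise profile, and a fake Mach-O (magic bytes plus
# padding) that contains both indicator strings.
DEMO_PROFILE = (
    b"\x30\x82\x01\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    + plistlib.dumps({
        "Name": "Example In-House Distribution (constructed)",
        "TeamName": "Example Corp (constructed)",
        "ProvisionsAllDevices": True,
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.app"},
    })
    + b"\x00\x00signature-bytes-placeholder"
)
DEMO_MACHO = b"\xcf\xfa\xed\xfe" + b"\x00" * 32 + b"AFImageDownloader\x00load\x00/api/putImages\x00"

if __name__ == "__main__":
    print(triage_ipa(DEMO_PROFILE, DEMO_MACHO))
```

Run it against a real bundle by reading `Payload/<App>.app/embedded.mobileprovision` and the main executable from the unpacked .ipa; an absent profile is passed as None. A hit on the class name alone should be expected in any app that bundles AFNetworking, so treat the endpoint string and the enterprise signature as the parts that carry weight.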
Unlike its predecessor, SparkCat, which employed optical character recognition (OCR) technology to selectively target specific images, SparkKitty adopts a more aggressive approach by exfiltrating all accessible photos from device galleries.
This comprehensive data theft strategy significantly increases the likelihood of capturing sensitive information, including cryptocurrency wallet seed phrases, personal identification documents, and financial records.
The malware maintains a local database to track previously uploaded images and continuously monitors gallery changes to steal newly added content.
Once collected, images are uploaded to command-and-control servers via the ‘/api/putImages’ endpoint, utilizing cloud infrastructure including AWS S3 and Alibaba OSS for payload delivery and data exfiltration.
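The upload behaviour just described leaves a network footprint: one client posting image after image to the same /api/putImages path shortly after install. The following detection logic is an added example for this article, not code from the report; the proxy log format, the hosts (placeholders under the reserved .test domain, not real IoCs), the client addresses and the DEMO_LOG lines are all constructed. The check goes slightly beyond the article by flagging on a burst of uploads inside a time window rather than on the path alone, since a single image POST is ordinary app behaviour.

```python
"""Flag clients that burst image uploads to the /api/putImages path in HTTP
proxy logs. Added example, not code from the report. The log format and the
DEMO_LOG lines are constructed; adapt LOG_RE to your proxy's own format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

EXFIL_PATH = "/api/putImages"
IMAGE_TYPES = {"image/jpeg", "image/png", "image/heic", "image/webp"}

# Constructed line format: ISO timestamp, client, method, URL, status,
# request Content-Type ("-" when absent), request body size in bytes.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<size>\d+)$"
)

# Constructed sample: 10.0.0.12 walks its gallery in a burst, 10.0.0.40 uploads
# one photo to an unrelated service, 10.0.0.55 makes a single upload to the path.
DEMO_LOG = """\
2024-06-02T09:00:01Z 10.0.0.12 GET https://api.c2-host.test/app/config.json 200 - 0
2024-06-02T09:00:05Z 10.0.0.12 POST https://api.c2-host.test/api/putImages 200 image/jpeg 2310044
2024-06-02T09:00:09Z 10.0.0.12 POST https://api.c2-host.test/api/putImages 200 image/jpeg 1874210
2024-06-02T09:00:14Z 10.0.0.12 POST https://api.c2-host.test/api/putImages 200 image/heic 3012991
2024-06-02T09:00:20Z 10.0.0.12 POST https://api.c2-host.test/api/putImages 200 image/png 540112
2024-06-02T09:01:00Z 10.0.0.40 POST https://photos.legit-service.test/upload 200 image/jpeg 2100000
2024-06-02T10:30:00Z 10.0.0.55 POST https://api.c2-host.test/api/putImages 200 image/jpeg 1200000
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["size"] = int(rec["size"])
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname
    rec["path"] = parts.path
    return rec


def is_image_upload(rec: dict) -> bool:
    """An image body POSTed to the exfiltration path named in the report."""
    return rec["method"] == "POST" and rec["path"] == EXFIL_PATH and rec["ctype"] in IMAGE_TYPES


def find_gallery_exfil(lines, window=timedelta(minutes=5), min_uploads=3) -> dict:
    """Group matching uploads per client and flag any client that sends at
    least `min_uploads` of them inside one `window`. A lone upload is normal
    for many apps; a burst is the gallery walk the report describes."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_image_upload(rec):
            per_client[rec["client"]].append(rec)

    findings = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_uploads:
                findings[client] = {
                    "uploads": len(recs),
                    "bytes": sum(r["size"] for r in recs),
                    "hosts": sorted({r["host"] for r in recs}),
                    "first_seen": recs[0]["ts"].isoformat(),
                }
                break
    return findings


if __name__ == "__main__":
    for client, info in find_gallery_exfil(DEMO_LOG.splitlines()).items():
        print(client, info)
```

The path is the stronger signal here; the S3 and OSS hosts mentioned in the article are shared cloud infrastructure that legitimate apps also use, so keying a rule on them alone would be noisy. Lowering `min_uploads` to 1 turns this into a plain indicator match, which is useful for a retrospective sweep once the path is known.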
Geographic Targeting and User Impact
SparkKitty’s campaign appears strategically focused on users in Southeast Asia and China, aligning with applications specifically tailored for these regional audiences.
The malware has been discovered in apps related to cryptocurrency, gambling, and adult entertainment, including trojanized TikTok modifications, suggesting deliberate targeting of high-risk application verticals where users might be more likely to store sensitive visual information.
SparkKitty shows that trojanized apps can still pass both Google Play and App Store review, and that enterprise provisioning remains a workable sideloading path on iOS.
Users should be cautious with apps related to cryptocurrency or financial services, should not keep screenshots of seed phrases or identity documents in the device gallery, and should remove any enterprise profile they do not recognize (Settings > General > VPN & Device Management on current iOS releases). Granting an app access to only selected photos rather than the whole library also limits what a gallery-stealing app can take.
Since both stores' review processes missed these samples, device-level controls and user awareness are the remaining line of defense.