SparkKitty Spyware on App Store and Play Store, Steals Photos for Crypto Data

Kaspersky uncovers SparkKitty, new spyware in Apple App Store & Google Play. Steals photos, targets crypto info, active since early 2024 via malicious apps.

HackRead

Cybersecurity researchers at Kaspersky have reported a new spyware operation, dubbed SparkKitty, that has infected apps available on both the official Apple App Store and Google Play.

This spyware aims to steal all images from users’ mobile devices, with a suspected focus on finding cryptocurrency information. The campaign has been active since early 2024, mainly targeting users in Southeast Asia and China.

SparkKitty spyware infiltrates devices through applications that look harmless, often disguised as modified versions of popular apps such as TikTok. The malicious TikTok builds even included a fake "TikToki Mall" online store inside the app, which accepted cryptocurrency as payment for consumer goods and often required an invitation code for access.

Installation process on iPhone showing how the malicious TikTok app uses a configuration profile (Source: Kaspersky)

**Targeting iOS Devices**

According to Kaspersky's report, for iOS devices the attackers use an Enterprise provisioning profile from Apple's Developer Program. Such a profile installs a certificate on the iPhone that lets the malicious app run as if it were trusted, so the app can be distributed directly to devices without going through the usual App Store review process.

Furthermore, threat actors embedded their malicious code by modifying open-source networking libraries like AFNetworking.framework and Alamofire.framework, and also disguised it as libswiftDarwin.dylib.
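An added defender-side illustration (not code from the Kaspersky report or from HackRead): an IPA installed through the enterprise route described above carries an embedded.mobileprovision whose plist sets ProvisionsAllDevices, which is absent from App Store and ad-hoc profiles. The function below pulls the plist out of the CMS wrapper and flags that case; the profile bytes, team name and UUID are constructed for the example.

```python
"""Triage an iOS embedded.mobileprovision for enterprise (in-house) distribution."""
import plistlib
from datetime import datetime


def extract_profile_plist(raw: bytes) -> dict:
    """A .mobileprovision is a CMS (PKCS#7) blob wrapping an XML plist.
    This slices the XML out without verifying the CMS signature; a full
    check would also validate the signature chain against Apple's roots."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found inside profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def triage_profile(raw: bytes, now: datetime) -> dict:
    """Summarise the distribution model encoded in the profile.
    ProvisionsAllDevices=true means an enterprise in-house profile: the app
    installs on any device without App Store review, which is exactly the
    path a sideloaded trojanised app would take."""
    p = extract_profile_plist(raw)
    enterprise = bool(p.get("ProvisionsAllDevices", False))
    devices = p.get("ProvisionedDevices", [])
    return {
        "team": p.get("TeamName"),
        "team_id": p.get("TeamIdentifier", [None])[0],
        "enterprise": enterprise,
        "ad_hoc_device_count": len(devices),
        "expired": p["ExpirationDate"] < now,
        "risk": "sideload:enterprise" if enterprise else "store-or-adhoc",
    }


# Constructed sample: fake DER-style prefix/suffix bytes around a minimal plist.
SAMPLE_PROFILE = (
    b"\x30\x82\x0a\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
    b'<plist version="1.0"><dict>'
    b"<key>Name</key><string>Constructed In-House Profile</string>"
    b"<key>TeamName</key><string>Example Team (constructed)</string>"
    b"<key>TeamIdentifier</key><array><string>EXAMPLE0000</string></array>"
    b"<key>ProvisionsAllDevices</key><true/>"
    b"<key>ExpirationDate</key><date>2026-01-01T00:00:00Z</date>"
    b"</dict></plist>"
    b"\x00\x00\x31\x82\x00\x10"
)

if __name__ == "__main__":
    print(triage_profile(SAMPLE_PROFILE, datetime(2025, 6, 24)))
```

On a real device the same profile appears under Settings > General > VPN & Device Management, which is where a user can see and remove an enterprise profile they did not expect.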

**Targeting Android Devices**

On the Android side, Kaspersky found SparkKitty spyware hidden in various cryptocurrency and casino applications. One such app, a messaging tool with crypto features, was downloaded over 10,000 times from Google Play before being removed.

Another infected Android app, spread outside official stores, had a similar version that slipped into the App Store. In both cases the malicious code was embedded directly in the app itself rather than shipped as a separate component.

Once installed, SparkKitty spyware's main goal is to access and steal all photos from a device's gallery. While it collects images indiscriminately, it appears linked to the older SparkCat spyware, which used Optical Character Recognition (OCR), a technology that reads text from images, to specifically find and steal details such as cryptocurrency wallet recovery phrases from screenshots.

Some versions of SparkKitty also use OCR for this purpose, leveraging the Google ML Kit library for this function, particularly in apps distributed via shady web pages resembling scams and Ponzi schemes.

SparkKitty spyware apps on Google Play (left) and App Store (right)

**Connected Campaigns and Targets**

Kaspersky believes SparkKitty spyware is directly connected to the earlier SparkCat campaign, discovered in January 2025, sharing similar distribution methods through both official and unofficial app marketplaces. Both threats also seem focused on cryptocurrency theft. The attackers behind SparkKitty spyware specifically targeted users in Southeast Asia and China, often through modified gambling and adult games, as well as the fake TikTok apps.

While downloading apps from third-party stores is always risky, this discovery shows that even trusted sources like official app stores can no longer be considered fully reliable. Users in the affected regions, and indeed globally, should remain cautious about app permissions and consider the legitimacy of any app asking for unusual access, especially to photo galleries.
