SparkKitty Targets iOS and Android Devices via App Store and Google Play Attacks

A sophisticated spyware campaign, dubbed SparkKitty, has emerged as a significant threat to both iOS and Android users, infiltrating even the official app stores like Google Play and the App Store.

First detected in connection with the earlier SparkCat campaign from January 2025, which targeted crypto wallet seed phrases, SparkKitty has since evolved into a broader espionage operation.

New Wave of Spyware Infiltrates Official App Stores

Active since at least February 2024, this malware has been found in apps distributed through unofficial sources as well as trusted platforms, exploiting user trust to steal sensitive data, primarily images from device galleries.

Despite being removed from Google Play and reported to Apple, the presence of such threats in official stores underscores the persistent challenge of securing mobile ecosystems against advanced malicious actors.

SparkKitty employs a range of technical strategies to compromise devices across platforms.

On iOS, the malware is embedded as malicious frameworks mimicking legitimate libraries like AFNetworking.framework or Alamofire.framework, or as obfuscated libraries disguised as libswiftDarwin.dylib.

According to the report, these components often exploit Apple's Enterprise provisioning profiles to bypass App Store review and security restrictions, enabling unauthorized app installations.

Figure: Profile installation flow

On Android, the spyware appears in both Java and Kotlin variants, with the latter manifesting as a malicious Xposed module that hooks into app entry points.
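As an added defender-side illustration (not code from the report or from the campaign), the script below triages an .ipa for the iOS indicators described above: framework or dylib names the malware mimics, MD5 matches against the article's framework IoCs, and an enterprise (in-house) provisioning profile. The sample IPA it builds is constructed inline and is harmless; the `ProvisionsAllDevices` key is the standard marker of an enterprise profile.

```python
import hashlib, io, plistlib, re, zipfile

# Library names the article says SparkKitty mimics on iOS.
SUSPECT_NAMES = {"AFNetworking.framework", "Alamofire.framework", "libswiftDarwin.dylib"}
# MD5s of malicious iOS frameworks from the article's IoC table.
KNOWN_BAD_MD5 = {"8c9a93e829cba8c4607a7265e6988646", "b3085cd623b57fd6561e964d6fd73413"}

def enterprise_profile(blob: bytes) -> bool:
    """True if an embedded.mobileprovision is an enterprise (in-house) profile.
    The plist sits inside a CMS signature, so locate it by its XML markers."""
    m = re.search(rb"<\?xml.*?</plist>", blob, re.S)
    if not m:
        return False
    info = plistlib.loads(m.group(0))
    return bool(info.get("ProvisionsAllDevices", False))

def triage_ipa(ipa_bytes: bytes) -> dict:
    """Inspect an .ipa (a zip) for the indicators the article describes."""
    findings = {"suspect_libs": [], "ioc_hits": [], "enterprise_profile": False}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            if name.endswith("/"):
                continue
            if name.endswith("embedded.mobileprovision"):
                findings["enterprise_profile"] = enterprise_profile(z.read(name))
                continue
            # File lives inside a mimicked framework dir, or is itself a suspect dylib.
            if any(part in SUSPECT_NAMES for part in name.split("/")):
                digest = hashlib.md5(z.read(name)).hexdigest()
                findings["suspect_libs"].append(name)
                if digest in KNOWN_BAD_MD5:
                    findings["ioc_hits"].append((name, digest))
    return findings

def build_sample_ipa() -> bytes:
    """Constructed sample: minimal IPA-like zip with a mimicked framework and an
    enterprise profile. Not a real artifact; contents are placeholder bytes."""
    plist = plistlib.dumps({"Name": "Sample Enterprise", "ProvisionsAllDevices": True})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Sample", b"\xcf\xfa\xed\xfe placeholder binary")
        z.writestr("Payload/Sample.app/embedded.mobileprovision",
                   b"\x30\x82 CMS header " + plist + b"\x00 trailer")
        z.writestr("Payload/Sample.app/Frameworks/AFNetworking.framework/AFNetworking",
                   b"placeholder, not the real AFNetworking")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_ipa(build_sample_ipa()))
```

A name match alone is only a lead, since the real AFNetworking and Alamofire are legitimate libraries; a hash hit or an unexpected enterprise profile on a consumer device is the stronger signal.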

Technical Sophistication

The malware typically requests access to the device’s gallery, exfiltrating all images or selectively using OCR technology to target specific content.

Distribution methods are equally deceptive, involving suspicious online stores like TikToki Mall, fake app download pages mimicking official stores, and even crypto-themed apps such as 币coin and SOEX.

These apps, some installed over 10,000 times on Google Play, often fetch encrypted configurations from remote servers to dynamically update command-and-control (C2) addresses, enhancing their stealth and adaptability.

The campaign, primarily targeting users in Southeast Asia and China, leverages culturally relevant apps like Chinese gambling games and TikTok mods to maximize reach, though its technical design poses a global threat.

Figure: Suspicious store opened inside a TikTok app

Although SparkKitty does not explicitly target crypto assets like its predecessor SparkCat, the focus on images suggests an intent to capture sensitive data such as screenshots of wallet seed phrases.

Additional evidence, including crypto-only stores embedded in infected apps and the distribution network’s ties to cryptocurrency scams, reinforces this hypothesis.

The malware’s ability to infiltrate official app stores highlights a critical vulnerability in mobile security, as threat actors exploit developer tools and user trust to deploy espionage tools on a massive scale.

This campaign, ongoing since early 2024, is simple in concept but shows a high degree of persistence and adaptability, making it a formidable risk to personal data security.

Indicators of Compromise (IoC)

Category Example Hashes/URLs
Infected Android Apps b4489cb4fac743246f29abf7f605dd15, e8b60bf5af2d5cc5c501b87d04b8a6c2
Infected iOS Apps 21ef7a14fee3f64576f5780a637c57d1, 6d39cd8421591fbb0cc2a0bce4d0357d
Malicious iOS Frameworks 8c9a93e829cba8c4607a7265e6988646, b3085cd623b57fd6561e964d6fd73413
C2 Servers 23.249.28.88, 120.79.8.107
Configuration URLs hxxp://120.78.239.17:10011/req.txt, hxxps://sdk-data-re.oss-accelerate.aliyuncs.com
