![[The AI Show Episode 154]: AI Answers: The Future of AI Agents at Work, Building an AI Roadmap, Choosing the Right Tools, & Responsible AI Use](https://www.marketingaiinstitute.com/hubfs/ep%20154%20cover.png)
![How to Create Your Own AI Toolkit with Taylor Radey [MAICON 2025 Speaker Series]](https://www.marketingaiinstitute.com/hubfs/MAICON-Speaker_Series-Taylor.png)
![[The AI Show Episode 153]: OpenAI Releases o3-Pro, Disney Sues Midjourney, Altman: “Gentle Singularity” Is Here, AI and Jobs & News Sites Getting Crushed by AI Search](https://www.marketingaiinstitute.com/hubfs/ep%20153%20cover.png)
![[FREE EBOOKS] The Chief AI Officer’s Handbook, Natural Language Processing with Python & Four More Best Selling Titles](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
![GrandChase tier list of the best characters available [June 2025]](https://media.pocketgamer.com/artwork/na-33057-1637756796/grandchase-ios-android-3rd-anniversary.jpg?#)
_Frank_Peters_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Watch a video & download Apple's presentation to get your parents to buy you a Mac [U]](https://photos5.appleinsider.com/gallery/64090-133432-The-Parent-Presentation-_-How-to-convince-your-parents-to-get-you-a-Mac-_-Apple-1-18-screenshot-xl.jpg)
![iPhone 17 Pro to Feature Vapor Chamber Cooling System Amid 'Critical' Heat Issue [Rumor]](https://www.iclarified.com/images/news/97676/97676/97676-640.jpg)
![Apple May Make Its Biggest Acquisition Yet to Fix AI Problem [Report]](https://www.iclarified.com/images/news/97677/97677/97677-640.jpg)
![Apple Weighs Acquisition of AI Startup Perplexity in Internal Talks [Report]](https://www.iclarified.com/images/news/97674/97674/97674-640.jpg)
![Oakley and Meta Launch Smart Glasses for Athletes With AI, 3K Camera, More [Video]](https://www.iclarified.com/images/news/97665/97665/97665-640.jpg)
SparkKitty Attacks iOS and Android Devices in Wild Via App Store and Google Play
Cybersecurity researchers have uncovered a sophisticated new spyware campaign called SparkKitty that has successfully infiltrated both Apple’s App Store and Google Play Store, marking a significant escalation in mobile malware distribution through official channels. This Trojan spy represents the latest evolution in cryptocurrency-focused attacks, building upon the previously discovered SparkCat campaign while expanding its reach […] The post SparkKitty Attacks iOS and Android Devices in Wild Via App Store and Google Play appeared first on Cyber Security News.
Cybersecurity researchers have uncovered a sophisticated new spyware campaign called SparkKitty that has successfully infiltrated both Apple’s App Store and Google Play Store, marking a significant escalation in mobile malware distribution through official channels.
Summary
1. SparkKitty is a recently uncovered malware that infects both iOS and Android devices through malicious apps in the App Store and Google Play.
2. Securelist analysts found that SparkKitty’s main goal is to steal all images from victims’ galleries, hoping to capture sensitive data like crypto wallet phrases.
3. The malware uses disguised frameworks and obfuscated code for infection and persistence, communicating with command servers to exfiltrate data.
4. The campaign has targeted users mainly in Southeast Asia and China since early 2024 and remains active, posing serious privacy and financial risks.This Trojan spy represents the latest evolution in cryptocurrency-focused attacks, building upon the previously discovered SparkCat campaign while expanding its reach across both major mobile platforms.
The malware demonstrates remarkable versatility in its attack vectors, spreading not only through official app stores but also via unofficial sources and modified applications.
.webp)
SparkKitty targets both iOS and Android devices simultaneously, employing platform-specific techniques to bypass security measures and establish persistent access to victim devices.
.webp)
The campaign has been active since at least February 2024, indicating a sustained and coordinated effort by threat actors to compromise mobile users globally.
Securelist researchers noted that SparkKitty employs multiple distribution methods to maximize its infection potential.
On iOS devices, the malicious payload is delivered through frameworks that mimic legitimate networking libraries such as AFNetworking.framework or Alamofire.framework, while also utilizing obfuscated libraries disguised as system components like libswiftDarwin.dylib.
.webp)
The Android variant operates through both Java and Kotlin implementations, with some versions functioning as malicious Xposed modules that hook into application entry points.
.webp)
The primary objective of SparkKitty appears to be the theft of photographs stored on infected devices, with particular focus on images containing cryptocurrency wallet seed phrases.
Unlike its predecessor SparkCat, which used optical character recognition to selectively target specific content, SparkKitty adopts a more comprehensive approach by indiscriminately stealing all accessible images from device galleries.
This broader collection strategy suggests the attackers are casting a wider net to capture potentially valuable financial information.
The campaign has demonstrated considerable geographic focus, primarily targeting users in Southeast Asia and China through applications specifically designed for these regions, including Chinese gambling games, TikTok modifications, and adult-oriented applications.
This regional targeting aligns with the cryptocurrency themes embedded within many of the infected applications, suggesting the threat actors possess intimate knowledge of their intended victim demographics.
Technical Implementation and Persistence Mechanisms
The technical sophistication of SparkKitty becomes apparent when examining its implementation details across both platforms.
On iOS devices, the malware leverages Objective-C’s automatic class loading mechanism through the special load selector, which executes automatically when applications launch.
The entry point for malicious activity occurs within the modified +[AFImageDownloader load] selector, a function that does not exist in legitimate AFNetworking implementations.
The malware implements a multi-stage verification process before activating its payload. It first checks whether the ccool key in the application’s Info.plist configuration file matches the specific string 77e1a4d360e17fdbc.
This serves as an initial authentication mechanism to prevent accidental execution in unintended environments.
Following successful verification, SparkKitty retrieves and decrypts a Base64-encoded configuration from the ccc key using AES-256 encryption in ECB mode with the hardcoded key p0^tWut=pswHL-x>>:m?^.^)W.
The decrypted configuration contains command and control server addresses that facilitate the exfiltration process.
Before beginning photo theft operations, the malware establishes communication with its C2 infrastructure through a GET request to the /api/getImageStatus endpoint, transmitting application details and user identification information.
The server responds with a JSON structure containing authorization codes that determine whether photo uploading should proceed.
Once authorized, SparkKitty systematically accesses the device’s photo gallery, maintains a local database of previously stolen images, and uploads new photographs to the /api/putImages endpoint using multipart form data transmission.
Are you from SOC/DFIR Teams! - Interact with malware in the sandbox and find related IOCs. - Request 14-day free trial
The post SparkKitty Attacks iOS and Android Devices in Wild Via App Store and Google Play appeared first on Cyber Security News.
