SparkKitty Malware Steals Photos from Android & iPhone

A newly discovered spyware named SparkKitty is making headlines in the cybersecurity world for its sophisticated and stealthy approach to mobile device infiltration. Detected by Kaspersky researchers, SparkKitty targets both Android and iOS devices and is primarily designed to steal photos, particularly screenshots that may contain sensitive information like cryptocurrency wallet recovery phrases.

SparkKitty’s infection method involves posing as legitimate apps, including fake TikTok clones, utility apps, and gambling tools. Some variants were even found on the official Google Play Store and Apple App Store. In one notable case, a malicious app named SOEX had more than 10,000 downloads before being taken down. On iOS, infected apps like “币 coin” were delivered using enterprise provisioning profiles or injected into existing apps to bypass Apple’s security restrictions.

Once installed, SparkKitty requests permission to access the device’s photo gallery under the pretense of enhancing app functionality. Behind the scenes, it silently uploads both existing and new photos to remote servers controlled by attackers. This allows them to scan for sensitive content like screenshots of crypto wallets, two-factor authentication codes, and documents containing personal information.

What makes SparkKitty especially dangerous is its cross-platform design and the fact that it operates silently in the background. On Android, it’s written in Java and Kotlin and sometimes disguised as Xposed or LSPosed modules. On iOS, its methods are more sophisticated, leveraging known workarounds for app distribution outside of the App Store.

Security researchers have traced SparkKitty activity as far back as early 2024, with the malware continuing to evolve. Experts urge users to avoid installing apps from unknown sources, even if they appear on legitimate app stores. Users should regularly review app permissions, especially for access to media files and device storage. It’s also highly recommended to use mobile antivirus or endpoint security solutions that detect such threats in real time.
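One way to carry out the permission review described above on an Android device, as an added example that is not from Kaspersky's report or this article: the function parses the text of `adb shell dumpsys package` and lists every app that currently holds a photo-read permission, together with its recorded installer. The sample dump and its package names are constructed, and the line layout it relies on is an assumption that can vary between Android versions.

```python
import re

# Android permissions that grant read access to the photo gallery.
PHOTO_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

# Constructed excerpt in the layout of `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
  Package [com.example.videoclone] (1a2b3c):
    installerPackageName=null
    User 0: installed=true
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (4d5e6f):
    installerPackageName=com.android.vending
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET]
        android.permission.CAMERA: granted=true
  Package [com.example.wallet] (7a8b9c):
    installerPackageName=com.android.vending
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true
"""

def photo_access_report(dump_text):
    """Map each package holding a granted photo-read permission to its
    granted permissions and installer (None means no installer recorded)."""
    apps, current = {}, None
    for line in dump_text.splitlines():
        if m := PKG_RE.match(line):
            current = apps.setdefault(m.group(1), {"perms": set(), "installer": None})
        elif current is None:
            continue
        elif m := INSTALLER_RE.match(line):
            current["installer"] = None if m.group(1) == "null" else m.group(1)
        elif (m := GRANT_RE.match(line)) and m.group(2) == "true" and m.group(1) in PHOTO_PERMS:
            current["perms"].add(m.group(1))
    return {pkg: {"perms": sorted(a["perms"]), "installer": a["installer"]}
            for pkg, a in apps.items() if a["perms"]}

if __name__ == "__main__":
    for pkg, a in photo_access_report(SAMPLE_DUMP).items():
        print(pkg, a["installer"] or "no installer recorded", ", ".join(a["perms"]))
```

An app with no recorded installer was not installed through a store, but because the article notes that some variants reached the official stores, a store installer is not a reason to skip reviewing an app's photo access.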

From a broader perspective, SparkKitty represents a new wave of mobile-first cyberattacks focused on the growing number of users storing sensitive data on their smartphones. The spyware’s ability to harvest data discreetly from two of the world’s most popular mobile platforms is a significant concern for both individuals and enterprises. Organizations are advised to review their Mobile Device Management (MDM) policies and educate users on best practices for mobile security.
