
Profile installation flow | Image: Kaspersky
Kaspersky has uncovered a stealthy evolution of mobile spyware connected to the infamous SparkCat campaign. Dubbed SparkKitty, this new malware variant is engineered to silently infiltrate Android and iOS devices and exfiltrate sensitive images, including screenshots of cryptocurrency wallet seed phrases, using image-recognition components embedded in seemingly harmless apps.
“The threat actor distributed apps containing a malicious SDK/framework… that would wait for a user to open a specific screen (typically a support chat), then request access to the device’s gallery,” Kaspersky explained.
The campaign leverages trojanized TikTok mods, shady crypto platforms, and even casino apps to propagate itself. One infected iOS app, disguised as a TikTok mod, was distributed with an Apple Enterprise provisioning profile, the in-house distribution mechanism that lets an app install on any iPhone without passing App Store review, and tricked users into installing the malicious software:
“Visiting the website on an iPhone triggers a series of redirects… ultimately landing the user on a page that crudely mimics the App Store,” Kaspersky explains.
This fake TikTok app requested access to the user’s photo gallery on every launch—an oddity that tipped off researchers to dig deeper.
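A sideloaded app distributed this way ships with an embedded.mobileprovision inside its .app directory, and the distribution type is visible in that profile. The script below is an added example, not Kaspersky's tooling or anything from the report: it pulls the plist out of the profile and classifies it, so an analyst can confirm from the bundle itself that an app was installed under an Enterprise (in-house) profile rather than through the App Store. It assumes the standard layout, where the profile is a CMS (PKCS#7) DER blob whose signed content is an XML plist, and it locates that plist by its markers without verifying the signature. The sample profile bytes are constructed here for the demo.

```python
"""Classify the embedded.mobileprovision of an unpacked iOS app.

Added example, not Kaspersky's code. Enterprise (in-house) profiles are the ones
that let an app such as the fake TikTok mod run on any device outside the App
Store; they are recognisable by the ProvisionsAllDevices key. Assumption: the
profile is a CMS/PKCS#7 DER blob whose signed content is an XML plist, so the
plist sits between "<?xml" and "</plist>" and can be parsed without verifying
the signature (which this script deliberately does not do).
"""
import plistlib
import re
import sys
from datetime import datetime, timezone
from typing import Optional

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist payload out of the CMS wrapper and parse it."""
    m = PLIST_RE.search(blob)
    if not m:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(m.group(0))


def classify_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Return the distribution type plus the signing identity a reviewer cares about."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    ent = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"  # in-house distribution: installs on any device, no review
    elif profile.get("ProvisionedDevices"):
        # device-bound profile; get-task-allow marks a debuggable development build
        kind = "development" if ent.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    expires = profile.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    return {
        "kind": kind,
        "team_name": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": ent.get("application-identifier"),
        "expires": expires,
        "expired": bool(expires and expires < now),
    }


# Constructed sample: the plist an enterprise profile would carry, wrapped in a
# few stand-in bytes where a real file has the DER-encoded CMS signature structure.
SAMPLE_PLIST = {
    "AppIDName": "Example Mod",
    "ApplicationIdentifierPrefix": ["ABCDE12345"],
    "CreationDate": datetime(2025, 1, 15),
    "ExpirationDate": datetime(2099, 12, 31),
    "Name": "in-house distribution",
    "ProvisionsAllDevices": True,
    "TeamIdentifier": ["ABCDE12345"],
    "TeamName": "Example Corp (hypothetical)",
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.mod",
        "get-task-allow": False,
    },
}
SAMPLE_PROFILE = (
    b"\x30\x82\x0f\xff\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # fake CMS prefix
    + plistlib.dumps(SAMPLE_PLIST)
    + b"\x31\x82\x00\x10" + b"\x00" * 16  # fake trailing signer info
)

if __name__ == "__main__":
    # usage: python profile_check.py Payload/App.app/embedded.mobileprovision
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    print(classify_profile(extract_plist(blob)))
```

On a real sample, pair the result with an open question the page raises: an Enterprise profile on a consumer device that belongs to no organisation the user works for is itself the warning sign, regardless of what the app claims to be. The signature is left unverified on purpose; use `security cms -D -i embedded.mobileprovision` on macOS when you also need to validate the signer.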
On iOS, SparkKitty hides inside copies of AFNetworking.framework or Alamofire.framework, two popular open-source networking libraries, by adding a class named AFImageDownloaderTool that carries the malicious payload. The class implements the Objective-C +load method, which the runtime calls when the framework image is loaded, before the app's main() runs, so the payload starts without the host app ever calling into it.
Once active, it executes a multistep attack:
- Decrypts an AES-256-encrypted configuration shipped with the app, which tells it where its C2 infrastructure is.
- Checks with the C2 server whether photo upload is enabled, so the operators can switch exfiltration on per victim.
- Monitors the gallery and silently uploads new images as they appear.
- Sends images to the C2 via HTTP PUT requests, along with app info, device metadata, and UUIDs.
“The malware exfiltrates any accessible photos that have not already been uploaded… and creates a local database to keep track,” the report notes.
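The one iOS indicator the report names is the injected class itself, and Objective-C class names are stored as plain C strings in the binary's __objc_classname section, so a byte search over each Mach-O image in an unpacked .ipa is enough to spot it without disassembly. The scanner below is an added example, not Kaspersky's tooling: it walks a bundle, identifies Mach-O images by their magic, and reports any image that carries the class name, noting whether it lives inside one of the two named host frameworks. The bundle it builds in demo() is constructed for the demo, and the indicator list is deliberately limited to what the page names.

```python
"""Flag Mach-O images in an unpacked .ipa that carry the injected class name
Kaspersky ties to SparkKitty on iOS (AFImageDownloaderTool).

Added example, not Kaspersky's code. Class names live as null-terminated C
strings in __objc_classname, so a byte search per image is sufficient.
"""
import os
import shutil
import struct
import sys
import tempfile
from typing import Dict, Iterator, List

# Mach-O and fat headers as read big-endian from the first four bytes, both byte orders
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}
# Only the indicator the report names; extend as further IOCs are published.
CLASS_INDICATORS = (b"AFImageDownloaderTool",)
HOST_FRAMEWORKS = ("AFNetworking", "Alamofire")


def is_macho(path: str) -> bool:
    with open(path, "rb") as f:
        head = f.read(4)
    return len(head) == 4 and struct.unpack(">I", head)[0] in MACHO_MAGICS


def iter_machos(root: str) -> Iterator[str]:
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path) and is_macho(path):
                yield path


def scan_binary(path: str) -> Dict:
    with open(path, "rb") as f:
        data = f.read()
    # require the terminating NUL so the legitimate AFImageDownloader class is not a hit
    hits = [ind.decode() for ind in CLASS_INDICATORS if ind + b"\x00" in data]
    host = next((fw for fw in HOST_FRAMEWORKS if f"{fw}.framework" in path), None)
    return {"path": path, "indicators": hits, "host_framework": host}


def scan_bundle(root: str) -> List[Dict]:
    """Return one record per Mach-O image that carries an indicator string."""
    return [r for r in (scan_binary(p) for p in iter_machos(root)) if r["indicators"]]


def demo() -> List[Dict]:
    """Build a constructed Payload/ layout in a temp dir, scan it, and clean up."""
    root = tempfile.mkdtemp()
    try:
        app = os.path.join(root, "Payload", "Fake.app")
        fw = os.path.join(app, "Frameworks", "AFNetworking.framework")
        os.makedirs(fw)
        macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # MH_MAGIC_64, little-endian on disk
        with open(os.path.join(fw, "AFNetworking"), "wb") as f:  # trojanized framework copy
            f.write(macho64 + b"AFImageDownloader\x00AFImageDownloaderTool\x00")
        with open(os.path.join(app, "Fake"), "wb") as f:  # clean main executable
            f.write(macho64 + b"AFImageDownloader\x00UIViewController\x00")
        with open(os.path.join(app, "notes.txt"), "wb") as f:  # not Mach-O, ignored
            f.write(b"AFImageDownloaderTool\x00")
        return scan_bundle(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # usage: unzip app.ipa -d out && python scan_bundle.py out
    for rec in scan_bundle(sys.argv[1]) if len(sys.argv) > 1 else demo():
        print(rec)
```

A hit inside the main executable rather than a framework is worth the same attention: the class can be statically linked as easily as shipped in a .framework directory, which is why the scan covers every Mach-O image in the bundle and only annotates the host framework when there is one.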
SparkKitty includes an OCR module that scans images for seed phrases or other text strings linked to crypto wallets:
“Although SparkCat was capable of searching for any text within images, that campaign specifically targeted photos containing seed phrases.”
The campaign appears to target users in Southeast Asia and China, delivered via TikTok clones, crypto platforms, and even casino applications. Kaspersky's investigation linked SparkKitty to a growing web of progressive web app (PWA) scams, social media ads, and Ponzi scheme sites.
Kaspersky notes technical overlaps between SparkKitty and SparkCat:
- Shared infected Android apps.
- Reused development file paths.
- Identical frameworks and payload delivery systems.
“We believe this malware is linked to the SparkCat campaign… file paths from the attackers’ systems match what we previously observed,” the report concludes.