Profile installation flow | Image: Kaspersky
Kaspersky Labs has uncovered a stealthy evolution of mobile spyware connected to the infamous SparkCat campaign. Dubbed SparkKitty, this new malware variant is engineered to silently infiltrate Android and iOS devices, exfiltrating sensitive images, including cryptocurrency seed phrases, using advanced image recognition tools embedded in seemingly harmless apps.
"The threat actor distributed apps containing a malicious SDK/framework… that would wait for a user to open a specific screen (typically a support chat), then request access to the device's gallery," Kaspersky explained.
The campaign leverages Trojanized TikTok mods, shady crypto platforms, and even casino apps to propagate itself. One infected iOS app, disguised as a TikTok mod, used Apple’s Enterprise Provisioning Profiles to bypass App Store restrictions and trick users into installing malicious software:
"Visiting the website on an iPhone triggers a series of redirects… ultimately landing the user on a page that crudely mimics the App Store," Kaspersky explains.
This fake TikTok app requested access to the user's photo gallery on every launch, an oddity that tipped off researchers to dig deeper.
SparkKitty abuses AFNetworking.framework or Alamofire.framework, popular open-source networking libraries, by injecting a malicious class, AFImageDownloaderTool, into the framework. This class contains the malicious payload, which runs automatically because it is placed in the class's Objective-C +load method, a hook the runtime invokes as soon as the class is loaded into the process, before any app code runs.
Once active, it executes a multistep attack:
- Decrypts payload from the app's configuration using AES-256.
- Contacts C2 servers to obtain photo upload permission.
- Monitors the gallery and silently uploads new images.
- Sends images to C2 via PUT requests, along with app info, device metadata, and UUIDs.
"The malware exfiltrates any accessible photos that have not already been uploaded… and creates a local database to keep track," the report notes.
SparkKitty includes an OCR module that scans images for seed phrases or other text strings linked to crypto wallets:
"Although SparkCat was capable of searching for any text within images, that campaign specifically targeted photos containing seed phrases."
The campaign appears to target users in Southeast Asia and China, delivered via TikTok clones, crypto platforms, and other applications. Kaspersky's investigation linked SparkKitty to a growing web of progressive web app (PWA) scams, social media ads, and Ponzi scheme sites.
Kaspersky notes technical overlaps between SparkKitty and SparkCat:
- Shared infected Android apps.
- Reused development file paths.
- Identical frameworks and payload delivery systems.
"We believe this malware is linked to the SparkCat campaign… file paths from the attackers' systems match what we previously observed," the report concludes.