231/68 Thursday, June 26, 2025

Cybersecurity firm Kaspersky has identified a new strain of spyware called SparkKitty, discovered hiding in applications on both the Apple App Store and Google Play Store. The spyware’s primary objective is to steal all images from a victim’s phone—specifically looking for pictures containing cryptocurrency-related information, such as wallet recovery phrases, by using OCR (Optical Character Recognition) to extract readable text from images. Active since early 2024, SparkKitty has mainly targeted users in Southeast Asia and China.
The hackers behind SparkKitty have embedded the spyware in fake versions of popular apps, including a counterfeit TikTok app named “TikToki Mall”, which features an online store accepting crypto payments and requires an invitation code for access. On iOS, the attackers use Enterprise Provisioning Profiles via Apple’s developer program to bypass App Store vetting. On Android, the malicious code was embedded in crypto-related and gambling apps—some of which exceeded 10,000 downloads before removal. The spyware uses modified open-source libraries like AFNetworking and Alamofire, disguised under names like libswiftDarwin.dylib to evade detection.
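A defender-side triage of a sideloaded IPA for the two iOS traits described above (an enterprise provisioning profile and a bundled library named libswiftDarwin.dylib), as an added example that is not from Kaspersky or the original report. It assumes the standard IPA layout; the sample archive, team name and the `triage_ipa` helper are constructed here, and a library-name match is only a lead because the genuine Swift runtime uses the same filename.

```python
import io
import plistlib
import re
import zipfile

PROFILE_RE = re.compile(r"^Payload/[^/]+\.app/embedded\.mobileprovision$")
# Library name reported on the page; the genuine Swift runtime also ships a file
# with this name, so a hit is a lead for hash/signature review, not a verdict.
WATCHED_LIBS = {"libswiftDarwin.dylib"}


def read_profile(blob):
    """Extract the XML plist embedded in the CMS-signed .mobileprovision blob."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        return None
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def triage_ipa(ipa_bytes):
    """Return profile and library findings for an IPA supplied as bytes."""
    findings = {"enterprise_profile": False, "team": None, "watched_libs": []}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            if PROFILE_RE.match(name):
                profile = read_profile(ipa.read(name)) or {}
                # In-house (enterprise) profiles set ProvisionsAllDevices = true
                findings["enterprise_profile"] = bool(profile.get("ProvisionsAllDevices"))
                findings["team"] = profile.get("TeamName")
            elif name.rsplit("/", 1)[-1] in WATCHED_LIBS:
                findings["watched_libs"].append(name)
    return findings


def build_sample_ipa(enterprise):
    """Constructed sample IPA (not a real app) for an offline demonstration."""
    body = {"TeamName": "Example Org (constructed)", "Name": "sample"}
    if enterprise:
        body["ProvisionsAllDevices"] = True
    blob = b"\x30\x82CMS-HEADER" + plistlib.dumps(body) + b"CMS-SIGNATURE"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/embedded.mobileprovision", blob)
        z.writestr("Payload/Sample.app/Frameworks/libswiftDarwin.dylib", b"\xcf\xfa\xed\xfe")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ipa(build_sample_ipa(enterprise=True)))
```

App Store builds carry no embedded.mobileprovision, so an enterprise profile inside an app offered to the general public is the stronger of the two signals.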
Kaspersky also linked SparkKitty to a previous spyware campaign known as SparkCat, first reported in January 2025. Like SparkKitty, SparkCat was distributed through both official app stores and less trustworthy sources, with a clear focus on stealing digital financial data. Both campaigns used similar lures, such as fake adult games or gambling apps, to trick users into installation.
Experts warn that even apps from official stores may carry risks. Users are advised to be especially cautious when granting permissions to access photos, and to thoroughly verify app sources before installing—especially when crypto-related data may be at stake.
Source: https://hackread.com/sparkkitty-spyware-app-store-play-store-steals-photos-crypto/