SparkKitty Malware Attacking iOS and Android Device Users to Steal Photos From Gallery
A sophisticated Trojan malware known as SparkKitty has been actively targeting iOS and Android devices since early 2024, infiltrating both official app stores and untrusted websites to steal images from users’ device galleries.
The malware has been discovered embedded in applications available on Google Play Store and Apple’s App Store, including apps like 币coin (a cryptocurrency tracker) and SOEX (a messaging platform with cryptocurrency trading features).
The SOEX app alone garnered over 10,000 downloads before its removal from Google Play, highlighting the malware’s ability to achieve widespread distribution through trusted platforms. On iOS devices, SparkKitty exploits enterprise provisioning profiles, which are designed for corporate app distribution but can be abused to sideload malicious applications outside Apple’s standard review process.
This technique allows the malware to circumvent Apple's review-based controls and reach users whom the curated App Store ecosystem might otherwise have protected.
Technical Capabilities and Execution
The malware demonstrates platform-specific execution strategies while maintaining consistent stealth capabilities across both operating systems. SparkKitty Android variants are developed using Java and Kotlin, with some versions leveraging malicious Xposed modules to inject code into trusted applications.
These variants activate upon app launch or specific user interactions, subsequently requesting storage permissions to access device images.
For iOS, SparkKitty hooks into the Objective-C runtime's automatic class loading by implementing +[AFImageDownloader load], a +load method that the runtime invokes as soon as the class is loaded, so the malicious code runs at app launch without any user interaction.
SparkKitty performs environment checks using the app’s Info.plist file before proceeding. Unlike its predecessor SparkCat, which used OCR to identify images, SparkKitty exfiltrates all accessible photos, increasing the chance of capturing wallet seed phrases, ID documents, or financial records.
The malware maintains a local database to avoid re-uploading previously stolen files, and continuously monitors gallery updates. Collected images are sent to command-and-control servers using the /api/putImages endpoint, often hosted on AWS S3 or Alibaba OSS.
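The upload endpoint and cloud-hosted C2 described above can be turned into a simple detection over outbound proxy logs. The following is an added defender-side example, not code from the report or from the malware: the log format, hostnames and sizes are constructed, and only the /api/putImages path and the S3/OSS hosting come from the write-up.

```python
"""Flag SparkKitty-style bulk image uploads in proxy logs (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed log format: "<ts> <client_ip> <method> <url> <status> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")

# Indicator from the report: images are posted to /api/putImages. The storage
# suffixes are public AWS S3 / Alibaba Cloud OSS hostname patterns.
EXFIL_PATH = "/api/putImages"
STORAGE_SUFFIXES = (".amazonaws.com", ".aliyuncs.com")

@dataclass
class Hit:
    client: str
    host: str
    bytes_out: int
    reason: str

def classify(line: str) -> Optional[Hit]:
    """Return a Hit when a line is an upload to the SparkKitty C2 endpoint."""
    m = LOG_RE.match(line)
    if not m or m["method"] not in ("POST", "PUT"):
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    host, path = u["host"].lower(), (u["path"] or "/")
    if not path.endswith(EXFIL_PATH):
        return None
    reason = "putImages endpoint"
    if host.endswith(STORAGE_SUFFIXES):  # C2 fronted by object storage
        reason += " on cloud object storage"
    return Hit(m["client"], host, int(m["bytes"]), reason)

def scan(lines: List[str]) -> Tuple[List[Hit], Dict[str, int]]:
    """Collect hits and total upload bytes per client to spot bulk gallery theft."""
    hits = [h for h in map(classify, lines) if h]
    volume: Dict[str, int] = {}
    for h in hits:
        volume[h.client] = volume.get(h.client, 0) + h.bytes_out
    return hits, volume

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-05-02T10:00:01Z 10.0.0.7 GET https://cdn.example.net/app.js 200 5120",
    "2024-05-02T10:00:05Z 10.0.0.7 POST https://photo-bkt.oss-cn-hangzhou.aliyuncs.com/api/putImages 200 1048576",
    "2024-05-02T10:00:09Z 10.0.0.7 POST https://sync.s3.amazonaws.com/api/putImages 200 2097152",
    "2024-05-02T10:00:12Z 10.0.0.9 POST https://api.example.org/api/login 200 300",
]
```

A client that repeatedly posts megabytes to this path, especially to bucket hostnames the organisation does not own, is the pattern worth alerting on; a single hit from a legitimate photo-sync app is the expected false positive to tune out.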
This campaign, believed to be an evolution of SparkCat, targets users in Southeast Asia and China. Apps trojanized include cryptocurrency tools, gambling apps, and adult entertainment platforms—indicating a strategy focused on data-rich, high-risk verticals.
Geographic Targeting and User Impact
SparkKitty's targets appear primarily located in Southeast Asia and China, where applications like modified TikTok clones are also used as carriers. This evolution in mobile malware sophistication shows that even official app stores can be compromised.
Users are advised to avoid storing sensitive screenshots in galleries and be cautious when downloading apps—especially those related to cryptocurrency or finance. SparkKitty’s ability to bypass security in both the Google Play and Apple App Store ecosystems stresses the need for improved mobile cybersecurity practices.
