Bitcoin, Ether, Solana and XRP wallet users, take note: this Trojan is after your seed phrases

A new mobile spyware strain, called SparkKitty, has infiltrated Apple's App Store and Google Play, posing as themed and modded apps in order to stealthily harvest images of seed phrases and wallet credentials.
The malware appears to be a successor to SparkCat, a campaign first uncovered in early 2025 that used fake chat-support modules to silently access user galleries and exfiltrate sensitive screenshots.
SparkKitty takes the same approach several steps further, Kaspersky researchers said in a post on Monday.
Unlike SparkCat, which was usually spread through unofficial Android packages, SparkKitty has been confirmed within multiple iOS and Android apps available through the official stores, including a messaging app with crypto-exchange features (more than 10,000 Google Play installations) and an iOS app called “币 coin,” disguised as a portfolio tracker.

At the core of the iOS variant is a weaponized version of the AFNetworking or Alamofire networking library, into which the attackers embedded a custom auto-run class that executes when the app launches, using Objective-C's +load selector.
On launch, it evaluates a hidden configuration value, retrieves a command-and-control (C2) address, then scans the user's gallery and begins uploading images. The C2 address tells the malware what to do, such as when to steal data or send files, and receives the stolen information.
The Android variant uses modified Java libraries to achieve the same goal. OCR is applied via Google ML Kit to parse the images; if a seed phrase or private key is detected, the file is flagged and sent to the attackers.
Installation on iOS is done through enterprise provisioning profiles, a mechanism intended for internal business apps that is often abused to distribute malware.

Victims are tricked into manually trusting a developer certificate linked to “Sinopec Sabic Tianjin Petrochemical Co. Ltd.,” which grants SparkKitty its permissions.
Many of the C2 addresses were stored in AES-256-encrypted configuration files hosted on obfuscated servers.
Once decrypted, they point to payload fetchers and endpoints such as /API/Putimages and /API/GetimageStatus, through which the app determines whether to ship photos now or delay.
Kaspersky researchers also found other versions of the malware using a spoofed OpenSSL library (libcrypto.dylib) with obfuscated initialization logic, indicating an evolving toolset and multiple distribution vectors.
While most of the apps appear to have targeted users in China and Southeast Asia, nothing in the malware limits its scope to those regions.
Apple and Google have removed the apps in question following the disclosure, but the campaign has likely been active since early 2024 and may still be ongoing through sideloaded and clone stores, researchers warned.
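For defenders, the two C2 endpoint paths named above are the most directly actionable indicators in the report: a network-egress or proxy log can be swept for them. The script below is an added illustration written for this article, not Kaspersky's or the malware's own code. It assumes a constructed log format (timestamp, client IP, method, URL, HTTP status, request-body bytes), placeholder hostnames and addresses, and normalises path casing before comparing because the casing of the paths as printed in the article may not match the wire form exactly; it also refuses to match near-miss paths that merely share a prefix.

```python
"""Sweep proxy/egress logs for SparkKitty-style C2 endpoint paths.

Added example for this article; not Kaspersky's or the malware's code.
The indicator paths come from the article (casing normalised); the log
format, hostnames, addresses and sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Endpoint paths reported in the article, lower-cased for comparison.
SPARKKITTY_C2_PATHS = {
    "/api/putimages",
    "/api/getimagestatus",
}

# Constructed log format:
# "<timestamp> <client_ip> <method> <url> <status> <request_body_bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<req_bytes>\d+)$"
)

# Constructed sample lines; hosts and IPs are placeholders, not real IoCs.
SAMPLE_LOG = """\
2025-06-23T10:01:02Z 10.0.0.21 GET https://cdn.example.net/assets/app.js 200 0
2025-06-23T10:01:05Z 10.0.0.34 POST https://c2-placeholder.example/api/putImages?sid=1 200 184233
2025-06-23T10:01:09Z 10.0.0.34 GET https://c2-placeholder.example/API/GetImageStatus 200 0
2025-06-23T10:02:11Z 10.0.0.50 GET https://docs.example.org/api/putimages-howto 200 0
2025-06-23T10:02:40Z 10.0.0.34 POST https://c2-placeholder.example/api/putImages 200 201990
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path          # query string is dropped before matching
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def is_c2_path(path):
    """Exact, case-insensitive match on the whole path (no prefix matching)."""
    return path.lower() in SPARKKITTY_C2_PATHS


def find_c2_hits(log_text):
    """Return every parsed record whose URL path is a known C2 endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_c2_path(rec["path"]):
            hits.append(rec)
    return hits


def summarise_by_client(hits):
    """Per-client view: request count, contacted hosts and bytes POSTed to putImages.

    Upload volume is the useful triage signal, since the endpoint is where
    gallery images are shipped.
    """
    summary = {}
    for h in hits:
        s = summary.setdefault(
            h["client"], {"requests": 0, "upload_bytes": 0, "hosts": set()}
        )
        s["requests"] += 1
        s["hosts"].add(h["host"])
        if h["path"].lower() == "/api/putimages" and h["method"] == "POST":
            s["upload_bytes"] += h["req_bytes"]
    return summary


if __name__ == "__main__":
    for client, s in summarise_by_client(find_c2_hits(SAMPLE_LOG)).items():
        print(f"{client}: {s['requests']} C2 requests, "
              f"{s['upload_bytes']} bytes uploaded, hosts={sorted(s['hosts'])}")
```

Run as-is, the script flags only the 10.0.0.34 client (three requests, roughly 386 KB uploaded) and ignores the documentation URL whose path merely begins with the indicator. In a real deployment, feed it the organisation's own proxy export and treat any hit from a mobile device as a candidate for the provisioning-profile and developer-certificate checks described in the article.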