a cat with mobile screens behind one have apple another have android phone

Cybersecurity researchers have identified a sophisticated spyware campaign named SparkKitty, which has successfully infiltrated both Apple’s App Store and Google Play Store. This marks a significant escalation in mobile malware distribution through official channels, building on the previously discovered SparkCat campaign while expanding its reach across both major mobile platforms.

SparkKitty employs versatile attack vectors, spreading through official app stores, unofficial sources, and modified applications. Active since at least February 2024, the campaign aims to compromise mobile users globally, particularly in Southeast Asia and China, by targeting applications like Chinese gambling games, TikTok modifications, and adult-oriented apps.

a cat with mobile screens behind one have apple another have android phonea cat with mobile screens behind one have apple another have android phone

Technical Implementation and Objectives


On iOS devices, the malware delivers its payload through frameworks that mimic legitimate networking libraries, such as AFNetworking and Alamofire, while using obfuscated libraries disguised as system components. The Android variant operates through Java and Kotlin implementations, with some versions functioning as malicious Xposed modules.

The primary goal of SparkKitty is to steal photographs from infected devices, particularly images containing cryptocurrency wallet seed phrases. Unlike its predecessor, SparkCat, which used optical character recognition to target specific content, SparkKitty indiscriminately collects all accessible images from device galleries, suggesting a broader strategy to capture valuable financial information.

a cat with mobile screens behind one have apple another have android phonea cat with mobile screens behind one have apple another have android phone

Persistence Mechanisms


The technical sophistication of SparkKitty is evident in its implementation. On iOS, it leverages Objective-C’s automatic class loading mechanism to execute malicious code when applications launch. The malware verifies its environment by checking a specific key in the application’s Info.plist file before activating its payload.

Once verified, SparkKitty retrieves and decrypts a Base64-encoded configuration using AES-256 encryption, which contains command and control server addresses for exfiltration. The malware establishes communication with its C2 infrastructure to receive authorization codes before systematically accessing the device’s photo gallery and uploading stolen images.