A new strain of mobile spyware, dubbed SparkKitty, has infiltrated Apple’s App Store and Google Play, posing as crypto-themed and modded apps to stealthily extract images of seed phrases and wallet credentials.
The malware appears to be a successor to SparkCat, a campaign first uncovered in early 2025, which used fake support chat modules to silently access user galleries and exfiltrate sensitive screenshots.
SparkKitty takes the same strategy several steps further, Kaspersky researchers said in a Monday post.
Unlike SparkCat, which mostly spreads through unofficial Android packages, SparkKitty has been confirmed inside multiple iOS and Android apps available through official stores, including a messaging app with crypto exchange features (with over 10,000 installs on Google Play) and an iOS app called “币coin,” disguised as a portfolio tracker.
At the core of the iOS variant is a weaponized version of the AFNetworking or Alamofire framework, where attackers embedded a custom class that auto-runs on app launch using Objective-C’s +load selector.
On startup, it checks a hidden configuration value, fetches a command-and-control (C2) address, and scans the user’s gallery and begins uploading images. A C2 address instructs the malware on what to do, such as when to steal data or send files, and receives the stolen information back.
The Android variant utilizes modified Java libraries to achieve the same goal. OCR is applied via Google ML Kit to parse images. If a seed phrase or private key is detected, the file is flagged and sent to the attacker’s servers.
Installation on iOS is done through enterprise provisioning profiles, or a method meant for internal enterprise apps but often exploited for malware.
Victims are tricked into manually trusting a developer certificate linked to “SINOPEC SABIC Tianjin Petrochemical Co. Ltd.,” giving SparkKitty system-level permissions.
Several C2 addresses used AES-256 encrypted configuration files hosted on obfuscated servers.
Once decrypted, they point to payload fetchers and endpoints, such as/api/putImages and /api/getImageStatus, where the app determines whether to upload or delay photo transmissions.
Kaspersky researchers discovered other versions of the malware utilizing a spoofed OpenSSL library (libcrypto.dylib) with obfuscated initialization logic, indicating an evolving toolset and multiple distribution vectors.
While most apps appear to be targeted at users in China and Southeast Asia, nothing about the malware limits its regional scope.
Apple and Google have taken down the apps in question following disclosure, but the campaign has likely been active since early 2024 and may still be ongoing through side loaded variants and clone stores, researchers warned.
