Kaspersky researchers have found a new spy Trojan called SparkKitty that has been active since at least April 2024 on iOS and Android devices. It hides inside apps on Apple’s App Store, Google Play, and on scam websites.
Once installed, it sends photos and device data to attackers. Experts believe the goal is to steal cryptocurrency assets from people in Southeast Asia and China by scanning images for wallet keys and passwords.
Discovery and Background
The Spy Trojan was uncovered by Kaspersky security teams after they noticed unusual data traffic from testing phones.
They linked it to a string of apps claiming to offer crypto services and gambling tools. The campaign also included a fake TikTok app. Kaspersky warned both Apple and Google, and the malicious apps have now been removed.
Connection to Earlier Threats
Technical details suggest SparkKitty is tied to a previous iOS threat called SparkCat. SparkCat was the first Trojan on iPhones with an optical character recognition module.
That feature lets it scan gallery images for recovery phrases and passwords. SparkKitty builds on this work and broadens the scope to Android devices as well.
iOS Infection Method
On the App Store, SparkKitty posed as a crypto app under the name 币coin. It also spread through phishing pages that mimicked Apple’s official store.
Attackers used a corporate app distribution tool designed for enterprise testing to trick iPhone users into installing the infected TikTok.
Once the fake TikTok was opened, it stole photos from the gallery and even added links to a shady crypto store in the profile window. That store only takes cryptocurrency, raising more red flags.
Also Read: Lumma Malware Network Taken Down By Global Forces, Cutting Off Crypto Thefts
Android Infection Method
Android users faced infected apps both on Google Play and third-party sites. One such app, a messenger with a crypto exchange feature called SOEX, was downloaded over 10,000 times from the official store.
Kaspersky also found APK files on scam websites. These sites pitched the apps as investment tools. They ran ads on platforms like YouTube to lure users. After installation, the apps worked as promised while secretly sending photos and device details to the hackers.
Risk to Crypto Assets
Researchers warn that images from the phone gallery can hold key information. Screenshots often contain wallet recovery phrases or access codes.
By stealing these, attackers could drain accounts of their digital funds. The focus on crypto services and the embedded crypto-only store point to a clear goal: financial theft.
Response by Apple and Google
Kaspersky contacted both tech giants as soon as the threat was confirmed. Within days, Apple and Google removed the infected apps from their stores. Kaspersky continues to track new samples and update its antivirus definitions to catch SparkKitty variants.
Sergey Puzan, a malware analyst at Kaspersky, explained that iOS’s enterprise app tools can be abused to install harmful software outside the App Store.
Dmitry Kalinin, another expert, noted that the campaign’s emphasis on crypto hints at direct financial motives. He said users should be careful about apps offering investment services and only download from trusted sources.
Security teams expect more campaigns to follow once one proves profitable. The rise of mobile crypto apps creates an attractive target. Users should keep their phones updated, use official stores, and inspect app permissions carefully.