Severity
High
Analysis Summary
SparkKitty is a highly sophisticated Trojan malware that has been actively targeting iOS and Android devices since early 2024. Believed to be the successor to the SparkCat operation, SparkKitty primarily exfiltrates images from users’ device galleries, with a strong focus on harvesting sensitive visual data like cryptocurrency wallet seed phrases and personal identification documents. What makes SparkKitty particularly dangerous is its infiltration through both official app stores and untrusted websites, successfully embedding itself in legitimate-looking applications such as "币coin" (a cryptocurrency tracker) and "SOEX" (a messaging and trading platform). The SOEX app alone had over 10,000 downloads before being removed, showing the malware’s ability to reach a wide user base through seemingly trusted channels.
On Android, SparkKitty is written in Java and Kotlin and sometimes uses malicious Xposed modules to inject code into trusted apps. These Android variants request storage permissions at launch or on user interaction in order to reach image data. The iOS version instead abuses enterprise provisioning profiles, which are normally used for in-house corporate distribution, to sideload malicious apps and bypass Apple's App Store review. SparkKitty uses platform-specific execution strategies but stays stealthy on both operating systems. On iOS it starts automatically from the Objective-C +[AFImageDownloader load] method, which the runtime invokes when the class is loaded, and checks configuration keys in the app's Info.plist to confirm it is running in the intended environment before executing its payload.
Unlike SparkCat, which used OCR to select specific images, SparkKitty takes an aggressive, indiscriminate approach: it uploads every accessible image in the gallery, using cloud infrastructure such as AWS S3 and Alibaba OSS for both payload delivery and exfiltration. The malware keeps a local database of which images have already been uploaded and watches for new additions, so it steals content continuously. Stolen data is sent to a command-and-control endpoint at ‘/api/putImages’, which gives the campaign its persistence and effectiveness.
SparkKitty’s ability to slip past both Google’s and Apple’s security vetting highlights a major gap in mobile ecosystems. The campaign’s scale, stealth, and targeting demand heightened user vigilance, especially when installing finance-related apps. Users should avoid keeping sensitive screenshots in the device gallery and stay informed about emerging mobile threats.
Impact
- Sensitive Data Theft
- Security Bypass
- Crypto Theft
- Gain Access
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Avoid downloading apps from unofficial sources or third-party websites.
- Carefully review app permissions before installing, especially for apps requesting access to storage or the photo gallery.
- Regularly audit and uninstall unused or suspicious applications, even if they were downloaded from official stores.
- Refrain from storing sensitive information (e.g., crypto wallet seed phrases, personal IDs) as images in your device gallery.
- Use reputable mobile antivirus or security solutions that can detect trojanized apps.
- Keep your mobile operating system and all apps updated with the latest security patches.
- For iOS users, do not trust enterprise provisioning profiles unless absolutely necessary, and remove any that are not required.
- Monitor data usage to detect abnormal upload behavior that may signal exfiltration.
- Report suspicious apps to the respective app stores to aid in quicker takedown.
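The analysis above names the ‘/api/putImages’ C2 endpoint and the bulk image uploads to cloud storage, and the remediation list asks defenders to watch for abnormal upload behavior. The following detector, an added example that is not part of the advisory, runs both checks over constructed egress-proxy records; the log format, field names, hosts and thresholds are assumptions.

```python
"""Flag egress-proxy records matching SparkKitty-style image exfiltration.

Added example, not from the advisory. Two checks: a POST to the
``/api/putImages`` path named in the analysis, and a burst of image
uploads from one client (the "abnormal upload behavior" in the remediation).
Log format, hosts, client addresses and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample records: "<ISO time> <client> <method> <url> <content-type> <bytes>"
SAMPLE_LOG = """\
2025-07-11T09:00:01Z 10.0.0.21 GET https://cdn.example.invalid/app.js application/javascript 4211
2025-07-11T09:00:05Z 10.0.0.42 POST https://bucket.oss-example.invalid/u1/1.jpg image/jpeg 812345
2025-07-11T09:00:06Z 10.0.0.42 POST https://bucket.oss-example.invalid/u1/2.jpg image/jpeg 790112
2025-07-11T09:00:07Z 10.0.0.42 POST https://bucket.oss-example.invalid/u1/3.jpg image/png 655001
2025-07-11T09:00:09Z 10.0.0.42 POST https://c2.example.invalid/api/putImages application/json 1203
2025-07-11T09:00:20Z 10.0.0.21 POST https://mail.example.invalid/send application/json 2048
"""


def parse(line):
    """Split one space-separated record into typed fields."""
    ts, client, method, url, ctype, size = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "method": method, "url": url,
            "ctype": ctype, "size": int(size)}


def detect(log_text, burst_count=3, window=timedelta(seconds=60)):
    """Return (rule, client, detail) alerts for C2 path hits and upload bursts."""
    alerts = []
    uploads = defaultdict(list)           # client -> timestamps of image POSTs
    for rec in map(parse, log_text.splitlines()):
        path = urlsplit(rec["url"]).path
        if rec["method"] == "POST" and path == "/api/putImages":
            alerts.append(("c2_endpoint", rec["client"], rec["url"]))
        if rec["method"] == "POST" and rec["ctype"].startswith("image/"):
            uploads[rec["client"]].append(rec["ts"])
    for client, times in uploads.items():
        times.sort()
        # Sliding window: any burst_count image POSTs inside `window` fires once.
        for i in range(len(times) - burst_count + 1):
            if times[i + burst_count - 1] - times[i] <= window:
                alerts.append(("image_upload_burst", client,
                               f"{burst_count}+ image POSTs within {window.seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Tune `burst_count` and `window` to the normal photo-sync volume of the fleet, since legitimate cloud backup also uploads images in bursts.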