Analysis Summary

SparkKitty is a highly sophisticated Trojan malware that has been actively targeting iOS and Android devices since early 2024. Believed to be the successor to the SparkCat operation, SparkKitty primarily exfiltrates images from users’ device galleries, with a strong focus on harvesting sensitive visual data like cryptocurrency wallet seed phrases and personal identification documents. What makes SparkKitty particularly dangerous is its infiltration through both official app stores and untrusted websites, successfully embedding itself in legitimate-looking applications such as "币coin" (a cryptocurrency tracker) and "SOEX" (a messaging and trading platform). The SOEX app alone had over 10,000 downloads before being removed, showing the malware’s ability to reach a wide user base through seemingly trusted channels.

On Android, SparkKitty is developed in Java and Kotlin and sometimes utilizes malicious Xposed modules to inject code into trusted apps. These Android variants request storage permissions upon launch or user interaction to access image data. In contrast, the iOS version exploits enterprise provisioning profiles typically used for corporate distribution — to sideload malicious apps, bypassing Apple's App Store review process. SparkKitty employs platform-specific execution strategies but maintains stealth across both operating systems. It activates automatically on iOS via Objective-C’s +[AFImageDownloader load] method and checks configuration keys in the app’s Info.plist file to ensure it's running in the right environment before executing its payload.

Unlike SparkCat, which selectively targeted images using OCR, SparkKitty takes a more aggressive and indiscriminate approach. It uploads all accessible images from the gallery, using cloud infrastructure such as AWS S3 and Alibaba OSS for both payload delivery and exfiltration. The malware also maintains a local database to track which images have been uploaded and monitors for new additions, allowing it to continuously steal content. All stolen data is sent to a command-and-control endpoint at ‘/api/putImages’, enhancing the attack’s persistence and effectiveness.

SparkKitty’s ability to bypass both Google and Apple’s security vetting highlights a major security gap in mobile ecosystems. The campaign’s scale, stealth, and targeting sophistication demand heightened user vigilance, especially when installing apps related to finance. Users should avoid storing sensitive screenshots in device galleries and stay informed about emerging mobile threats.

Impact

• Sensitive Data Theft
• Security Bypass
• Crypto Theft
• Gain Access

Indicators of Compromise

MD5

• b4489cb4fac743246f29abf7f605dd15

• 3734e845657c37ee849618e2b4476bf4

• fa0e99bac48bc60aa0ae82bc0fd1698d

• 5e15b25f07020a5314f0068b474fff3d

• d851b19b5b587f202795e10b72ced6e1

SHA-256

• 21879ce5a61e47e5c968004d4eebd24505e29056139cebc3fe1c5dd80c6f184f
• 381570757ecd56c99434ff799b90c2513227035c98d2b9602ae0bb8d210cac4c
• 1d2e41beb37e9502d1b81775a53a6e498842daed93fe19cdcd4cbd2a7228d12d
• 17b71715aba2d00c6791b6c72d275af4fc63d56870abe6035ba70eac03b2e810
• 7ffb912d9c120e97d3b052b576d15d4ccdb28e3b017cdd26695465fed4348d1e

SHA1

• ca064a024a4fa8b5b2f778b0d42f011de04262b9

• d52368452b9ea9886ebb2ce6bb6d75e99606ac65

• 12dbe8dc2e22c640dc005f07ed935b3d782c9fc1

• e18396ecf65969c23bc03911762bcca1553bbadf

• 7ba8582b0e00188414f6ad0b1fdb6d9d5d85cf18

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Avoid downloading apps from unofficial sources or third-party websites.
• Carefully review app permissions before installing especially apps requesting access to storage or gallery.
• Regularly audit and uninstall unused or suspicious applications, even if they were downloaded from official stores.
• Refrain from storing sensitive information (e.g., crypto wallet seed phrases, personal IDs) as images in your device gallery.
• Use reputable mobile antivirus or security solutions that can detect trojanized apps.
• Keep your mobile operating system and all apps updated with the latest security patches.
• For iOS users, disable the ability to trust enterprise provisioning profiles unless absolutely necessary.
• Monitor data usage to detect abnormal upload behavior that may signal exfiltration.
• Report suspicious apps to the respective app stores to aid in quicker takedown.