Kaspersky has uncovered a spyware campaign targeting Android and iOS users via official and unofficial app stores to steal images from their devices, potentially looking for cryptocurrency information.
Dubbed SparkKitty, the campaign has been ongoing since early 2024 through applications injected with frameworks/SDKs, primarily targeting users in Southeast Asia and China.
The malicious code, discovered in applications posing as TikTok mods for both Android and iOS, attempts to steal all of the victim’s images, but appears linked to a previous campaign that relied on optical character recognition (OCR) to extract cryptocurrency wallet information from screenshots.
To ensure the nefarious apps would run on iOS devices, the malware developers relied on a provisioning profile available through Apple’s Developer Program to deploy, on victims’ iPhones, certificates that the device would trust.
The attackers used an Enterprise profile, which allows organizations to push apps to user devices without publishing them to Apple’s App Store, and a modified version of the AFNetworking open source library, which provides support for networking operations.
Looking for an Android counterpart, Kaspersky discovered multiple cryptocurrency and casino apps designed to steal images from the device’s gallery and send them, along with device information, to a command-and-control (C&C) server.
Digging deeper, the cybersecurity firm discovered that a messaging app with crypto exchange capabilities that had over 10,000 downloads in Google Play contained the malicious payload. The application has been removed from the official store.
Another infected Android app, distributed through unofficial sources, has an iOS counterpart that sneaked into the App Store. In both cases, the code was part of the application, and not of a third-party SDK.
Kaspersky also discovered various web pages distributing scam iOS apps in the PWA format, which resembled the pages offering the malicious TikTok apps, and which were related to various scams and Ponzi schemes.
Some of these PWA-containing pages also distributed Android applications that would request access to read the device storage and then use OCR to steal any image in which it detected a word of at least three letters.
According to Kaspersky, not only are these two clusters of malicious activity connected, but they also appear linked to SparkCat, a piece of spyware that relied on OCR to steal, from a device’s gallery, images containing information related to cryptocurrency wallets.
Like SparkKitty, the SparkCat campaign relied on applications distributed through both official and unofficial application marketplaces.