{"id":24204,"date":"2025-06-23T12:18:39","date_gmt":"2025-06-23T08:18:39","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=24204"},"modified":"2025-06-23T12:18:39","modified_gmt":"2025-06-23T08:18:39","slug":"ios-android-stealer-sparkkitty","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ios-android-stealer-sparkkitty\/24204\/","title":{"rendered":"Your cat pics are at risk: the threat posed by the new SparkKitty Trojan"},"content":{"rendered":"

Your snapshots are, quite literally, the keys to your private life. Your gallery holds your future plans, financial secrets, cat pictures, and sometimes even things you\u2019d never share with anyone. But how often do you truly think about protecting those images? We hope that ever since you heard about the SparkCat cross-platform stealer<\/a>, you\u2019ve been pondering it more often than usual.<\/p>\n

Now we\u2019ve discovered that Trojan\u2019s little sibling, which we\u2019ve affectionately named SparkKitty. But don\u2019t let the cute name fool you \u2014 behind it lies a spy that, like its older brother, aims to steal photos from its victims\u2019 smartphones. What makes this threat unique, and why should both Android and iPhone users prick up their ears?<\/p>\n

How SparkKitty makes its way onto devices<\/h2>\n

The stealer spreads in two ways: (i) in the wild \u2014 that is, across the untamed parts of the internet; and (ii) through official app stores like the App Store and Google Play. Let\u2019s break this down.<\/p>\n

Official app stores<\/h3>\n

In Apple\u2019s App Store, the malware was lurking inside the \u5e01<\/strong>coin<\/strong> app \u2014 designed for tracking cryptocurrency rates and trading signals. We\u2019re not sure exactly how this suspicious spy activity ended up in the app. It\u2019s possible there was a supply-chain compromise<\/a>, and the developers themselves weren\u2019t aware of SparkKitty until we notified them. But there\u2019s also a second possibility: the developers deliberately embedded the stealer into the app. Regardless, this is the second time we\u2019ve seen a Trojan sneak into the App Store, and we\u2019ve alerted Apple about it. SparkCat<\/a> was the first instance.<\/p>\n

\"Infected<\/a>

Infected application in the App Store<\/p><\/div>\n

It\u2019s a different story with Google Play: malicious apps pop up on a regular basis, and we frequently cover these threats<\/a> on Kaspersky Daily. This time, we detected malicious activity in a messaging app that includes crypto-exchange features. This is a popular app that\u2019s been installed more than 10\u00a0000 times, and was still available in the store at the time of the study. We\u2019ve contacted Google to warn them about the threat.<\/p>\n

Suspicious links in the wild<\/h3>\n

That said, the attackers have been much more creative this time in spreading the malware out in the wild. Once, during a routine review of suspicious links (we click them so you don\u2019t have to!) our experts uncovered several similar pages distributing a TikTok mod for Android. One of the main things this mod did was call additional code. \u201cThat looks suspicious\u201d, we thought. And we were right. The code contained links displayed as buttons within the app, all directing users to an online store called TikToki Mall, which sold a variety of items. Unfortunately, we couldn\u2019t determine if the store was legitimate or just a big trap \u2014 but one interesting fact stood out: TikToki Mall accepts cryptocurrency payments, and you need an invitation code to sign up and pay for any item. We didn\u2019t find any further suspicious activity at this stage, and no traces of SparkKitty or other malware.<\/p>\n

So we decided to take a different approach and see what happened when we tapped these same suspicious links from an iPhone. This led us to a page that vaguely resembled the App Store, which immediately prompted us to download the \u201cTikTok app\u201d.<\/p>\n

iOS doesn\u2019t allow users to download and run applications from third-party sources. However, Apple provides so-called provisioning profiles to every member of the Apple Developer Program. These allow installing custom applications not available in the App Store on user devices, such as beta versions or apps developed for internal corporate use. Attackers exploit these profiles to distribute apps that contain malware.<\/em><\/p><\/blockquote>\n

The installation process differed slightly from the usual procedure. Typically, in the App Store, you only need to tap Install<\/strong> once, but in this case, installing the fake TikTok required additional steps: downloading and installing a developer provisioning profile.<\/p>\n

\"Installing<\/a>

Installing an app from an unknown source on an iPhone<\/p><\/div>\n

Naturally, this version of TikTok didn\u2019t have any funny videos; it was just another store, similar to the Android version. While seemingly harmless, the iOS version requested access to the user\u2019s gallery every time it launched \u2014 and that was the catch. This led us to discover a malicious module that sent images from the infected phone\u2019s gallery, along with device information, to the attackers. We also found its traces in other Android applications. For the technical details of the story, check out our full report on Securelist<\/a>.<\/p>\n

Who\u2019s at risk?<\/h2>\n

Our data shows that this campaign primarily targets users in Southeast Asia and China. That doesn\u2019t mean, however, that other countries are beyond the reach of SparkKitty\u2019s claws. The malware has been spreading since at least early 2024, and over the past year and a half attackers have likely considered upscaling their operation to other countries and continents. There\u2019s nothing stopping them. What\u2019s more, it\u2019s not just the TikTok mod you should worry about; we\u2019ve also found malicious activity inside various gambling and adult games, and even crypto-related apps.<\/p>\n

If you think these attackers are just interested in admiring your vacation photos, think again. SparkKitty uploads each and every one of your snapshots to its command-and-control server. Those images could easily include screenshots of sensitive information like crypto wallet seed phrases, allowing these bad actors to steal your cryptocurrency.<\/p>\n

How to protect yourself from SparkKitty<\/h2>\n

This Trojan spreads in many ways, and protecting yourself from every single one is a tough challenge. While the golden rule of \u201cdownload apps from official sources only\u201d still applies, we\u2019ve found traces of this stealer in both Google Play and the App Store \u2014 places where apps are supposedly vetted and 100% safe. So what can you do about that?<\/p>\n

We recommend focusing on securing your smartphone\u2019s gallery. Naturally, the most foolproof method would be to never take photos or screenshots of sensitive information, but that\u2019s virtually impossible nowadays. There\u2019s a solution: store valuable photos in a secure vault<\/a>. With Kaspersky Password Manager<\/a>, you can only view and send protected, important photos after entering the main password, which only you know<\/a>. Note that the protected content is not confined to just one device. The password manager can sync information between smartphones and computers. This includes bank-card data, two-factor authentication tokens, and anything else you choose to store in Kaspersky Password Manager<\/a>\u00a0\u2013 including your photos.<\/p>\n

It\u2019s also crucial to check your smartphone right now for any of the infected apps we\u2019ve discovered; the extended list is available on Securelist<\/a>. For Android, Kaspersky for Android<\/a> can help with this \u2014 it\u2019ll find and remove malware for you. On iPhone, due to the closed architecture of iOS, our security solution<\/a>\u00a0can\u2019t scan for and delete previously installed infected apps, but it will prevent any attempts to send data to the attackers\u2019 servers and warn you about them.<\/p>\n

And if you opt for a Kaspersky Premium<\/a>\u00a0or Kaspersky Plus<\/a>\u00a0subscription, you get Kaspersky Password Manager<\/a>\u00a0along with your security solution.<\/p>\n

Follow our Telegram channel<\/a>\u00a0to stay up to date on the latest cyberthreats, and make sure you\u2019re storing your photos safely.<\/p>\n

Learn about other malware you need to watch out for to keep your smartphone safe:<\/p>\n