On the 18th, global cybersecurity leader Kaspersky announced the discovery of a new malware targeting Android and iOS smartphones called 'SparkKitty.'
This malware is characterized by sending photos and device information from infected smartphones to attackers. It has been embedded in cryptocurrency- and gambling-related apps, as well as a trojanized TikTok app, and has been distributed through the Apple App Store, Google Play, and fraudulent websites. Kaspersky noted that the purpose of this attack is to steal cryptocurrency assets from residents of Southeast Asia and China.
This new malware campaign appears to be connected to the previously discovered malware 'SparkCat,' which bypassed Apple App Store security. SparkCat is one of the first malware samples of its kind detected on iOS; it has a built-in optical character recognition (OCR) module that scans image galleries for screenshots containing cryptocurrency wallet recovery phrases or passwords. Kaspersky analysts first discovered SparkCat and, less than a year later, found the trojan-type information-stealing malware SparkKitty in the App Store.
In the App Store, SparkKitty was disguised as a cryptocurrency-related app ('币coin'). Additionally, on phishing pages mimicking the official iPhone App Store, the malware was disguised as TikTok and gambling apps for distribution.
Sergei Pozhan, a Kaspersky malware analyst, said, "One of the trojan distribution vectors was a fake website aimed at infecting victims' iPhones," adding, "There are several legitimate pathways for installing programs outside of the app store on iOS." He further noted, "In this malicious campaign, attackers utilized specialized developer tools for enterprise app distribution, which is one of those pathways," and added, "In the infected TikTok version, in addition to stealing photos from the smartphone gallery when users log in, fake shopping mall links were inserted into users' profile windows. This shopping mall only accepts cryptocurrency payments, raising further suspicions."
Attackers also targeted users on third-party websites and Google Play. In particular, they tended to distribute malware disguised as cryptocurrency services. For example, the messenger app 'SOEX,' which includes cryptocurrency trading features, has been downloaded over 10,000 times from the official Google Play store.
Kaspersky experts have also identified APK files of infected apps that appear to belong to this malware campaign; these can be installed directly on Android devices, bypassing official stores. Most of these APKs are packaged as cryptocurrency investment projects and were available for download on websites promoted through social media such as YouTube.
Dmitry Kalinin, a Kaspersky malware expert, remarked, "These apps appeared to function as described after installation. However, at the same time, photos were transmitted to attackers from the smartphone gallery," adding, "Cyber attackers could attempt to extract sensitive data such as cryptocurrency wallet recovery phrases from the images later." He continued, "There are also indirect indications that the attackers have an interest in digital assets," noting, "Most of the infected apps were related to cryptocurrency, and the trojanized TikTok app also featured a built-in shopping mall that only accepted cryptocurrency payments."
Lee Hyo-eun, head of Kaspersky's Korea branch, said, "The discovery of SparkKitty serves as a reminder of the sophisticated tactics used by cybercriminals as the cybersecurity threat landscape is rapidly evolving globally, including in Korea," and added, "This new trojan spy targets both iOS and Android smartphones, requiring users to be particularly cautious when using popular platforms like cryptocurrency and gambling apps, and TikTok."