Security researchers have discovered a spyware campaign dubbed SparkKitty that targets the official Android and iOS app stores with fake apps that steal images from users’ devices and scan them to extract crypto wallet details.
The campaign, discovered by security researchers at Kaspersky, has been active since at least February 2024 and primarily targets users in Southeast Asia and China. It also resembles another campaign, discovered in January 2025, called SparkCat. Both campaigns revolve around distributing fake apps that request access to the device’s gallery and then scan the images with an optical character recognition (OCR) model to find and extract images of interest.
As mentioned before, the malicious apps exist on both the Google Play Store and Apple’s App Store, as well as on external, third-party app stores that let users sideload individual app packages. Kaspersky has discovered multiple cryptocurrency and casino apps that are designed to steal images and send them to a command-and-control server. The researchers also found a messaging app with crypto-related features that had more than 10,000 downloads on the Google Play Store.

Since Apple doesn’t allow sideloading apps, the hackers used an enterprise profile that allows organisations to push apps to iPhones without uploading them to the App Store. The threat actors also used a provisioning profile available via the Apple developer program to deploy certificates that trust the app once loaded.
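For defenders triaging an iOS app package, the distribution route described above is visible in the app's provisioning profile. The following is an added example, not code from Kaspersky or from this article: it assumes the bytes come from an app's embedded.mobileprovision file, uses Apple's standard profile keys, and runs on a constructed sample with a made-up team name and ID.

```python
import plistlib
from datetime import datetime

def extract_profile(blob: bytes) -> dict:
    """Pull the XML plist out of the CMS wrapper (signature is NOT verified here)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start == -1 or end < start:
        raise ValueError("no provisioning plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def distribution_type(profile: dict) -> str:
    """Classify the profile by the keys Apple sets for each distribution route."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"        # in-house profile: installs on any device
    if profile.get("ProvisionedDevices"):
        debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debuggable else "ad-hoc"
    return "app-store"             # no device list and no all-devices flag

def triage(blob: bytes) -> dict:
    """Summarise what an analyst needs to decide whether to escalate."""
    p = extract_profile(blob)
    kind = distribution_type(p)
    return {
        "type": kind,
        "team": p.get("TeamName"),
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        "expires": p.get("ExpirationDate"),
        "review": kind != "app-store",  # anything outside the store route gets a look
    }

# Constructed sample: fake wrapper bytes around a profile with placeholder values.
_CONSTRUCTED = {
    "Name": "Example In-House Profile",
    "TeamName": "Example Org (constructed)",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2026, 1, 1),
    "Entitlements": {"get-task-allow": False},
}
SAMPLE = b"\x30\x82\x0f\x00" + plistlib.dumps(_CONSTRUCTED) + b"\x00constructed-signature"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An enterprise result on a consumer-facing crypto or casino app is the signal worth escalating, since in-house profiles are meant for an organisation's own staff.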
Both Apple and Google have been alerted to the campaign, and the latter has already started removing apps from its store. However, plenty of other fake websites and unofficial sources are still distributing these malicious apps across the internet. The Android apps are also coded in both Java and Kotlin, ensuring maximum compatibility with as many devices as possible. The Kotlin version is also a malicious Xposed module.