Verticals Targeted: Cryptocurrency, Gambling, Adult Entertainment
Regions Targeted: Southeast Asia, China
Related Families: SparkCat
Executive Summary
SparkKitty is a Trojan targeting iOS and Android that has been distributed through both official app stores and untrusted websites. It steals images from the device gallery, apparently to capture screenshots of cryptocurrency wallet seed phrases. Active since at least February 2024, it primarily affects users in Southeast Asia and China.
Key Takeaways
- SparkKitty is distributed via legitimate app stores and malicious websites, including apps like 币coin and SOEX.
- Unlike SparkCat, which used OCR to select specific images, SparkKitty uploads every accessible gallery image, widening the range of sensitive data it can expose.
- SparkKitty utilizes Java, Kotlin, and Objective-C to execute platform-specific infection chains.
- SparkKitty passed app store review on both platforms and, on iOS, was also distributed through enterprise provisioning profiles, which allow installation outside the App Store.
What is SparkKitty?
Since at least February 2024, a Trojan named SparkKitty has been compromising iOS and Android devices through both official app stores and untrusted online sources. Likely related to the earlier SparkCat campaign, it indiscriminately exfiltrates images from the device gallery, with a suspected focus on screenshots of cryptocurrency wallet seed phrases. It primarily targets users in Southeast Asia and China, and its ability to get past app store review underscores the difficulty of securing mobile ecosystems. The campaign was documented by Kaspersky's Securelist.
SparkKitty Android variants are written in Java and Kotlin, and some are packaged as malicious Xposed modules that inject code into trusted applications. One infection chain began with SOEX, a messaging app with cryptocurrency trading features, which reached over 10,000 downloads on Google Play before it was removed. On iOS, the malware is embedded in fraudulent frameworks that mimic legitimate libraries such as AFNetworking, or is delivered via enterprise provisioning profiles, as seen with the 币coin cryptocurrency tracker. Enterprise provisioning profiles are Apple's mechanism for distributing in-house apps; abusing them lets an attacker install an app on a device without the App Store's review process.
SparkKitty's execution is platform-specific but uniformly stealthy. On iOS it relies on Objective-C runtime behaviour: the runtime invokes a class's `+load` method when the image containing that class is loaded, before `main` runs, so the malicious framework's `+[AFImageDownloader load]` implementation fires as soon as the app launches. A guard then checks that the app's Info.plist contains a specific key, preventing execution in unintended environments. Once that check passes, the malware Base64-decodes an embedded configuration and decrypts it with AES-256 in ECB mode, then reads the photo gallery and uploads images to a command-and-control (C2) server via the `/api/putImages` endpoint. Because ECB has no IV and the app must carry the key to decrypt at launch, an analyst who recovers the key from one sample can decode the configuration of others offline. Android variants activate on app launch or on specific user actions, fetch a remote configuration, and request storage permissions to reach the images.
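To make the iOS configuration-unwrapping step concrete, here is an added example (not code from the original report, from Kaspersky, or from the malware) of an analyst-side decoder that performs the Base64 decode, AES-256-ECB decrypt and padding strip described above. The key, the JSON field names and the Base64 blob are all constructed for the example; the real key and configuration layout are not given on this page, and `EncodeConfig` exists only to build the sample blob so the decoder can run offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Config is a hypothetical layout for the decrypted configuration; the real
// field names are not given on this page.
type Config struct {
	C2     string `json:"c2"`
	Upload string `json:"upload"`
}

// SampleKey stands in for a key recovered from a sample. It is constructed
// for this example and is not a real SparkKitty key (32 bytes = AES-256).
var SampleKey = []byte("0123456789abcdef0123456789abcdef")

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// ecb applies the block function to each 16-byte block independently. There is
// no IV and no chaining, which is why ECB is trivially reversible once the key
// is known and why identical plaintext blocks produce identical ciphertext.
func ecb(fn func(dst, src []byte), data []byte, bs int) []byte {
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += bs {
		fn(out[i:i+bs], data[i:i+bs])
	}
	return out
}

// DecodeConfig unwraps a blob in the order the text describes: Base64 decode,
// AES-256-ECB decrypt, strip padding, parse JSON.
func DecodeConfig(key []byte, b64 string) (*Config, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct)%bs != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	pt, err := pkcs7Unpad(ecb(block.Decrypt, ct, bs), bs)
	if err != nil {
		return nil, err
	}
	var cfg Config
	if err := json.Unmarshal(pt, &cfg); err != nil {
		return nil, fmt.Errorf("config is not JSON: %w", err)
	}
	return &cfg, nil
}

// EncodeConfig is the inverse operation, used only to build the constructed sample.
func EncodeConfig(key []byte, cfg Config) (string, error) {
	pt, _ := json.Marshal(cfg)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	return base64.StdEncoding.EncodeToString(ecb(block.Encrypt, pkcs7Pad(pt, bs), bs)), nil
}

// SampleBlob returns a constructed Base64+AES-ECB blob; the C2 host is a placeholder.
func SampleBlob() string {
	b, _ := EncodeConfig(SampleKey, Config{C2: "https://c2.example.invalid", Upload: "/api/putImages"})
	return b
}

func main() {
	cfg, err := DecodeConfig(SampleKey, SampleBlob())
	if err != nil {
		panic(err)
	}
	fmt.Printf("C2: %s  upload endpoint: %s\n", cfg.C2, cfg.Upload)
}
```

In practice the key would come from the decrypting routine in the framework rather than from a constant in your own code; a wrong key fails at the padding or JSON stage, which is the quick way to confirm whether a candidate key is right.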
Unlike SparkCat, which used optical character recognition (OCR) to pick out images of interest, SparkKitty exfiltrates every accessible photo, which raises the odds of capturing seed phrases, identity documents or financial records. It keeps a local database of images already uploaded and watches the gallery for changes so that new additions are stolen as they appear. Its payload delivery uses commodity cloud storage, including AWS S3 and Alibaba Cloud OSS, which makes the infrastructure harder to block by domain and more resilient to takedowns.
The malware has appeared in apps related to cryptocurrency, gambling and adult entertainment, including trojanized TikTok mods, which points to a deliberate focus on high-risk verticals. Its geographic targeting follows from the apps chosen, which are tailored to Southeast Asian and Chinese audiences; nothing in the code itself limits it to those regions. Users should avoid keeping seed-phrase screenshots and similar sensitive images in the gallery and should scrutinise app sources, since SparkKitty's presence on Google Play and the App Store shows that a listing on a trusted store is not by itself a guarantee of safety.
IOCs
PolySwarm has multiple samples of SparkKitty. You can use the following CLI command to search for all SparkKitty samples in our portal:
$ polyswarm link list -f SparkKitty
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.