A new mobile spyware strain, called SparkKitty, has infiltrated the Apple App Store and Google Play, spreading through crypto-related and modified applications to steal images of seed phrases and wallet credentials.
The malware appears to be a successor to SparkCat, a campaign first discovered in early 2025 that used fake support-chat modules to silently access users' galleries and exfiltrate sensitive screenshots.
SparkKitty takes the same strategy several steps further, Kaspersky's researchers said in a Monday post.
Unlike SparkCat, which spread mainly through unofficial Android packages, SparkKitty has been confirmed in multiple iOS and Android applications available through the official stores, including a messaging app with crypto-exchange features (with more than 10,000 installs on Google Play) and an iOS portfolio app called "币 币 币 币".
At the core of the iOS variant is a weaponized build of the AFNetworking or Alamofire framework, into which the attackers inserted a custom class that runs automatically at app launch via the Objective-C +load selector.
On startup it checks a hidden configuration value, fetches a command-and-control (C2) address, scans the user's gallery and begins uploading images. The C2 server tells the malware what to do, such as stealing data or sending files, and receives the stolen information.
The Android variant uses modified Java libraries to achieve the same goal. OCR is applied through Google ML Kit to analyze the images; if a seed phrase or private key is detected, the file is flagged and sent to the attackers' servers.
On iOS, installation is done through enterprise provisioning profiles, a mechanism intended for internal corporate apps that is often abused to distribute malware.
Victims are tricked into manually trusting a developer certificate linked to "Sinopec Sabic Tianjin Petrochemical Co. Ltd.", granting SparkKitty system-level permissions.
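A defender-side check for the enterprise-profile abuse described above, added here as an example and not code from Kaspersky or the article: it pulls the plist out of an iOS `.mobileprovision` blob and flags in-house (`ProvisionsAllDevices`) profiles whose team is not on an assumed allowlist. The profile bytes, the team name and the `TRUSTED_TEAMS` set are constructed placeholders.

```python
import plistlib
import re
from datetime import datetime, timezone

# Constructed sample: the XML plist payload of an enterprise profile, wrapped in
# junk bytes standing in for the CMS/DER signature envelope (placeholder data).
SAMPLE_PROFILE = b"\x30\x82\x01\x00\x06\x09\x2a\x86" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Example In-House Profile</string>
  <key>TeamName</key><string>Example Petrochemical Co. Ltd. (placeholder)</string>
  <key>TeamIdentifier</key><array><string>PLACEHOLDER1</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2027-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>PLACEHOLDER1.com.example.wallet</string>
  </dict>
</dict>
</plist>""" + b"\x00\x01\x02"

# Assumed allowlist of enterprise teams your fleet is expected to trust.
TRUSTED_TEAMS = {"Acme Corp IT"}


def extract_plist(blob: bytes) -> dict:
    """Locate and parse the XML plist embedded in a CMS-signed .mobileprovision."""
    match = re.search(rb"<\?xml.*?</plist>", blob, re.DOTALL)
    if not match:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(match.group(0))


def assess_profile(blob: bytes, trusted_teams=TRUSTED_TEAMS) -> dict:
    """Flag in-house profiles from teams not on the allowlist, and expired ones."""
    profile = extract_plist(blob)
    team = profile.get("TeamName", "")
    enterprise = bool(profile.get("ProvisionsAllDevices", False))
    expires = profile.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    expired = expires is not None and expires.replace(tzinfo=timezone.utc) < datetime.now(timezone.utc)
    findings = []
    if enterprise and team not in trusted_teams:
        findings.append(f"enterprise profile from untrusted team '{team}'")
    if expired:
        findings.append("profile has expired")
    return {"team": team, "enterprise": enterprise, "expired": expired,
            "suspicious": bool(findings), "findings": findings}
```

On a managed device the same check can be run over every `embedded.mobileprovision` inside installed `.app` bundles to surface sideloaded apps signed by unknown enterprise teams.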
Several C2 addresses came from AES-256-encrypted configuration files hosted on obfuscated servers.
Once decrypted, they point to payload handlers and endpoints such as /api/putImages and /api/getImagesStatus, through which the app determines whether to upload or delay photo transmission.
Kaspersky researchers also discovered other versions of the malware that use a forged OpenSSL library (libcrypto.dylib) with obfuscated initialization logic, which points to multiple toolsets and multiple distribution vectors.
While most of the applications appear to target users in China and Southeast Asia, nothing about the malware limits its regional scope.
Apple and Google removed the applications in question after disclosure, but the campaign has probably been active since early 2024 and may still be ongoing through sideloaded variants and clone stores, the researchers warned.