
The internet’s obsession with cats has grown far beyond funny cat videos: it has now spawned a feline-themed cybersecurity threat named SparkKitty. This spyware campaign has been linked to malware on Android and iOS devices, signaling a new wave of sophisticated mobile security threats.
SparkKitty was first detected in early 2024, and cybersecurity analysts tied it to a previous operation known as the SparkCat campaign. While SparkCat relied on optical character recognition (OCR) to extract cryptocurrency wallet data from screenshots, SparkKitty appears to focus on stealing photo gallery content from infected devices.
Fake TikTok apps and crypto trackers deliver the spyware
The SparkKitty Trojan was discovered lurking in apps pretending to be cryptocurrency trackers, gambling platforms, and modified versions of TikTok. On iOS, the spyware concealed itself by mimicking legitimate app components, making it harder to detect during installation.
In some cases, the malware was delivered as part of the app itself. One infected app was still live when Securelist researchers found it, but it has since been taken down by Apple.
On Android, the SparkKitty variant was built in two programming languages and even used a tool normally meant to customize apps. Infected apps showed up not just in the Play Store, but also on shady websites tied to crypto scams and Ponzi schemes.
How SparkKitty steals your photos without you knowing
Once SparkKitty infects your phone, it checks to make sure it’s on the right type of device before doing anything suspicious. Then it reaches out to a remote server to ask for the go-ahead to start stealing photos.
If it gets approval, the malware scans your photo gallery for new images, gathers basic device info, and secretly sends everything to the attacker through encrypted connections.
To remain undetected, SparkKitty uses tricks like changing web addresses on the fly and hiding parts of its code. In at least one case, it even downloaded new instructions to figure out the best server to send stolen data to.
From Southeast Asia to your phone: A spyware campaign goes global
Securelist also discovered another set of suspicious Android apps connected to SparkKitty. These apps used an OCR tool to scan photos for readable text, specifically details about crypto wallets. Analysts believe both infiltration methods were used by the same hackers, citing similar code structures, tactics, and geographic targeting.
Most of the observed infections were concentrated in Southeast Asia and China; however, researchers stress that the malware has no technical limitations that would stop it from spreading globally. The Trojan is part of an alarming trend of hackers distributing spyware through official app stores.
Tip for mitigating this security risk
Cybersecurity experts advise users to steer clear of unknown crypto apps, particularly those not downloaded from trusted platforms. And while Apple and Google have pulled known infected apps from their stores, SparkKitty’s covert behavior underscores the need for greater user vigilance.
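The advice above can be turned into a device-inventory check. This is an added example, not code from Securelist or TechRepublic: it flags Android apps that can both read photos and use the network and that also match one of the distribution patterns the article describes. The inventory format, the keyword list, the TikTok package allowlist and every sample entry are assumptions.

```python
PLAY_STORE = "com.android.vending"          # Google Play's installer package
PHOTO_PERMS = {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"}
INTERNET = "android.permission.INTERNET"
LURES = ("crypto", "coin", "casino")        # assumed keywords for the lure categories
# Assumed allowlist of genuine TikTok package ids; verify against your own records.
TIKTOK_IDS = {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"}

def review_reasons(app):
    """Return the reasons an app needs manual review; an empty list means none."""
    perms = set(app["permissions"])
    if INTERNET not in perms or not perms & PHOTO_PERMS:
        return []                           # cannot both read the gallery and upload it
    label, reasons = app["label"].lower(), []
    if app["installer"] != PLAY_STORE:
        reasons.append("sideloaded")
    if any(word in label for word in LURES):
        reasons.append("lure-category")
    if "tiktok" in label and app["package"] not in TIKTOK_IDS:
        reasons.append("brand-mismatch")
    return reasons

def _app(package, label, installer, *perms):
    """Build one inventory record (hypothetical format, e.g. an MDM export)."""
    return {"package": package, "label": label, "installer": installer,
            "permissions": ["android.permission." + p for p in perms]}

# Constructed inventory; every package name and label below is made up.
SAMPLE = [
    _app("com.example.cointrack", "Coin Tracker Pro", None, "READ_MEDIA_IMAGES", "INTERNET"),
    _app("com.example.tkmod", "TikTok", "com.example.store", "READ_EXTERNAL_STORAGE", "INTERNET"),
    _app("com.example.luckyspin", "Lucky Casino", PLAY_STORE, "READ_MEDIA_IMAGES", "INTERNET"),
    _app("com.example.editor", "Photo Editor", PLAY_STORE, "READ_MEDIA_IMAGES", "INTERNET"),
    _app("com.example.coinnotes", "Coin Notes", None, "INTERNET"),
]

def triage(inventory):
    """Map package name -> reasons, only for apps with at least one reason."""
    return {a["package"]: r for a in inventory if (r := review_reasons(a))}

if __name__ == "__main__":
    for package, reasons in triage(SAMPLE).items():
        print(f"{package}: {', '.join(reasons)}")
```

A flag is a prompt for manual review, not a verdict. The Play-installed casino entry is still flagged because, as noted earlier, infected apps also appeared in official stores.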