SparkKitty
SparkKitty is a mobile spyware/infostealer targeting both Android and iOS, assessed by researchers as likely linked to the SparkCat campaign. It has been active since at least February 2024 and is primarily associated with theft of cryptocurrency wallet recovery material, especially seed phrases or recovery codes saved as screenshots, although most observed variants indiscriminately exfiltrated accessible images from the victim’s gallery. Kaspersky detects it as HEUR:Trojan-Spy.AndroidOS.SparkKitty.* and HEUR:Trojan-Spy.IphoneOS.SparkKitty.*.
Distribution spanned unofficial app sources as well as the official Google Play and Apple App Store storefronts. Researchers observed delivery via malicious TikTok mods, scam and Ponzi-themed platforms, gambling and adult-themed apps, crypto-themed apps, and messaging apps with crypto exchange features. One infected Android messaging app reportedly had more than 10,000 installs on Google Play. An infected iOS app named 币coin was also identified in the App Store. The campaign appears focused primarily on users in Southeast Asia and China.
On iOS, SparkKitty was delivered through malicious frameworks masquerading as AFNetworking.framework or Alamofire.framework, obfuscated libraries such as libswiftDarwin.dylib and wc.dylib, or code embedded directly into apps. Researchers identified a malicious AFNetworking-themed module using +[AFImageDownloader load] as an entry point, checking an Info.plist key named ccool, decrypting configuration with AES-256 ECB, requesting photo library access, obtaining authorization from endpoints such as /api/getImageStatus or /api/getStatus, and exfiltrating photos and device metadata via endpoints including /api/putImages. Reported infrastructure included 23.249.28[.]88:7777 and i.bicoin[.]com[.]cn. In the 币coin iOS sample, KYDeviceActionManager implemented photo theft and upload logic.
On Android, SparkKitty existed in Java and Kotlin variants; the Kotlin variant functioned as a malicious Xposed/LSPosed module in some samples. The malware decrypted C2 addresses, contacted /api/anheartbeat to determine whether uploads were permitted, requested gallery access, and uploaded images and device information to endpoints such as /api/putDataInfo. Researchers also observed a device marker stored at /sdcard/aray/cache/devices/.DEVICES derived from an MD5 of the IMEI, MAC address, and a random UUID. Some related Android variants selected the fastest C2 server by measuring response times. Researchers also observed a likely related cluster in scam Android apps using Google ML Kit OCR to scan JPEG and PNG images for text before uploading matching images.
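As an added hunting example (not code from this profile, from Mallory, or from the researchers' reporting), the following Python scans HTTP egress log lines for the C2 API paths and the infrastructure named in the iOS and Android descriptions above. The log format, client addresses and benign lines are constructed for the example; the indicator values are only those stated on this page.

```python
"""
Added hunting helper: flag proxy/egress log lines whose destination host or
request path matches the SparkKitty indicators described in the text above.
The log format and every sample line below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 23.249.28[.]88 into its plain form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Request paths named in the iOS and Android descriptions.
SPARKKITTY_PATHS = {
    "/api/getImageStatus",
    "/api/getStatus",
    "/api/putImages",
    "/api/anheartbeat",
    "/api/putDataInfo",
}

# Infrastructure named in the iOS description (stored refanged for matching).
SPARKKITTY_HOSTS = {
    refang("23.249.28[.]88:7777"),
    refang("i.bicoin[.]com[.]cn"),
}


@dataclass
class Hit:
    line_no: int
    client: str
    host: str
    path: str
    reason: str


# Constructed format: "<ts> <client_ip> <METHOD> <scheme>://<host[:port]><path>[?query] <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>/[^\s?]*)?(?:\?\S*)?\s+(?P<status>\d{3})"
)


def classify(host: str, path: str) -> Optional[str]:
    """Return why a request is suspicious, or None if it matches nothing.

    A host match is high confidence; a bare path match is a lead only,
    since names like /api/getStatus can occur in benign apps.
    """
    if host in SPARKKITTY_HOSTS:
        return "known SparkKitty infrastructure"
    if path in SPARKKITTY_PATHS:
        return "SparkKitty C2 API path"
    return None


def hunt(lines: List[str]) -> List[Hit]:
    """Parse each log line and collect the ones matching an indicator."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        host, path = m["host"], m["path"] or "/"
        reason = classify(host, path)
        if reason:
            hits.append(Hit(n, m["client"], host, path, reason))
    return hits


# Constructed sample log: two benign requests, three that should match.
SAMPLE_LOG = [
    "2025-06-20T10:01:02Z 10.0.0.21 GET https://cdn.example.net/assets/app.js 200",
    "2025-06-20T10:01:05Z 10.0.0.21 GET http://23.249.28.88:7777/api/getImageStatus?uuid=abc 200",
    "2025-06-20T10:01:09Z 10.0.0.34 POST https://i.bicoin.com.cn/api/putImages 200",
    "2025-06-20T10:02:11Z 10.0.0.50 GET https://api.example.org/api/anheartbeat 200",
    "2025-06-20T10:02:30Z 10.0.0.21 POST https://mail.example.com/api/send 204",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.host}{hit.path} ({hit.reason})")
```

Host matches are worth alerting on directly; path-only matches should be correlated with the destination and the requesting app before escalation, because the endpoint names are generic enough to collide with legitimate software.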
Researchers linked SparkKitty to SparkCat based on shared Android frameworks, overlapping infected apps, and matching iOS debug symbol paths. Some later FakeWallet phishing apps also contained SparkKitty modules, and researchers assessed possible overlap in operators or tooling based on shared modules, Chinese-language artifacts, similar fake App Store-style distribution methods, and a common focus on cryptocurrency theft. Apple and Google reportedly removed identified malicious apps after notification.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (2 techniques)
The malware was distributed through unofficial sources as well as Google Play and App Store... In both the Android and iOS versions, the malicious payload was part of the app itself, not of a third-party SDK or framework.
The threat actor distributed apps containing a malicious SDK/framework... On iOS, the malicious payload is delivered as frameworks (primarily mimicking AFNetworking.framework or Alamofire.framework) or obfuscated libraries disguised as libswiftDarwin.dylib, or it can be embedded directly into the app itself.
Execution (1 technique)
Later, we discovered other versions of this Trojan embedded in casino apps. These were loaded using the LSPosed framework, which is designed for app code hooking. Essentially, these Trojan versions acted as malicious Xposed modules. They would hook app entry points and execute code similar to the malware we described earlier.
Privilege Escalation (2 techniques)
Stealth (5 techniques)
obfuscated libraries disguised as libswiftDarwin.dylib... had initialization functions that were obfuscated with LLVM... The code uses custom names for classes, methods, and fields.
It retrieves the Base64-encoded value of the ccc key... decoded and then decrypted using AES-256 in ECB mode... The decrypted value is a list of URLs...
malicious payload is delivered as frameworks (primarily mimicking AFNetworking.framework or Alamofire.framework) or obfuscated libraries disguised as libswiftDarwin.dylib
Credential Access (2 techniques)
Discovery (4 techniques)
the malware sends a GET request to the /api/getImageStatus endpoint, transmitting app details and the user’s UUID... the Trojan writes a hexadecimal number... an MD5 hash of a string containing the infected device’s IMEI, MAC address, and a random UUID.
On every launch, the app requested access to the user’s photo gallery... Next, the malware requests access to the user’s photo gallery.
Collection (3 techniques)
The malware exfiltrates any accessible photos that have not already been uploaded... If the gallery is modified while the app is running, the malware will attempt to access and upload the new images to the C2 server.
Tapping these opened WebView, revealing an online store named TikToki Mall... For Android users, the link downloaded an APK file that opened the scam platform via WebView.
It would then use an OCR model to select and exfiltrate images of interest... ML Kit searched for text blocks and then broke them down into lines. If at least three lines containing a word with a minimum of three letters were found, the Trojan would send the image to the attackers’ server.
Command and Control (2 techniques)
Exfiltration (1 technique)
IOCs tracked for this family
114 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
SparkKitty is mentioned by name in a related article title, suggesting malware affecting iOS and Android devices, but the main content provides no substantive details.
Android/iOS malware that steals images from the device gallery; likely used to harvest crypto-wallet recovery/seed codes stored as screenshots; assessed as linked to SparkCat.
Mobile infostealer delivered via malicious Android/iOS apps promoted through fake sites/ads; steals login credentials and crypto wallet data.
An iOS trojan referenced as using similar provisioning-profile-based installation methods. Some infected apps in this campaign also contained SparkKitty modules, suggesting a possible link between the operators, though the modules observed here were inactive.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.