How secure are the applications millions of users download daily from trusted app stores? Recent findings reveal that even official platforms like the App Store and Google Play have been compromised by sophisticated spyware campaigns.
SparkKitty, a dangerous Trojan identified by Kaspersky researchers, has infiltrated popular applications across both iOS and Android platforms, particularly targeting cryptocurrency users and personal data. The malware has been uncovered within crypto apps, gambling applications, and even trojanized versions of TikTok distributed through official stores and fraudulent websites.
SparkKitty Trojan compromises legitimate apps on iOS and Android, targeting cryptocurrency users through official app stores and malicious websites.
Kaspersky researchers classify SparkKitty as one of only two Trojans detected on the App Store within the past year, highlighting the severity of this security breach. The threat represents a continuation of earlier SparkCat campaigns, indicating persistent, evolving dangers across mobile platforms.
SparkKitty employs multiple distribution methods, including official app stores, phishing sites mimicking legitimate platforms, and unauthorized download channels. iOS variants rely on malicious frameworks disguised as legitimate libraries such as AFNetworking.framework, while Android versions are written in Java and Kotlin. Zero-day exploits frequently enable these attacks by targeting previously unknown vulnerabilities in mobile applications.
Attackers take advantage of Apple’s Enterprise provisioning profiles to circumvent iOS security restrictions, embedding malware within seemingly harmless applications to avoid detection. The spyware targets various forms of sensitive information, with cryptocurrency wallet seed phrases representing primary objectives.
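Two of the iOS indicators described above, a framework bundle carrying a trusted library's name and an app signed with an enterprise (in-house) provisioning profile, can be triaged from an unpacked .ipa without running the app. The script below is an added example written for this page, not Kaspersky's tooling: it carves the XML plist out of embedded.mobileprovision (the CMS envelope preserves the plist text verbatim), classifies the profile by the standard ProvisionsAllDevices and ProvisionedDevices keys, and inventories the Frameworks directory with SHA-256 digests so bundles named after well-known libraries can be compared against a known-good build. The bundle it inspects is constructed in a temporary directory; the framework binary and team name inside it are stand-ins, and the WATCHED_FRAMEWORKS set is an assumed review list, not a malware signature.

```python
"""Heuristic triage of an unpacked iOS app bundle: flag enterprise provisioning
profiles and inventory bundled frameworks for hash comparison.
Added example for this page; not part of any vendor's tooling."""
import hashlib
import plistlib
import re
import tempfile
from pathlib import Path

# A .mobileprovision is a CMS (PKCS#7) envelope around an XML plist. The plist
# text is embedded unchanged, so it can be carved out by pattern; verifying the
# CMS signature is a separate step not shown here.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

# Assumed review list: library names worth a hash check when they appear as a
# bundled framework. A hit means "compare against a known-good build", nothing more.
WATCHED_FRAMEWORKS = {"AFNetworking.framework"}


def extract_plist(raw: bytes) -> dict:
    """Return the plist dictionary embedded in a provisioning profile blob."""
    match = PLIST_RE.search(raw)
    if not match:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict) -> str:
    """Rough signing-profile class.
    ProvisionsAllDevices marks an in-house (enterprise) distribution profile;
    ProvisionedDevices lists UDIDs for ad-hoc/development profiles."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        return "adhoc-or-development"
    return "store-like"


def inventory_frameworks(app_dir: Path) -> dict:
    """Map each bundled framework name to the SHA-256 of its main binary."""
    result = {}
    for fw in sorted((app_dir / "Frameworks").glob("*.framework")):
        binary = fw / fw.stem  # e.g. AFNetworking.framework/AFNetworking
        digest = hashlib.sha256(binary.read_bytes()).hexdigest() if binary.is_file() else None
        result[fw.name] = digest
    return result


def audit_app(app_dir: Path) -> dict:
    """Combine the profile class, signing team and framework inventory."""
    prov = app_dir / "embedded.mobileprovision"
    profile_kind, team = "none", None
    if prov.is_file():
        profile = extract_plist(prov.read_bytes())
        profile_kind = classify_profile(profile)
        team = profile.get("TeamName")
    frameworks = inventory_frameworks(app_dir)
    review = sorted(name for name in frameworks if name in WATCHED_FRAMEWORKS)
    return {"profile_kind": profile_kind, "team": team,
            "frameworks": frameworks, "review_hashes": review}


def build_sample_app(root: Path) -> Path:
    """Constructed sample bundle for offline demonstration (not a real app)."""
    app = root / "Payload" / "Sample.app"
    fw_dir = app / "Frameworks" / "AFNetworking.framework"
    fw_dir.mkdir(parents=True)
    (fw_dir / "AFNetworking").write_bytes(b"constructed stand-in for the framework binary")
    plist = plistlib.dumps({
        "TeamName": "Example Corp (constructed)",
        "ProvisionsAllDevices": True,
        "Entitlements": {"get-task-allow": False},
    })
    # Opaque bytes on either side stand in for the CMS wrapper.
    (app / "embedded.mobileprovision").write_bytes(b"\x30\x82\x01\x00" + plist + b"\x00\x01")
    return app


def demo_report() -> dict:
    """Build the constructed bundle in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_app(build_sample_app(Path(tmp)))


if __name__ == "__main__":
    print(demo_report())
```

On a real bundle, point audit_app at Payload/<Name>.app after unzipping the .ipa; an "enterprise" profile class on an app that was supposedly obtained from the App Store, or a watched framework whose digest does not match the upstream release, is the cue for deeper analysis rather than a verdict on its own.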
Advanced optical character recognition capabilities allow the malware to extract text from images and screenshots, placing users’ credentials and recovery phrases at significant risk. Beyond cryptocurrency theft, SparkKitty conducts broader espionage operations, collecting device information, hardware details, and exfiltrating photos from infected galleries.
Geographic analysis reveals concentrated targeting of users in Southeast Asia and China, with campaigns actively distributing globally since February 2024. The malware’s multilingual disguises amplify its effectiveness across diverse user populations, as sophisticated command-and-control infrastructure facilitates remote operator management. One particularly widespread example was the SOEX messenger app, which featured cryptocurrency exchange functions and was downloaded over 10,000 times from Google Play before detection.
Following Kaspersky’s identification and reporting, both Google and Apple removed malicious applications from their respective stores. Nonetheless, security experts stress ongoing risks, as similar malware continues bypassing existing protections. Kaspersky researchers also identified a crypto-only store within the weaponized TikTok app, further confirming the attackers’ focus on cryptocurrency-related theft.
The incidents expose critical vulnerabilities in app store security processes, prompting advisories urging vigilance even when downloading from traditionally trusted sources.