SparkKitty: a new Trojan spy on App Store and Google Play

24 June 2025

Kaspersky researchers have discovered a new spyware Trojan called SparkKitty, which targets iOS and Android smartphones. The malware sends images from the device, along with other information about the device, to the attackers. It was embedded in apps related to cryptocurrencies and gambling, as well as in a modified version of the TikTok app, and was distributed through the App Store and Google Play as well as through scam websites. Experts warn that the attackers' main goal is to steal cryptocurrency from users in Southeast Asia and China.

Kaspersky has notified Google and Apple about the malicious apps. Certain technical characteristics suggest that this new malware campaign is related to the previously detected SparkCat Trojan (the first malware of its kind on iOS), which included a built-in optical character recognition (OCR) module that let it scan images and screenshots for crypto wallet access details or passwords. SparkKitty is the second time within a year that Kaspersky analysts have found a Trojan stealer in the App Store, following SparkCat.

iOS

In the App Store, the Trojan was presented as a cryptocurrency-related app called 币coin. On deceptive websites that mimicked Apple's official App Store, the malware was distributed in the form of TikTok and gambling apps.

"The attackers used fake websites as the main way to spread the Trojan with the aim of infecting iPhone devices. iOS allows apps to be installed outside the App Store. In this case, the attackers used special software tools for developers to distribute corporate business apps intended for internal use by companies. In the modified version of TikTok, the malware, in addition to stealing photos, embedded links in the user's profile that led to a suspicious online store. The fact that it only accepted payments in cryptocurrencies is a factor that heightens our suspicions," explains Sergey Puzan, malware analyst at Kaspersky.

Android

Cybercriminals promoted the malware both through independent websites and through Google Play, presenting it as a cryptocurrency exchange. For example, the SOEX app combined a crypto exchange function with communication capabilities and had more than 10,000 downloads.

Kaspersky experts also identified APK files of infected apps (which can be sideloaded directly onto Android smartphones, bypassing official stores) on websites that appear to be related to this threat. These apps were presented as crypto investment projects and advertised on social networks, including YouTube.

"After installation, the apps worked as described, but at the same time, they stole photos from the device and sent them to the attackers. The goal may be to locate sensitive data belonging to the user, such as crypto wallet access credentials. There are indications that they are particularly interested in the victims' digital assets: many of the infected apps were related to crypto, while the modified TikTok app had a built-in store that only accepted payments in crypto," comments Dmitry Kalinin, malware analyst at Kaspersky.

To avoid falling victim to this malware, Kaspersky recommends:

  • If you have installed any of the infected apps, delete it from your device and do not reinstall it until an official update is available that removes its malicious functionality.
  • Do not keep screenshots containing sensitive information (such as login details or wallet recovery phrases) in your photo library. Store passwords in a dedicated password manager instead.
  • Use reliable security software, which can prevent malware infections. On iOS, because of Apple's platform restrictions, Kaspersky's solution warns the user when an app attempts to transfer data to an attacker's server and blocks the transfer.
  • If an app requests access to your photo library, consider whether it really needs that access to function.
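The last recommendation can be applied before installing rather than after. The following is an added example, written for this page and not Kaspersky's tooling or the malware's code: it triages a decoded AndroidManifest.xml for the capability combination SparkKitty relies on on Android, read access to the photo library plus INTERNET permission to send the images out. The two manifests are constructed samples with invented package names; a real manifest is obtained by decoding the APK first (for example with `apktool d app.apk`), since the manifest inside an APK is binary XML rather than plain text.

```python
"""Triage an Android manifest for photo-read plus network permissions.

Added example for this article; not Kaspersky's tooling. The manifests
below are constructed samples with invented package names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# ElementTree exposes the android:name attribute in Clark notation.
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that let an app read the user's images without a per-image picker.
PHOTO_READ_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",        # Android 13 and later
    "android.permission.READ_EXTERNAL_STORAGE",    # Android 12 and earlier
    "android.permission.MANAGE_EXTERNAL_STORAGE",  # "all files" access
}
NETWORK_PERMISSION = "android.permission.INTERNET"

# Constructed sample: a hypothetical "exchange" app that asks for both.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakexchange">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_EXTERNAL_STORAGE"
                            android:maxSdkVersion="32"/>
    <application android:label="FakeXchange">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed control: an app with network access but nothing photo-related.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Calc"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # uses-permission-sdk-23 is the variant only requested on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(NAME_ATTR)
            if name:
                names.add(name)
    return names


def assess_photo_exfil_risk(manifest_xml):
    """Flag a manifest that combines photo-library read access with INTERNET.

    This is a triage heuristic, not proof of malice: messaging apps and
    photo editors legitimately need both. It identifies which apps deserve
    the question "does this really need my photos?" before installing.
    """
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    photo = sorted(perms & PHOTO_READ_PERMISSIONS)
    network = NETWORK_PERMISSION in perms
    return {
        "package": root.get("package"),
        "photo_read_permissions": photo,
        "network_access": network,
        "review": bool(photo) and network,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        verdict = assess_photo_exfil_risk(manifest)
        status = "REVIEW" if verdict["review"] else "ok"
        print(f"{verdict['package']}: {status} {verdict['photo_read_permissions']}")
```

The check is deliberately narrow: it only looks at declared permissions, so it cannot tell a benign gallery app from one that also uploads every image, and it will not catch an app that relies on the system photo picker, which needs no permission at all. Its value is in turning the advice above into a reproducible pre-install question rather than a gut feeling.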