Kaspersky Uncovers Global Spyware Campaign Targeting Android and iOS Users

A global spyware campaign, dubbed SparkKitty, has been targeting Android and iOS users since early 2024. The malicious code is spread through applications injected with frameworks/SDKs, primarily targeting users in Southeast Asia and China. The attackers aim to steal images from victims’ devices, potentially seeking cryptocurrency information.

The malware developers used a provisioning profile available through Apple’s Developer Program to deploy on iPhone devices, making the apps trusted by the device. They also utilized an Enterprise profile to push malicious apps to Android devices without publishing them to Google Play.

Kaspersky discovered that certain messaging apps with crypto exchange capabilities contained the malicious payload, and infected Android apps were distributed through unofficial sources. The firm found iOS counterparts of these apps within the App Store, showcasing the attackers’ ability to create convincing applications.

Additionally, Kaspersky uncovered various web pages distributing scam iOS apps in PWA format, similar to those offering the malicious TikTok apps. These pages also contained Android applications that request permission to read device storage and use OCR to steal images containing a word of three letters or more.

The SparkKitty campaign is connected to another piece of spyware, SparkCat, which relied on OCR to steal images related to cryptocurrency wallets from devices’ galleries. The attackers used the same tactics across both clusters of malicious activity.

This global campaign highlights the evolving nature of cyber threats and the importance of vigilance in protecting personal data.

Source: https://www.securityweek.com/photo-stealing-spyware-sneaks-into-apple-app-store-google-play