{"id":77954,"date":"2025-06-25T09:59:56","date_gmt":"2025-06-25T06:59:56","guid":{"rendered":"https:\/\/gulftech-news.com\/en\/?p=77954"},"modified":"2025-06-25T09:59:57","modified_gmt":"2025-06-25T06:59:57","slug":"kaspersky-has-discovered-sparkkitty-a-new-trojan-spy-on-app-store-and-google-play","status":"publish","type":"post","link":"https:\/\/gulftech-news.com\/en\/2025\/06\/25\/kaspersky-has-discovered-sparkkitty-a-new-trojan-spy-on-app-store-and-google-play\/","title":{"rendered":"Kaspersky has discovered SparkKitty: a new Trojan spy on App Store and Google Play"},"content":{"rendered":"\n

Kaspersky <\/a><\/strong>researchers have discovered a new Trojan spy called SparkKitty which targets smartphones on iOS and Android. It sends images from an infected phone and information about the device to the attackers. This malware was embedded in apps related to crypto and gambling, as well as in a trojanized TikTok app, and was distributed on App Store and Google Play, as well as on scam websites. <\/p>\n\n\n\n

Experts suggest that the goal of the attackers is to steal cryptocurrency assets from residents of Southeast Asia and China. Users in KSA are also potentially at risk of facing a similar cyber threat.<\/p>\n\n\n\n

Kaspersky has notified Google and Apple about the malicious apps. Certain technical details suggest that the new malware campaign is linked to the previously discovered SparkCat<\/a> Trojan \u2014 malware (the first of its kind on iOS) with a built-in optical character recognition (OCR) module that allows it to scan image galleries and steal screenshots containing cryptocurrency wallet recovery phrases or passwords. <\/p>\n\n\n\n

The SparkKitty case is the second time in a year that Kaspersky researchers have found a Trojan stealer on App Store, following SparkCat.<\/p>\n\n\n\n

iOS<\/strong><\/p>\n\n\n\n

On App Store, the Trojan pretended to be an app related to cryptocurrencies \u2014 \u5e01coin. On phishing pages mimicking the official iPhone App Store, the malware was distributed under the guise of TikTok and gambling applications.<\/p>\n\n\n\n

An alleged crypto exchange app, <\/em>\u5e01coin<\/em>, on App Store<\/em><\/p>\n\n\n\n

A webpage mimicking AppStore to install an alleged TikTok app through developer tools

<\/em><\/p>\n\n\n\n

A fake web store embedded into the alleged TikTok app<\/em><\/p>\n\n\n\n

“One of the vectors for the Trojan’s distribution turned out to be fake websites where the attackers tried to infect the victims’ iPhones. iOS has several legitimate ways to install programs not from the App Store. In this malicious campaign, the attackers used one of them \u2014 special developer tools for distributing corporate business applications. <\/p>\n\n\n\n

In the infected version of TikTok, during authorization, the malware, in addition to stealing photos from the smartphone gallery, embedded links to a suspicious store in the person’s profile window. This store only accepts cryptocurrencies, which increases our concerns about it,\u201d explains Sergey Puzan, a malware expert at Kaspersky.<\/p>\n\n\n\n

Android<\/strong><\/p>\n\n\n\n

The attackers targeted users both on third-party websites and on Google Play, passing off the malware as various crypto services. For example, one of the infected applications \u2014 a messenger called SOEX with a cryptocurrency exchange function \u2014 was downloaded from the official store over 10,000 times. <\/p>\n\n\n\n

An alleged crypto exchange app, SOEX, on Google Play<\/em><\/p>\n\n\n\n

Experts also found APK files of infected apps (these can be installed directly on Android smartphones bypassing official stores) on third-party websites that are likely related to the detected malicious campaign. They are positioned as investment crypto projects. The websites on which these applications were posted were advertised on social networks, including YouTube. <\/p>\n\n\n\n

“After the apps were installed, they functioned as promised in their description. But at the same time, photos from the smartphone gallery were sent to the attackers. The attackers may later try to find various confidential data in the images, for instance, crypto wallet recovery phrases to access the victims’ assets. There are indirect signs that the attackers are interested in people’s digital assets: many of the infected apps were related to crypto, and the trojanized TikTok app also had a built-in store that accepted payment for goods only in crypto,” comments Dmitry Kalinin, a malware expert at Kaspersky. <\/p>\n\n\n\n

A detailed report about this attack is available on Securelist.com<\/a>. <\/p>\n\n\n\n

To avoid becoming a victim of this malware, Kaspersky recommends the following safety measures:<\/p>\n\n\n\n