
Photo-Stealing Spyware Found on App Store, Google Play

IMAGE CREDITS: NETDATA

Security researchers have discovered a dangerous photo-stealing spyware campaign that successfully infiltrated both the Apple App Store and Google Play—targeting unsuspecting users across iOS and Android platforms.

According to Kaspersky, the campaign—named SparkKitty—has been active since early 2024, primarily hitting users in Southeast Asia and China. The spyware hides inside apps that appear legitimate, including fake TikTok mods and cryptocurrency tools, stealing every photo on the user’s device—likely in search of sensitive data like cryptocurrency wallet information.

What makes this campaign especially alarming is that the attackers managed to bypass Apple’s strict security protocols. They used Apple’s Developer Enterprise Program, which is meant for internal distribution of corporate apps, to deploy a malicious provisioning profile. This trick allowed the rogue apps to run on iPhones without being published on the App Store in the usual way.

The malware authors even modified AFNetworking, a legitimate open-source library used for network communication in iOS apps, to silently transmit stolen images and device data to a remote command-and-control (C&C) server.

On Android, the story isn’t much better. Kaspersky found multiple fake apps—posing as cryptocurrency tools and casino games—stealing photo gallery contents. One of these apps, a messaging app that doubled as a crypto exchange, was available on Google Play and had already been downloaded over 10,000 times before being removed.

Digging deeper, researchers found a similar Android app circulating outside official channels with an iOS version that also managed to slip into the App Store. In both cases, the malicious code was baked directly into the core of the app, rather than added through third-party SDKs—making it harder to detect.

Beyond app stores, the attackers also used Progressive Web Apps (PWAs) to push scam iOS apps through lookalike landing pages mimicking those offering TikTok mods. Some of these web apps targeted Android users as well, asking for permissions to access storage. Once granted, the malware used optical character recognition (OCR) to scan images for text—stealing any photos that contained words with at least three letters.

The campaign appears closely tied to an earlier operation known as SparkCat, another spyware strain that also used OCR to swipe crypto-related screenshots from victims’ galleries. SparkKitty and SparkCat both leveraged official as well as unofficial app distribution methods—making them harder to avoid and highlighting a growing challenge for mobile device security.

Whether you use Android or iOS, this discovery is a stark reminder that even apps from trusted sources can be weaponized. Always double-check app permissions, be cautious of apps offering unofficial features like “TikTok mods,” and avoid downloading apps from unfamiliar sources.
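The permission check the article recommends can be made concrete for Android. The script below is an added example, not code from the article or from Kaspersky: it parses a decoded AndroidManifest.xml and lists every declared permission that grants access to the photo gallery or shared storage, so a reviewer can ask whether an app advertised as a messenger or crypto tool has any business reading every image on the device. The permission names are real Android identifiers; the sample manifest, the `com.example.chatexchange` package name and the function names are constructed for this example.

```python
"""Audit a decoded AndroidManifest.xml for photo/storage permissions.

Added example (not from the article or Kaspersky). Flags declared
permissions that let an app read the photo gallery, the access the
article describes the fake messaging/crypto apps requesting.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names that grant read/write access to photos or
# shared storage. Which ones count as "gallery access" is the auditor's
# choice here, not something stated in the article.
GALLERY_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage (photo access before API 33)",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage",
    "android.permission.READ_MEDIA_IMAGES": "read all images (API 33+)",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "all-files access",
}

# Constructed sample manifest modelled on a "messaging app that doubles as a
# crypto exchange": it declares more gallery access than chat needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatexchange">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"
        android:maxSdkVersion="32"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="ChatExchange"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        # The name attribute lives in the android: namespace.
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def gallery_access(manifest_xml: str) -> dict[str, str]:
    """Map each declared gallery/storage permission to a short description."""
    return {
        name: GALLERY_PERMISSIONS[name]
        for name in declared_permissions(manifest_xml)
        if name in GALLERY_PERMISSIONS
    }


def needs_review(manifest_xml: str, expected=frozenset()) -> bool:
    """True if the app can reach the gallery beyond what its stated purpose needs.

    `expected` is the set of gallery permissions the reviewer accepts for this
    kind of app (a photo editor legitimately needs READ_MEDIA_IMAGES; a chat or
    exchange app normally does not).
    """
    return bool(set(gallery_access(manifest_xml)) - set(expected))


if __name__ == "__main__":
    for perm, why in gallery_access(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
    print("needs review:", needs_review(SAMPLE_MANIFEST))
```

Run it against a manifest pulled from an APK with a decoder such as apktool; the `expected` set lets the same check accept gallery access for apps whose advertised purpose requires it while flagging it for apps whose purpose does not.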
