Don’t let the cute name fool you: this dangerous malware can sneak its way onto your phone and steal all your photos.
Researchers at IT security company Kaspersky recently discovered a new trojan hiding inside applications available for download on the official app stores, Apple's App Store and Google Play.
What is SparkKitty?
The malware, which researchers named SparkKitty, is a cross-platform trojan, which means it can infect both Android and iOS devices. A trojan is a sneaky type of malware that hides inside supposedly legitimate applications or documents.
Kaspersky researchers found SparkKitty embedded inside applications available on official app stores, but it was also found in unofficial app marketplaces, hidden inside fake TikTok app installers, various gambling and adult games, and crypto-related apps.
Once downloaded, it sneaks its way into the device, prompts the user to grant access to the photo gallery and then takes control and steals all the images.
“SparkKitty uploads each and every one of your snapshots to its command-and-control (C&C) server,” the researchers wrote in the report. C&C servers are hacker-controlled computers that send instructions to and remotely control an infected device.
Google Play, Apple, TikTok targets
One of the infected apps found on Google Play was a messaging app with crypto exchange features called SOEX, according to the report. The app had been uploaded to the Android app store and installed over 10,000 times by the time the researchers made the discovery.
“It was still available in the store at the time of this research,” the Kaspersky team said.
Kaspersky notified Google, which has since removed the infected app from the app store.
On Apple's App Store, it was found embedded inside a bitcoin app for tracking cryptocurrency rates.
“We are not sure exactly how this suspicious spy activity ended up in the app,” they said, adding that it’s possible the developers weren’t aware that their app had been compromised somewhere along their supply chain. But it’s also possible that the developers deliberately embedded the malware into the app, they said.
Researchers also discovered SparkKitty being distributed outside official app stores, with the malware found hidden inside TikTok clones distributed via unofficial channels.
SparkKitty’s predecessor, SparkCat, believed to have been spreading since at least early 2024, originally targeted mobile phone users in Asia. However, researchers believe the campaign has gone beyond its original scope and that its operators have likely scaled up their operation to target users in other countries and continents, according to the report.
How to protect your phone from malware-infected apps
The golden rule “download apps from official sources only” still applies, the researchers said. However, users should be aware that apps infected with dangerous malware are now also making their way into official app stores.
According to some experts, many developers may be inadvertently adding pieces of malware to applications that then make their way into official app stores. Other times, legitimate applications that have built a solid reputation are compromised after a change of ownership.
Kaspersky recommends a number of steps to keep devices safe:
- Avoid storing important documents, passwords, banking data or photos of seed phrases for cryptowallets in the smartphone’s gallery. Aside from the threat of stealers like SparkKitty, users may accidentally upload and share these in a messenger.
- Be extremely cautious about granting permissions to new apps. “If you’re not completely sure about an app’s legitimacy (for example, it’s not an official messenger, but a modified version), don’t grant it full access to all your photos and videos. Grant access only to specific photos when necessary,” the researchers said.
- If you think you may have downloaded a suspicious app, delete it and review your photo gallery to check what information cybercriminals may have gotten access to. “Change any passwords and block any cards saved in the gallery,” Kaspersky said in the report.
In a previous interview with Metroland Media, Estyn Edwards, chief technology officer for Canadian app development company Punchcard Systems, said users should take time to read reviews before downloading an app, but added they should also be aware that some reviews can be faked.
Taking the time to research an app and the company behind it is also advised.
He also warned users to be wary of apps offered for free online when they are supposed to be bought in official app marketplaces.
“You’d probably pay for that with your privacy or with whatever they can get from you through fraud,” he warned.