Sparkkitty malware steals photos from iOS and Android devices


A sophisticated Trojan malware campaign has been targeting iOS and Android users since February 2024. Cybersecurity researchers have identified a significant escalation in its photo-theft capabilities, which pose particular risks to cryptocurrency users and to anyone who keeps sensitive information in their device gallery.

Sparkkitty represents a worrying development in mobile malware distribution: it successfully bypassed the review processes of Google Play and the Apple App Store to reach unsuspecting users.

The malware has mainly targeted users in Southeast Asia and China, although nothing in its technical architecture limits its operational reach geographically.

The campaign has shown remarkable sophistication in its distribution methods, infiltrating legitimate app stores through applications such as Soex, a messaging app with cryptocurrency trading features that accumulated more than 10,000 downloads before it was removed from Google Play.

On iOS, the malware was embedded in fraudulent frameworks that imitate legitimate libraries such as AFNetworking, and was also distributed by abusing Apple enterprise provisioning profiles, through applications such as 币 Coin, a cryptocurrency tracking app.

Kaspersky researchers have identified this campaign as likely an evolution of the previously documented Sparkcat malware family, indicating continuous development and refinement of mobile-targeted attack vectors by cybercriminal organizations.

Sparkkitty malware

Sparkkitty's technical implementation varies considerably between the two platforms while pursuing the same malicious objectives:

Android implementation:

  • Written in Java and Kotlin for its core functionality.
  • Uses malicious Xposed modules to inject code directly into trusted applications.
  • Initiates the infection chain through seemingly legitimate applications that request storage permissions.
  • Targets the device photo gallery through the standard Android permission model.

iOS implementation:

  • Uses the Objective-C automatic loading mechanism (+load) for execution.
  • Triggers malware activation through the +[AFImageDownloader load] selector when the application launches.
  • Includes validation checks that ensure the target application's Info.plist contains specific configuration keys.
  • Decrypts Base64-encoded configuration using AES-256 in ECB mode.
  • Accesses the device photo gallery and uploads the captured images to command-and-control servers via designated API endpoints.
  • Continuously monitors the gallery for changes to automatically capture newly added photographs.
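The configuration decryption step described for the iOS implementation (Base64 decode, then AES-256 in ECB mode) is the step an analyst reproduces once the key has been recovered from the binary. The Go program below is an added example written for this article; it is not code from the original article, from Kaspersky or from the malware, and the 32-byte key, the JSON configuration and the upload URL are constructed placeholders. It also shows the property that makes ECB a poor choice for the attackers: identical 16-byte plaintext blocks encrypt to identical ciphertext blocks, so repeated structure in a configuration is visible in the ciphertext even without the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
)

// pkcs7Pad appends PKCS#7 padding so the length is a multiple of the AES block size.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding, rejecting malformed padding instead of
// silently returning garbage.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptAESECBBase64 is the attacker-side operation, reproduced here only so the
// example is self-contained: AES-256-ECB over PKCS#7-padded data, then Base64.
// ECB has no IV, so every 16-byte block is encrypted independently.
func EncryptAESECBBase64(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key) // errors on any key size other than 16/24/32
	if err != nil {
		return "", err
	}
	pt := pkcs7Pad(plaintext)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptAESECBBase64 is the analyst-side operation: Base64-decode the blob
// from the binary, decrypt each block with the recovered key, strip padding.
func DecryptAESECBBase64(key []byte, b64 string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	return pkcs7Unpad(pt)
}

// CountRepeatedBlocks counts ciphertext blocks that duplicate an earlier block.
// Under ECB this equals the number of repeated plaintext blocks, which is why
// structured data encrypted with ECB can be recognised without the key.
func CountRepeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	dup := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			dup++
		} else {
			seen[k] = true
		}
	}
	return dup
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key, not a real IOC
	cfg := []byte(`{"upload":"https://c2.example.invalid/api/upload"}`) // constructed config
	enc, _ := EncryptAESECBBase64(key, cfg)
	dec, _ := DecryptAESECBBase64(key, enc)
	fmt.Printf("decrypted config: %s\n", dec)

	// Two identical plaintext blocks produce two identical ciphertext blocks.
	rep, _ := EncryptAESECBBase64(key, bytes.Repeat([]byte("A"), 32))
	raw, _ := base64.StdEncoding.DecodeString(rep)
	fmt.Printf("repeated ciphertext blocks in ECB output: %d\n", CountRepeatedBlocks(raw))
}
```

In practice the key is recovered from the framework binary or from memory at the point where the +load method runs; once it is known, the same decrypt routine can be pointed at any Base64 string found in the target application's Info.plist or in the framework's data section to confirm which strings are encrypted configuration.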

Infrastructure and resilience:

  • Uses cloud services, including AWS S3 and Alibaba OSS, for payload delivery.
  • Complicates takedown efforts through its distributed infrastructure.
  • Ensures operational continuity across geographic regions.

Indiscriminate photo theft

Sparkkitty represents a significant escalation in threat capability compared to its predecessor, Sparkcat, which used optical character recognition (OCR) to selectively target specific images.

The current campaign indiscriminately steals all accessible photographs from device galleries, considerably increasing the probability of capturing sensitive information, including cryptocurrency wallet seed phrases, identity documents and financial records.

The malware maintains a local database to track which images have already been uploaded and to avoid duplicate transmissions, while continuously monitoring the gallery for changes so that newly added content is stolen as well.

This blanket approach considerably amplifies the potential exposure of sensitive data, particularly for users who keep screenshots of cryptocurrency wallet recovery phrases or other confidential information in their device galleries.

Security researchers emphasize the importance of not storing sensitive screenshots in device galleries and of scrutinizing mobile applications carefully before installing them, even from official app stores, given Sparkkitty's demonstrated ability to bypass traditional review processes.
