Photo-Stealing Spyware Sneaks Into Apple App Store, Google Play

Kaspersky has uncovered a spyware campaign targeting Android and iOS users via official and unofficial app stores to steal images from their devices, potentially looking for cryptocurrency information.

Dubbed SparkKitty, the campaign has been ongoing since early 2024 through applications injected with frameworks/SDKs, primarily targeting users in Southeast Asia and China.

The malicious code, discovered in applications posing as TikTok mods for both Android and iOS, attempts to steal all of the victim’s images, but appears linked to a previous campaign that relied on optical character recognition (OCR) to extract cryptocurrency wallet information from screenshots.

To ensure the nefarious apps would run on iOS devices, the malware developers relied on a provisioning profile available through Apple’s Developer Program to deploy on victims’ iPhones certificates that would become trusted by the device.

The attackers used an Enterprise profile, which allows organizations to push apps to user devices without ...