Full Report
SparkKitty, a new Trojan spy for iOS and Android, spreads through untrusted websites, the App Store, and Google Play, stealing images from users' galleries.
Analysis Summary
This summary covers a new spyware campaign, potentially linked to the previously observed SparkCat, that targets cryptocurrency assets through mobile applications.
# Tool/Technique: New Mobile Spyware (Linked to SparkCat)
## Overview
A new type of mobile spyware, believed to be connected to the SparkCat campaign, is actively targeting victims' cryptocurrency assets on both iOS and Android. The malware is distributed through unofficial sources and also infiltrated the official stores (Google Play and the App Store; the Android version has since been removed from Google Play). A related Android variant is distributed as modified TikTok builds ("mods") that open an online store accepting cryptocurrency payments.
## Technical Details
- Type: Malware family (Spyware)
- Platform: Android, iOS
- Capabilities: Stealing crypto wallet information from images, image exfiltration, remote configuration download, distribution through official app stores and sideloading.
- First Seen: Campaign active since at least February 2024.
## MITRE ATT&CK Mapping
Note: The mappings are inferred from the described behaviors (image theft, configuration retrieval, exfiltration); the source does not state ATT&CK IDs. Screen Capture (T1113) is not listed because the OCR runs over images already stored in the gallery, not over the live screen.
- **TA0009 - Collection**
- T1005 - Data from Local System (harvesting images and configuration data from the device)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (inferred; the source describes image exfiltration but does not detail the channel)
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (downloading the Base64-encoded configuration file that supplies the C2 and store endpoints)
## Functionality
### Core Capabilities
- **Cross-Platform Distribution:** Targets both iOS and Android ecosystems, infiltrating official app stores.
- **Configuration Retrieval:** Android modded apps download a Base64-encoded configuration file from a remote server to establish C2 channels and functionality endpoints.
- **E-commerce Infrastructure:** Android modifications lead to a WebView displaying an online store ("TikToki Mall") accepting cryptocurrency payments.
### Advanced Features
- **Targeted Image Exfiltration (OCR):** A subset of this malware uses Optical Character Recognition (OCR) models specifically to identify and exfiltrate images containing identifiable sensitive data, such as crypto wallet seed phrases. Other versions indiscriminately steal all images.
- **iOS Payload Delivery:** On iOS, the payload is delivered disguised as legitimate frameworks (e.g., `AFNetworking.framework`, `Alamofire.framework`), obfuscated libraries (`libswiftDarwin.dylib`), or embedded directly.
- **Apple Enterprise Profile Abuse (iOS):** Sidesteps App Store review by signing and distributing apps with Apple Enterprise provisioning profiles, which let a user trust the developer certificate directly on the device. A recovered profile carried the Team Identifier `EHQ3N2D5WH`.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: TikTok mods (for Android distribution method analyzed), payloads mimicking frameworks (`AFNetworking.framework`, `Alamofire.framework`), disguised libraries (`libswiftDarwin.dylib`).
- Network Indicators:
- Base C2/Configuration Retrieval: `hxxps://moabc[.]vip/?dev=az`
- Store/Endpoint Links (from an example configuration):
- `hxxps://h1997[.]tiktokapp[.]club/wap/?`
- `hxxps://h1997[.]tiktokapp[.]club/www/?`
- Behavioral Indicators:
- Requests access to the device's gallery upon opening specific screens (e.g., support chat).
- Installation of provisioning profiles on iOS devices.
- Android variants packaged as Xposed modules (a Kotlin-based variant was observed).
## Associated Threat Actors
- Threat Actor associated with the original "SparkCat" spyware campaign.
- Developers abusing Apple Enterprise profiles (Team Name `SINOPEC SABIC Tianjin Petrochemical Co.Ltd.` on a recovered provisioning profile; likely a placeholder or a stolen identity rather than the real company).
## Detection Methods
- Signature-based detection: Match the known C2 and store domains (`moabc[.]vip`, `tiktokapp[.]club`) and the Team Identifier `EHQ3N2D5WH` in embedded provisioning profiles. The disguise names (`AFNetworking.framework`, `Alamofire.framework`, `libswiftDarwin.dylib`) are also names of legitimate, widely used components, so a name match alone is noisy; pair it with a hash or content check on the binary.
- Behavioral detection: Flag apps that request Photos/gallery access immediately after launch or on an unrelated UI event (such as opening a support chat), especially apps obtained outside the official stores. On Android, treat TikTok mods and unexpected Xposed modules as suspicious.
- YARA rules: Rules can target the configuration field names and embedded strings specific to the malicious SDK/framework. The source publishes no rule text, so rules have to be written from samples in hand.
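The two checks above that can be automated with the indicators this report does give are a domain match on proxy or DNS logs and an inspection of an iOS app's `embedded.mobileprovision` for the enterprise flag and the quoted Team Identifier. The script below is an added example written for this page, not code from the report or from the malware authors. An `embedded.mobileprovision` is a CMS/PKCS#7 signature wrapping an XML plist; the script carves the plist out without verifying the signature, which is enough for triage. The proxy log lines and the provisioning profile blob are constructed test data; the key names `TeamIdentifier`, `TeamName` and `ProvisionsAllDevices` are the ones Apple uses in provisioning profiles.

```python
"""Triage helpers for the SparkKitty indicators listed in this report (added example)."""
import plistlib
import re

# Indicators taken from the report's IOC section.
KNOWN_TEAM_IDS = {"EHQ3N2D5WH"}
SUSPICIOUS_DOMAINS = {"moabc.vip", "tiktokapp.club"}

# Constructed proxy log lines for demonstration; not taken from the report.
SAMPLE_PROXY_LOG = [
    "2024-02-13T10:01:02Z 10.0.0.5 GET https://h1997.tiktokapp.club/wap/? 200",
    "2024-02-13T10:01:09Z 10.0.0.5 GET https://moabc.vip/?dev=az 200",
    "2024-02-13T10:02:00Z 10.0.0.6 GET https://example.org/ 200",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]y) back into a matchable URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL, or the input if it has no scheme."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else url.lower()


def matches_c2(host_or_url: str) -> bool:
    """True if the host equals, or is a subdomain of, a listed C2/store domain."""
    host = host_of(refang(host_or_url))
    return any(host == d or host.endswith("." + d) for d in SUSPICIOUS_DOMAINS)


def flag_log_lines(lines):
    """Return (line, host) pairs for every log line whose URL hits a listed domain."""
    hits = []
    for line in lines:
        for token in line.split():
            if "://" in token and matches_c2(token):
                hits.append((line, host_of(token)))
                break
    return hits


def extract_profile_plist(blob: bytes) -> dict:
    """Carve the XML plist out of a CMS-wrapped embedded.mobileprovision.

    The signature is not verified here; this is a triage helper, not a trust decision.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile blob")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def assess_profile(blob: bytes) -> dict:
    """Report the team behind a profile and why it is suspicious, if it is."""
    profile = extract_profile_plist(blob)
    team_ids = set(profile.get("TeamIdentifier", []))
    findings = []
    # ProvisionsAllDevices is only present in enterprise (in-house) distribution profiles.
    if profile.get("ProvisionsAllDevices"):
        findings.append("enterprise distribution profile (ProvisionsAllDevices=true)")
    if team_ids & KNOWN_TEAM_IDS:
        findings.append("team identifier matches report IOC")
    return {
        "team_name": profile.get("TeamName"),
        "team_ids": sorted(team_ids),
        "findings": findings,
    }


def _build_sample_profile() -> bytes:
    """Constructed stand-in for an embedded.mobileprovision: fake DER bytes around an
    XML plist carrying the team identifier and team name quoted in the report."""
    plist = plistlib.dumps({
        "Name": "constructed test profile",
        "TeamName": "SINOPEC SABIC Tianjin Petrochemical Co.Ltd.",
        "TeamIdentifier": ["EHQ3N2D5WH"],
        "ProvisionsAllDevices": True,
        "Entitlements": {"application-identifier": "EHQ3N2D5WH.*", "get-task-allow": False},
    }, fmt=plistlib.FMT_XML)
    fake_cms_header = b"\x30\x82\x0b\x1a\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    return fake_cms_header + plist + b"\x00\x01\x02"


SAMPLE_PROFILE = _build_sample_profile()


if __name__ == "__main__":
    for line, host in flag_log_lines(SAMPLE_PROXY_LOG):
        print(f"C2/store hit on {host}: {line}")
    print(assess_profile(SAMPLE_PROFILE))
```

On a real device image or unpacked IPA, point `assess_profile` at `Payload/<App>.app/embedded.mobileprovision`; a profile with `ProvisionsAllDevices` set in a consumer app is worth a closer look even when the team identifier does not match this campaign.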
## Mitigation Strategies
- **Source Verification:** Avoid installing applications from unofficial sources and do not follow external links to look-alike app stores.
- **App Store Scrutiny:** Remain vigilant regarding new apps appearing on official stores, especially those requesting broad permissions like gallery access immediately upon launch.
- **iOS Enterprise Trust:** Do not install provisioning profiles or trust enterprise developer certificates from unknown sources; trusting one lets every app signed with that certificate run without App Store review. Review Settings > General > VPN & Device Management for unexpected profiles, and on managed devices use MDM to disallow enterprise app trust.
- **Android Security:** On managed devices, restrict installation to Google Play or block installation from unknown sources; the TikTok mods in this campaign are distributed outside Google Play.
## Related Tools/Techniques
- SparkCat Stealer (Previous related campaign)
- Use of Apple Enterprise Certificates for Sideloading
- Use of OCR for targeted data extraction from visual media.