Researchers Just Discovered Photo-Scanning Malware in the Apple App Store for the First Time
Not all apps are safe. This is why I always recommend downloading apps from official app stores like the iOS App Store and Google Play Store rather than from a random website: Apple and Google have policies to scan for malware and stop it before it reaches the app stores. But no company is perfect, and malware-infected apps end up on official app stores more often than we’d like to think. These apps tend to appear on the Play Store more often than on the App Store, given that Apple is extremely strict, but that doesn’t mean the App Store is immune to malware—it definitely happens, and we’ve covered it before. In fact, researchers have just discovered a batch of apps containing malware on Apple and Google platforms. And this is the first time this particular type of malware has been detected in the iOS App Store.
What is SparkCat?
Researchers from Kaspersky Lab have discovered apps on the Google Play Store and Apple App Store containing malicious components specifically designed to steal crypto wallet recovery phrases, the series of words used to access cryptocurrency in digital wallets. Researchers call the malware “SparkCat” and believe it has been circulating since March 2024.
If you have downloaded one of these apps on iOS or Android, it will likely ask for permission to access your photo library, and then the malicious component launches an optical character recognition (OCR) plugin to scan and identify the text in your images. If the program finds text that matches certain keywords, it sends those images to a remote server. The idea is to scan your library for screenshots that show your crypto wallet recovery phrases and send them back to thieves, who can then use those phrases to hijack accounts and steal funds.
One of the first apps to raise suspicion among Kaspersky Lab researchers was the Chinese food delivery app ComeCome. It is still available on both iOS and Android and is the first known app infected with OCR malware to appear on the Apple App Store, Kaspersky said. Negative reviews dating back to 2023 suggest the app was using malware to steal information, but it’s unclear whether the app was using this particular OCR tactic all along.
Kaspersky also discovered other applications with a similar malicious structure. It’s important to note that researchers cannot say whether the malware was placed in these apps by an attacker or whether the app developers embedded it themselves. However, it appears that some apps were designed to attract users without offering legitimate services in return, such as multiple AI-powered messaging services from the same developer. Specifically, these are WeTink and AnyGPT, which are still live at the time of writing.
Where to go from here
First of all, if you have any of these affected apps installed on your iPhone or Android, uninstall them now. Even if the developers didn’t intentionally add malware (which could happen if a third party hijacks the app), it’s not safe to keep it on your device. After that, take a moment to clean out your iPhone or Android’s photo library. If you have images that contain recovery phrases for your crypto wallet, be sure to delete them, but also consider deleting images that contain any other sensitive information. Other strains of malware can use this same OCR tactic, for example to look for Social Security numbers or bank account information, so it’s best to eliminate this risk entirely.
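As an added example for the clean-up step above (not code from the article or from Kaspersky), here is a small self-audit helper: given the OCR text of your own screenshots, it flags the ones that look like they hold a wallet recovery phrase so you can find and delete them. It assumes you have already run an OCR tool over your exported photos; the sample OCR strings below are constructed, and the 12-to-24 short-lowercase-word shape is a heuristic for BIP-39 style phrases, not the malware’s keyword list.

```python
import re
from typing import Dict, Optional

# Heuristic shape of a BIP-39 style recovery phrase: 12 to 24 words, each 3 to 8
# lowercase letters. Constructed for this self-audit; not Kaspersky's detection logic.
MIN_PHRASE_WORDS = 12
WORD_RE = re.compile(r"^[a-z]{3,8}$")
# Labels that wallet backup screens commonly show (assumed list, for illustration).
HINT_WORDS = {"seed", "recovery", "mnemonic", "backup", "passphrase", "wallet"}

def longest_word_run(text: str) -> int:
    """Longest run of consecutive short lowercase-able words in one image's OCR text.
    Digits and punctuation are skipped, so a numbered list ('1. apple 2. river')
    still counts as one run; a long or mixed word such as 'Important' ends a run."""
    best = run = 0
    for token in re.findall(r"[A-Za-z]+", text):
        if WORD_RE.match(token.lower()):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best

def audit_ocr_text(text: str) -> Optional[str]:
    """Return a reason string if the OCR text looks like a recovery phrase, else None."""
    run = longest_word_run(text)
    hints = HINT_WORDS & {w.lower() for w in re.findall(r"[A-Za-z]+", text)}
    if run >= MIN_PHRASE_WORDS:
        return f"{run}-word run of short lowercase words" + (f", near {sorted(hints)}" if hints else "")
    if hints and run >= 6:  # shorter run, but labelled like a wallet backup screen
        return f"wallet-related label {sorted(hints)} with {run} candidate words"
    return None

def audit_samples(samples: Dict[str, str]) -> Dict[str, str]:
    """Map each flagged image name to the reason it was flagged."""
    return {name: reason for name, text in samples.items() if (reason := audit_ocr_text(text))}

# Constructed OCR outputs standing in for three screenshots (the 12 words are not a real seed).
SAMPLES = {
    "IMG_0001.png": "Recovery phrase\n1. apple 2. river 3. stone 4. cloud 5. tiger 6. lemon\n"
                    "7. piano 8. ocean 9. maple 10. candle 11. forest 12. silver",
    "IMG_0002.png": "Grocery list\nmilk eggs bread butter coffee",
    "IMG_0003.png": "Chat with Sam\nSee you at 7 tonight? Yes, bringing the slides.",
}

if __name__ == "__main__":
    for name, reason in audit_samples(SAMPLES).items():
        print(f"{name}: {reason}")  # only IMG_0001.png is flagged
```

Only images the heuristic flags need a manual look; treat it as a triage aid, not proof that a screenshot is safe.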
Finally, be careful when downloading new apps, even if you do so through official app stores. Be sure to review all aspects of an app’s page before installing it, including reviews, descriptions, and screenshots. If something doesn’t seem right, it’s probably best not to download it. And avoid generic AI applications like the plague. Developers know that there is high demand for AI applications, which means attackers can cleverly add malware to such applications in the hope that an AI fan will download their latest scheme. Don’t fall for it.