For the first time, malware that performs Optical Character Recognition (OCR) has been found in apps distributed through Apple's App Store, according to a report from Kaspersky. Similar apps were also discovered in the Google Play Store for Android devices.
The malware, dubbed "SparkCat," uses OCR to read text in images stored on an infected iPhone, including screenshots. The apps discovered by Kaspersky were designed to locate recovery phrases for crypto wallets, which let attackers drain the cryptocurrency those wallets hold.
The apps contain a malicious component that uses an OCR plug-in built with Google's ML Kit library to recognize text in images on the iPhone. When an image appears to contain wallet recovery data, it is sent to a server controlled by the attacker.
In March 2023, researchers at ESET discovered malware implants embedded into various messaging app mods. Some of these scanned users’ image galleries in search of crypto wallet access recovery phrases. The search employed an OCR model which selected images on the victim’s device to exfiltrate and send to the C2 server. The campaign, which targeted Android and Windows users, saw the malware spread through unofficial sources. In late 2024, we discovered a new malware campaign we dubbed “SparkCat”, whose operators used similar tactics while attacking Android and iOS users through both official and unofficial app stores.
Kaspersky identified several App Store apps carrying the OCR spyware, including ComeCome, WeTink, and AnyGPT, but it is not clear whether the infection was a "deliberate action by the developers" or the "result of a supply chain attack."
The malicious apps request permission to access the user's photos after installation. If the user grants it, the app uses its OCR functionality to search the images on the device for relevant text. Several of the apps are still available in the App Store and appear to target users in Europe and Asia.
While the apps are built to scan for crypto wallet information, Kaspersky notes that the same technique can be used to harvest other data captured in screenshots, including passwords.
Although Apple reviews every app submitted to the App Store, the review process let several of these apps through. It should be noted that there are no obvious indications of a trojan in the apps: the permissions they request are those a user would expect for the app's core functionality, so the photo-access prompt itself gives no reason for suspicion.
Kaspersky recommends that users avoid taking or storing screenshots that contain sensitive information, such as crypto wallet recovery phrases, to stay safe from this type of attack.
More information about the malware, as well as a full list of infected iOS frameworks, is available on the Kaspersky website.