Malware Steals Crypto via Screenshots in App Stores


Kaspersky has identified a new malware operation called SparkCat that has infiltrated both the Apple App Store and the Google Play Store. This is the first known instance of apps infected with screenshot-reading OCR malware reaching Apple’s official marketplace.

SparkCat was discovered in late 2024. The malware uses Google’s ML Kit OCR technology to scan users’ photo galleries for sensitive information, in particular cryptocurrency wallet recovery phrases.

The malware activates when the user opens the chat support feature inside an infected app, at which point the app requests access to the photo gallery. If the user grants access, the malware scans the stored images for text related to cryptocurrency and sends its findings to the attackers, who use the recovered phrases to access the victims’ wallets and steal their funds.

Kaspersky’s researchers suggest that some of the apps in question were deliberately created with malicious intent, while others may have been compromised without their developers’ knowledge.

Infections have been identified in two AI chat apps, WeTink and AnyGPT, as well as the food delivery app ComeCome, and other affected apps are still available for download.

Given that the malware was present on both iOS and Android, this points to a failure of the vetting processes at both app stores.

On Android, the malware decrypts and activates an OCR plug-in that analyzes stored images; on iOS, the same task is performed by a separate module, also based on Google’s ML Kit.

Whether the infection was made possible by a supply-chain attack or by intentional action on the part of the developers has so far remained unresolved by Kaspersky.


By George Kamau

I brunch on consumer tech.
