Kaspersky discovered ‘SparkCat’ malware aimed at stealing cryptocurrency in multiple iOS apps.
In a significant cybersecurity development, malicious apps capable of reading screenshots have been discovered in both Apple’s App Store and Google Play Store. This marks the first known instance of such sophisticated malware successfully infiltrating Apple’s tightly regulated ecosystem, according to a report published today by cybersecurity firm Kaspersky.
A New Breed of Malware: “SparkCat”
Kaspersky’s cybersecurity researchers uncovered the alarming presence of a malware campaign, dubbed “SparkCat,” in late 2024. Their analysis suggests that the underlying malicious frameworks were developed as early as March 2024. Unlike traditional malware that exploits device vulnerabilities or steals login credentials through phishing tactics, SparkCat employs Optical Character Recognition (OCR) technology to scan images for sensitive data.
How the Malware Works
On both iOS and Android, the infected apps deploy a deceptive method to gain access to users’ photo galleries. The malware is activated when users attempt to interact with in-app chat support, triggering a seemingly routine request to access their photo library. If permission is granted, the malware uses Google’s OCR technology to extract text from screenshots stored on the device. This method is particularly dangerous for cryptocurrency users, as many take screenshots of their wallet credentials, including private keys and recovery phrases. Once the malware identifies relevant screenshots, it sends them to cybercriminals who can then use the stolen data to access and drain crypto wallets.
Targeted Apps Identified
Kaspersky’s investigation identified three specific apps infected with the SparkCat malware that are still available for download:
- WeTink – An AI-powered chat application
- AnyGPT – Another AI chatbot app
- ComeCome – A food delivery service app
While the first two appear to be designed specifically as part of the malware campaign, ComeCome masquerades as a legitimate food delivery service, adding another layer of deception to the attack. The continued availability of these apps in official app stores underscores the evolving challenges of app store security and the sophisticated techniques cybercriminals now employ.
Supply Chain Attack or Developer Malfeasance?
At this stage, Kaspersky has not determined whether the inclusion of the malicious code resulted from a supply chain attack—where third-party software components were compromised—or if the developers intentionally embedded the malware. The latter scenario would imply a direct and deliberate attempt to distribute the malware, raising serious concerns about vetting processes within app marketplaces.
The Risks and What You Can Do
This discovery highlights the increasing risks associated with granting apps access to personal data, particularly sensitive information stored in photo galleries. While both Apple and Google enforce strict app review policies, this incident reveals vulnerabilities even within their walled ecosystems.
To protect yourself from such threats, consider the following precautions:
- Be cautious when granting app permissions – Avoid giving apps access to your photos unless absolutely necessary.
- Use secure password managers – Store sensitive credentials in encrypted password managers instead of taking screenshots.
- Regularly audit installed apps – Uninstall applications that request suspicious or unnecessary permissions.
- Enable two-factor authentication (2FA) – Secure crypto wallets and other sensitive accounts with additional security layers.
- Keep your software updated – Ensure your device’s operating system and security patches are up to date to mitigate vulnerabilities.
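The text check the article describes (OCR output scanned for recovery phrases and private keys) can be turned around for self-audit: run over the OCR text of your own screenshots, it flags the ones holding wallet secrets that belong in a password manager and should be deleted. This is an added example, not code from Kaspersky's report or from the malware; the wordlist subset, the key pattern and the sample texts are constructed for illustration.

```python
import re

# Constructed subset of the BIP39 English wordlist (its first 24 entries).
# A real audit would load the full 2048-word list from a file (assumption).
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access accident
account accuse achieve acid acoustic acquire across act action actor actress actual
""".split())

# Heuristic: a raw 256-bit private key written as 64 hex characters.
HEX_KEY_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Shortest valid BIP39 mnemonic; longer phrases (15..24 words) also exceed this.
MIN_PHRASE_WORDS = 12


def longest_wordlist_run(text, wordlist=BIP39_SUBSET):
    """Length of the longest run of consecutive words that are all in the wordlist."""
    best = cur = 0
    for word in re.findall(r"[a-z]+", text.lower()):
        cur = cur + 1 if word in wordlist else 0   # a non-wordlist word breaks the run
        best = max(best, cur)
    return best


def classify_screenshot_text(text):
    """Return the kinds of wallet secret found in OCR text ([] if none)."""
    findings = []
    if HEX_KEY_RE.search(text):
        findings.append("hex_private_key")
    if longest_wordlist_run(text) >= MIN_PHRASE_WORDS:
        findings.append("recovery_phrase")
    return findings


def audit(texts):
    """Map each OCR text to its findings, keeping only screenshots worth removing."""
    return {t: classify_screenshot_text(t) for t in texts if classify_screenshot_text(t)}


# Constructed OCR output standing in for three screenshots.
SAMPLE_TEXTS = [
    "My wallet: abandon ability able about above absent absorb abstract absurd abuse access accident",
    "Dinner at 7? Check the menu screenshot",
    "private key: " + "ab" * 32,
]

if __name__ == "__main__":
    for text, kinds in audit(SAMPLE_TEXTS).items():
        print(f"{kinds}: {text[:40]}...")
```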
Apple and Google’s Response
Neither Apple nor Google has yet responded to inquiries regarding the presence of these malicious apps in their stores. Given the seriousness of this breach, it is expected that both companies will take swift action to remove the compromised apps and reinforce their security measures.
A Wake-Up Call for Mobile Security
The emergence of SparkCat serves as a stark reminder that no app ecosystem, not even Apple’s renowned App Store, is completely immune to cyber threats. As mobile security risks evolve, users must remain vigilant, adopt best security practices, and treat app permissions with caution.
Cybercriminals are constantly innovating new methods to steal sensitive information, and this incident demonstrates that even well-guarded platforms can be infiltrated. Whether through deceptive app permissions or sophisticated OCR-based attacks, the digital landscape continues to be a battleground for data security.
Kaspersky urges all users who have downloaded WeTink, AnyGPT, or ComeCome to remove these apps immediately and check their accounts for any suspicious activity. Stay informed, stay secure, and always think twice before granting apps access to your personal data.