Malware Uses Screenshots from App Stores to Steal Crypto

Kaspersky has identified a novel malware operation, dubbed SparkCat, that has infiltrated both the Apple App Store and Google Play. It is the first known case of apps that read users' screenshots with OCR being found in Apple's official marketplace, raising concerns about how malicious code can reach users through legitimate app ecosystems.

SparkCat was discovered in late 2024. It uses optical character recognition (OCR) to mine users' photo galleries for sensitive information, in particular cryptocurrency wallet recovery phrases. When a user opens the customer support chat in an infected app, the app asks for permission to view their photos and files. If that permission is granted, an OCR component built on Google's ML Kit scans the stored images for text related to crypto transactions or recovery phrases, and the malware sends any matches to the attackers, enabling unauthorized access and theft.

Kaspersky's research suggests that some of the apps were built with malicious intent from the start, while others may have been compromised without their developers' knowledge. Apps identified as infected include two AI chatbots (WeTink and AnyGPT) and the food delivery app ComeCome; other potentially infected apps have yet to be confirmed.

SparkCat spans both iOS and Android, so existing as well as newly released apps could carry the malicious code. On Android, the malware activates by decrypting and loading an OCR plug-in that scans stored images for sensitive data; on iOS, a separate module built on Google's ML Kit performs the same function.
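The two passages above describe the same core behaviour: OCR text pulled from a user's images is sifted for anything that looks like a wallet recovery phrase. The same screening logic is useful on the defensive side, for instance in a device-hygiene or DLP tool that warns a user which screenshots in their gallery should not be there. The following Python is an added example, not code from Kaspersky's report or from SparkCat; it assumes the OCR step (ML Kit, tesseract, or similar) has already run and operates only on the resulting text strings, which are constructed here. The word-shape heuristic is an assumption of this example (BIP-39 mnemonics have at least 12 words of 3 to 8 lowercase letters) and deliberately does not embed the 2048-word BIP-39 list, so it is a screen, not a validator.

```python
"""
Defensive screening of OCR output for recovery-phrase-like text.
Constructed example: the OCR step (ML Kit, tesseract, ...) is assumed to
have already produced the text strings used below.
"""
import re
from typing import Dict, List

# Any BIP-39 mnemonic has at least 12 words; each word is 3-8 lowercase letters.
# (Assumption of this example: shape only, no wordlist lookup.)
MIN_MNEMONIC_WORDS = 12
WORD_TOKEN = re.compile(r"[a-z]{3,8}")
# Wallet apps usually number the words ("1." "2)"); such tokens should neither
# extend nor break a run of candidate words.
LIST_INDEX = re.compile(r"\d{1,2}[.):]?")
# Phrases that wallet backup screens commonly print above the words.
KEYWORDS = ("recovery phrase", "seed phrase", "secret phrase", "backup phrase",
            "mnemonic", "private key")


def longest_word_run(text: str) -> int:
    """Length of the longest run of mnemonic-shaped tokens in the text."""
    best = run = 0
    for token in text.split():
        lowered = token.lower()
        if WORD_TOKEN.fullmatch(lowered):
            run += 1
        elif LIST_INDEX.fullmatch(lowered):
            continue  # numbering: skip without breaking the run
        else:
            best, run = max(best, run), 0  # punctuation, digits etc. end the run
    return max(best, run)


def analyze_ocr_text(text: str) -> Dict[str, object]:
    """Score one image's OCR text; 'flagged' means it deserves a human look."""
    lowered = text.lower()
    hits = [k for k in KEYWORDS if k in lowered]
    run = longest_word_run(text)
    shaped = run >= MIN_MNEMONIC_WORDS
    return {"mnemonic_shaped": shaped, "keyword_hits": hits,
            "longest_run": run, "flagged": shaped or bool(hits)}


def flagged_images(ocr_by_image: Dict[str, str]) -> List[str]:
    """Names of images whose OCR text was flagged, sorted for stable output."""
    return sorted(name for name, text in ocr_by_image.items()
                  if analyze_ocr_text(text)["flagged"])


# Constructed OCR outputs standing in for three screenshots (not real data).
SAMPLES = {
    "wallet_backup.png": "Secret Recovery Phrase\n1. abandon 2. ability 3. able 4. about "
                         "5. above 6. absent 7. absorb 8. abstract 9. absurd 10. abuse "
                         "11. access 12. accident",
    "chat.png": "Dinner at 7pm? Bring the kids, we'll order pizza.",
    "shopping_list.png": "apple banana cherry orange grape lemon melon peach plum kiwi mango berry",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, analyze_ocr_text(text))
    print("review:", flagged_images(SAMPLES))
```

The third constructed sample is a plain list of fruit, and the shape heuristic flags it anyway. That false positive is the point of including it: a screen built on word shape alone needs a second signal (the keyword hits, or a real BIP-39 wordlist match) before it is worth interrupting a user, and the `analyze_ocr_text` result keeps both signals separate so a caller can weight them.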

Whether SparkCat was introduced through deliberate supply chain attacks or through developer error remains unclear. The incident underscores the need for stronger app vetting processes to keep malicious code out of official stores and to protect users' personal information.