Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Malware With Screen Reading Code Found in iOS Apps for the First Time

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
67,581
37,972


Malware that includes code for reading the contents of screenshots has been found in suspicious App Store apps for the first time, according to a report from Kaspersky.

iOS-App-Store-General-Feature-Desaturated.jpg

Dubbed "SparkCat," the malware includes OCR capabilities for sussing out sensitive information that an iPhone user has taken a screenshot of. The apps that Kaspersky discovered are aimed at locating recovery phrases for crypto wallets, which would allow attackers to steal bitcoin and other cryptocurrency.

The apps include a malicious module that uses an OCR plug-in created with Google's ML Kit library to recognize text found inside images on an iPhone. When a relevant image of a crypto wallet is located, it is sent to a server accessed by the attacker.

According to Kaspersky, SparkCat has been active since around March 2024. Similar malware was discovered in 2023 that targeted Android and PC devices, but it has now spread to iOS. Kaspersky located several App Store apps with OCR spyware, including ComeCome, WeTink, and AnyGPT, but it is not clear if the infection was a "deliberate action by the developers" or the "result of a supply chain attack."

The infected apps ask for permission to access a user's photos after being downloaded, and if granted permission, use the OCR functionality to sort through images looking for relevant text. Several of the apps are still in the App Store, and seem to be targeting iOS users in Europe and Asia.

While the apps are aimed at stealing crypto information, Kaspersky says that the malware is flexible enough that it could also be used to access other data captured in screenshots, like passwords. Android apps are impacted as well, including apps from the Google Play Store, but iOS users often expect their devices to be malware resistant.

Apple checks over every app in the App Store, and a malicious app marks a failure of Apple's app review process. In this case, there does not appear to be an obvious indication of a trojan in the app, and the permissions that it requests appear to be needed for core functionality.

Kaspersky suggests that users should avoid storing screenshots with sensitive information like crypto wallet recovery phases in their Photo Library to stay safe from this kind of attack.

A full list of iOS frameworks that are infected is available on the Kaspersky website, along with more information about the malware.

Article Link: Malware With Screen Reading Code Found in iOS Apps for the First Time
 
Article Link
https://www.macrumors.com/2025/02/05/ocr-malware-app-store/
Malware that includes code for reading the contents of screenshots has been found in suspicious App Store apps for the first time, according to a report from Kaspersky.

Kaspersky located several App Store apps with OCR spyware, including ComeCome, WeTink, and AnyGPT...
Click to expand...
See. This is what happens when you allow 3rd party app stores.

What's that? This was found on Apple's App Store? 😲
 
  • Like
  • Haha
  • Disagree
Reactions: Mystakill, gusmula, com.B and 56 others
MacRumors said:
Dubbed "SparkCat," the malware includes OCR capabilities for sussing out sensitive information that an iPhone user has taken a screenshot of. The apps that Kaspersky discovered are aimed at locating recovery phrases for crypto wallets, which would allow attackers to steal bitcoin and other cryptocurrency.
Click to expand...
Cats stealing crypto? Didn't know cats could be so dangerous.
 
  • Haha
Reactions: Shirasaki
"Apple checks over every app in the App Store. . . ."

They'd like you to think that, but no they do NOT check every app. Apple are more interested in nanny rules than real security rules. That is not to say they won't fix this, because they almost always respond after the fact when the media holds them accountable.

That is exactly why there is no such thing as "security by obscurity." And also why 3rd party App stores should be allowed. There is no additional security provided by Apple's walled garden. Marketing at its finest.
 
  • Like
  • Disagree
  • Love
Reactions: Grigori Wulfric, AstonSmith, miguel cortez and 28 others
nt5672 said:
"Apple checks over every app in the App Store. . . ."

They'd like you to think that, but no they do NOT check every app. Apple are more interested in nanny rules than real security rules. That is not to say they won't fix this, because they almost always respond after the fact when the media holds them accountable.

That is exactly why there is no such thing as "security by obscurity." And also why 3rd party App stores should be allowed. There is no additional security provided by Apple's walled garden. Marketing at its finest.
Click to expand...

Those of us who weren't born yesterday know they used to run deeper checks, and developers and the media screamed about how it took too long, and how Apple was evil, and how they needed to be regulated.

So they gave people what they demanded - faster screening times. And now we get this, and people still complain, because people who don't understand anything scream the loudest about everything.
 
  • Like
  • Disagree
  • Haha
Reactions: Simos.805, Galley, murrayp and 36 others
Storing your wallet keys as a picture in photo library (hosted on a cloud service) — what a great idea!

Why not share a backup copy here as well?

Here is mine: level board tiny alone exhaust green erase north gym enact foster nurse awake foster divert cup invite color author lawn else solution start aspect
 
  • Like
  • Haha
Reactions: com.B, Grigori Wulfric, klasma and 1 other person
GMShadow said:
Those of us who weren't born yesterday know they used to run deeper checks, and developers and the media screamed about how it took too long, and how Apple was evil, and how they needed to be regulated.
Click to expand...
Having Apps in the App Store since the beginning I will never believe the earlier delays were for deeper checks. The delay was because they wanted the developers to think there were deeper checks, but the times my apps were delayed were for stupid reasons and almost always because the reviewer had no idea what they were doing.
 
  • Like
  • Love
  • Wow
Reactions: Mystakill, Grigori Wulfric, rmadsen3 and 10 others
MacRumors said:


Malware that includes code for reading the contents of screenshots has been found in suspicious App Store apps for the first time, according to a report from Kaspersky.

iOS-App-Store-General-Feature-Desaturated.jpg

Dubbed "SparkCat," the malware includes OCR capabilities for sussing out sensitive information that an iPhone user has taken a screenshot of. The apps that Kaspersky discovered are aimed at locating recovery phrases for crypto wallets, which would allow attackers to steal bitcoin and other cryptocurrency.

The apps include a malicious module that uses an OCR plug-in created with Google's ML Kit library to recognize text found inside images on an iPhone. When a relevant image of a crypto wallet is located, it is sent to a server accessed by the attacker.

According to Kaspersky, SparkCat has been active since around March 2024. Similar malware was discovered in 2023 that targeted Android and PC devices, but it has now spread to iOS. Kaspersky located several App Store apps with OCR spyware, including ComeCome, WeTink, and AnyGPT, but it is not clear if the infection was a "deliberate action by the developers" or the "result of a supply chain attack."

The infected apps ask for permission to access a user's photos after being downloaded, and if granted permission, use the OCR functionality to sort through images looking for relevant text. Several of the apps are still in the App Store, and seem to be targeting iOS users in Europe and Asia.

While the apps are aimed at stealing crypto information, Kaspersky says that the malware is flexible enough that it could also be used to access other data captured in screenshots, like passwords. Android apps are impacted as well, including apps from the Google Play Store, but iOS users often expect their devices to be malware resistant.

Apple checks over every app in the App Store, and a malicious app marks a failure of Apple's app review process. In this case, there does not appear to be an obvious indication of a trojan in the app, and the permissions that it requests appear to be needed for core functionality.

Kaspersky suggests that users should avoid storing screenshots with sensitive information like crypto wallet recovery phases in their Photo Library to stay safe from this kind of attack.

A full list of iOS frameworks that are infected is available on the Kaspersky website, along with more information about the malware.

Article Link: Malware With Screen Reading Code Found in iOS Apps for the First Time
Click to expand...
This is EU fault.
 
  • Disagree
  • Haha
  • Like
Reactions: Mystakill, Grigori Wulfric, Shirasaki and 6 others
iPhones must not be niche products. Otherwise, hackers would not waste time and resources targeting a small group of potential victims. 🤔
 
GMShadow said:
Those of us who weren't born yesterday know they used to run deeper checks, and developers and the media screamed about how it took too long, and how Apple was evil, and how they needed to be regulated.

So they gave people what they demanded - faster screening times. And now we get this, and people still complain, because people who don't understand anything scream the loudest about everything.
Click to expand...
Well why commit to something if you can’t regulate it properly. Surely you know as a company that you can still maintain your standards before you make it quicker.
So your basically saying they cut corners in the process so that is Apple’s fault
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back