Any app that has access to the user's images could do OCR with its own custom code. How, practically, would Apple be able to discriminate that from typical image processing app behaviour?
This is also why you shouldn't give apps blanket permission to your full photo library. Only give permission to specific photos in the moment.
Malware that includes code for reading the contents of screenshots has been found in suspicious App Store apps for the first time, according to a report from Kaspersky.
Dubbed "SparkCat," the malware includes OCR capabilities for sussing out sensitive information that an iPhone user has taken a screenshot of. The apps that Kaspersky discovered are aimed at locating recovery phrases for crypto wallets, which would allow attackers to steal bitcoin and other cryptocurrency.
The apps include a malicious module that uses an OCR plug-in created with Google's ML Kit library to recognize text found inside images on an iPhone. When a relevant image of a crypto wallet is located, it is sent to a server accessed by the attacker.
According to Kaspersky, SparkCat has been active since around March 2024. Similar malware was discovered in 2023 that targeted Android and PC devices, but it has now spread to iOS. Kaspersky located several App Store apps with OCR spyware, including ComeCome, WeTink, and AnyGPT, but it is not clear if the infection was a "deliberate action by the developers" or the "result of a supply chain attack."
The infected apps ask for permission to access a user's photos after being downloaded, and if granted permission, use the OCR functionality to sort through images looking for relevant text. Several of the apps are still in the App Store, and seem to be targeting iOS users in Europe and Asia.
While the apps are aimed at stealing crypto information, Kaspersky says that the malware is flexible enough that it could also be used to access other data captured in screenshots, like passwords. Android apps are impacted as well, including apps from the Google Play Store, but iOS users often expect their devices to be malware resistant.
Apple reviews every app submitted to the App Store, so a malicious app that gets through marks a failure of Apple's app review process. In this case, there does not appear to be an obvious indication of a trojan in the app, and the permissions that it requests appear to be needed for its core functionality.
Kaspersky suggests that users should avoid storing screenshots with sensitive information like crypto wallet recovery phrases in their Photo Library to stay safe from this kind of attack.
A full list of iOS frameworks that are infected is available on the Kaspersky website, along with more information about the malware.
Article Link: Malware With Screen Reading Code Found in iOS Apps for the First Time
For this to work, an iPhone user would have to give the app permission to search through photos. I wonder why the user would do this. What is the app's overt purpose? Is this some kind of photo-organizing app?
The Photos app is really the best password manager! Apple should actually integrate that with automatic password fill-in via Apple Intelligence. Just take a screenshot of whatever credentials, and it will automatically be available for fill-in. It just works!
^This! Unfortunately you will be asked AGAIN EVERY app start to give full permission - until you finally give in to stop this pestering, because Apple NEVER gives you the NO-AND-NEVER-ASK-AGAIN option.
This is also why you shouldn't give apps blanket permission to your full photo library. Only give permission to specific photos in the moment.
It’s understandable if some of the problematic Apps still get approved. However, without the approval process, there could be thousands times more.
Can't believe it took three comments for a sensible response rather than just attacking Apple...
Time to upgrade the code checking
I've had multiple otherwise-intelligent relatives fall for "We need to remotely install this onto your computer to check for xx" scams. Don't underestimate the skill of social engineers.
That's the thing about most phishing and breaches
It's almost always the human themselves that is the weak point, not any technology
Are you blind? This is on the App Store
This is the EU's fault.
I've had multiple otherwise-intelligent relatives fall for "We need to remotely install this onto your computer to check for xx" scams. Don't underestimate the skill of social engineers.
Even the strongest lock is moot when the owner gets manipulated into giving the key to the bad guys.
I dunno, there are cases where apps have legit good reasons for accessing photos.
the issue here is the photo access permission, that should not exist in the first place
I dunno, there are cases where apps have legit good reasons for accessing photos.
But those need to be LEGIT GOOD REASONS (necessary and even core to app functionality), and any app using photo access APIs should be under special scrutiny at review.
My app called Altershot uses full Photos access to show screenshots which you can edit. It won't work as well with the system Photos picker, it would require more taps from my customers.
the issue here is the photo access permission, that should not exist in the first place
the whole underlying framework should bring up system photos selector, and then only give the app photos user has selected (stripped of metadata)
giving app access to all photos is dumb. the 2nd option that requires user to give app permission only to certain photos is even dumber - that means i had to click on every photo that i want to give permission, then repeat that process again when i actually want to do something with them in app (ie. send to somebody)
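The limited-selection flow the commenters are arguing about already exists on iOS as PHPickerViewController: it runs out of process, needs no photo-library permission prompt (so the "asked again every app start" nag never appears), and hands the app only the items the user picked. The following is an added example written for this thread; it is not code from the article, from Kaspersky, from Apple's documentation, or from the Altershot app. The class name, the `onImagePicked` callback and the choice to re-encode the image as JPEG to drop its original EXIF/GPS metadata are my own assumptions; the PhotosUI calls are the real public API.

```swift
import UIKit
import PhotosUI

// Added example: a screenshot editor that never asks for full Photo Library
// access. The picker is shown by the system, the app cannot enumerate the
// library, and it only ever receives the one screenshot the user chose.
final class ScreenshotEditorViewController: UIViewController, PHPickerViewControllerDelegate {

    // Hypothetical callback the rest of the app would hook into.
    var onImagePicked: ((UIImage) -> Void)?

    // Present the system picker restricted to screenshots (the image type the
    // article says SparkCat was hunting for). No NSPhotoLibraryUsageDescription
    // prompt is triggered and nothing appears under Settings > Privacy > Photos.
    func presentScreenshotPicker() {
        var config = PHPickerConfiguration()
        config.filter = .screenshots          // iOS 15+; fall back to .images on iOS 14
        config.selectionLimit = 1             // one item, not the whole library
        config.preferredAssetRepresentationMode = .current
        let picker = PHPickerViewController(configuration: config)
        picker.delegate = self
        present(picker, animated: true)
    }

    // Called by the system picker with only the selected result(s).
    func picker(_ picker: PHPickerViewController, didFinishPicking results: [PHPickerResult]) {
        picker.dismiss(animated: true)
        guard let provider = results.first?.itemProvider,
              provider.canLoadObject(ofClass: UIImage.self) else { return }

        provider.loadObject(ofClass: UIImage.self) { [weak self] object, error in
            guard let image = object as? UIImage, error == nil else { return }
            // Re-encode the pixels. The fresh JPEG carries none of the source
            // file's EXIF/GPS metadata, which is the "stripped of metadata"
            // behaviour one commenter asked the framework to provide.
            guard let strippedData = image.jpegData(compressionQuality: 0.9),
                  let cleanImage = UIImage(data: strippedData) else { return }
            DispatchQueue.main.async { self?.onImagePicked?(cleanImage) }
        }
    }
}
```

The trade-off is exactly the one the Altershot developer raises: the user taps through the system picker each time instead of the app showing its own grid, so an app that legitimately needs the whole library still has to request full access. From a review standpoint, that is the useful signal: an app whose core feature only needs the user's chosen images should be using the picker, and a request for full library access paired with an on-device OCR framework is the combination worth a closer look.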