Within the smartphone landscape, Apple’s ecosystem is frequently regarded as the most secure. Independent evaluations by cybersecurity experts have consistently reinforced this perspective over time. However, Apple’s defenses are not foolproof, and it appears that malicious actors have achieved another concerning breakthrough.
According to an analysis by Kaspersky, malware equipped with Optical Character Recognition (OCR) capabilities has been identified on the App Store for the first time. Rather than pilfering files saved on a device, this malware scans locally stored screenshots, interprets the textual content, and transmits the extracted information to external servers.
The operation behind this malware, dubbed “SparkCat,” exploited apps distributed from official repositories—specifically Google’s Play Store and Apple’s App Store—as well as third-party sources. These compromised applications collectively accumulated around 250,000 downloads across the two platforms.

Notably, the malware leveraged Google’s ML Kit library, a set of tools that lets applications integrate machine learning features for fast, offline data processing. Through ML Kit, the malware ran Google’s OCR model over photos saved on the iPhone and flagged any text that might contain sensitive information.
However, the malware’s capabilities extended beyond merely capturing cryptocurrency recovery codes. “It is important to highlight that the malware is versatile, allowing it to steal various sensitive data from the gallery, including messages or passwords that may have been captured in screenshots,” the Kaspersky report states.
One of the iPhone applications affected was ComeCome, which superficially appears to be a food delivery service but was actually embedded with screenshot-reading malware. Kaspersky noted, “This is the first known instance of an app infiltrated with OCR spyware within Apple’s official app marketplace.”

The exact involvement of the app developers in introducing this malware remains uncertain, raising the possibility of a supply chain attack. Regardless of its origins, the entire process appeared unobtrusive, with the apps seemingly legitimate and serving purposes such as messaging, AI learning, or food delivery. Notably, the cross-platform malware was also designed to mask its presence, compounding detection difficulties.
The primary goal of this attack was to exfiltrate cryptocurrency wallet recovery phrases, which could enable an attacker to take control of an individual’s crypto wallet and access their assets. The main targets were located in Europe and Asia, but some of the flagged apps also seemed to operate in Africa and additional regions.
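Because the attack only pays off when a recovery phrase is sitting in the photo library, a practical defensive step is to audit your own screenshots for such text. The following is an added example, not code from Kaspersky or from the apps discussed: it takes already-extracted OCR text (the sample input is constructed) and applies a simple heuristic for BIP39-style phrases, so the owner can move them out of the gallery. The phrase-length and word-shape rules are assumptions; a real audit would check tokens against the actual 2048-word BIP39 list.

```python
import re

# Heuristic self-audit over OCR output: BIP39-style recovery phrases are 12 to 24
# lowercase English words of 3 to 8 letters, often displayed as a numbered list.
# The real BIP39 wordlist would tighten this check; it is omitted here for brevity.
MIN_PHRASE_WORDS = 12
WORD_RE = re.compile(r"^[a-z]{3,8}$")
NUMBERING_RE = re.compile(r"^\d{1,2}[.)]?$")  # list numbering such as "1.", "12)" or "7"

def longest_word_run(text: str) -> int:
    """Length of the longest run of consecutive recovery-phrase-like tokens."""
    longest = run = 0
    for tok in text.lower().split():
        if NUMBERING_RE.match(tok):
            continue  # list numbering does not break the run
        if WORD_RE.match(tok):
            run += 1
            longest = max(longest, run)
        else:
            run = 0  # punctuation, digits or long words end the run
    return longest

def looks_like_recovery_phrase(text: str) -> bool:
    # False positives (long runs of short UI words) are acceptable for a self-audit.
    return longest_word_run(text) >= MIN_PHRASE_WORDS

def audit_screenshots(ocr_results: dict[str, str]) -> list[str]:
    """Return names of screenshots whose OCR text appears to hold a recovery phrase."""
    return [name for name, text in ocr_results.items() if looks_like_recovery_phrase(text)]

# Constructed sample OCR output (not real data); the phrase is the first 12 BIP39 words.
SAMPLE_OCR = {
    "IMG_0001.png": (
        "Your recovery phrase\n"
        "Write these words down in order and keep them safe.\n"
        "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
        "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident\n"
        "Continue"
    ),
    "IMG_0002.png": "Order 4821 delivered, thank you for ordering with us!",
}

if __name__ == "__main__":
    for name in audit_screenshots(SAMPLE_OCR):
        print(f"{name}: possible recovery phrase, move it out of the photo library")
```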