Guarding Against Malware in Apps: What You Need to Know
Many applications add useful functionality, but not all of them are safe. Install apps only from reputable sources such as the iOS App Store and Google Play Store, which screen submissions to detect and remove malware before it reaches users. Neither Apple nor Google is infallible, however: malicious apps do reach both official marketplaces, and more often than one might expect. The problem is more common on the Play Store, because Apple's review guidelines are stricter, but the App Store is not immune; cases of malware slipping through have been documented, as previously reported. Recently, researchers uncovered a set of apps containing malware on both platforms, a notable discovery of this malware type within the iOS ecosystem.
Understanding SparkCat
A team of researchers from Kaspersky recently identified applications on both Apple's App Store and Google's Play Store that were laced with malicious code capable of stealing cryptocurrency wallet recovery phrases, the lists of words needed to restore access to a digital wallet. Dubbed "SparkCat," this malware variant is believed to have emerged as early as March 2024.
Once one of these infected apps was installed on an iOS or Android device, it would typically prompt the user to grant access to the photo library. The malware then loaded an optical character recognition (OCR) plug-in and scanned the images stored on the device; any image whose text matched a set of specific keywords was transmitted to a remote server. The aim was to find screenshots containing recovery phrases, which would give the attackers unauthorized access to the victim's crypto accounts.
The first app that piqued Kaspersky’s interest was a Chinese food delivery service known as ComeCome. When this report was published on February 5, it remained available on both iOS and Android. This was identified as the first instance of an app with OCR malware appearing on the App Store. Since then, both platforms have delisted it. Notably, a damaging review dating back to 2023 hinted at the app’s alleged malware activity, although it remains unclear whether this specific OCR methodology was always part of its operation.
Next Steps to Take
Anyone who has one of these dubious applications installed should delete it immediately. Even if the developers did not intentionally incorporate the malicious code (it may have arrived through a third-party compromise), keeping such an app installed is risky. Removal of an app from the store also does not remove it from your device, so you must uninstall it yourself.
After uninstalling, thoroughly review the images saved on your device. If any picture contains a recovery phrase for a cryptocurrency wallet, delete it. Consider also removing images that contain other sensitive personal information, since other malware strains can use the same OCR technique to find social security numbers or banking details. It is best to eliminate such exposure entirely.
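Reviewing a large photo library by eye is error-prone, so one practical way to follow the advice above is to run an OCR tool over your own screenshots and then check the extracted text for anything that looks like a wallet recovery phrase. The following is an added example written for this article, not a tool from Kaspersky or from any wallet vendor. It assumes the OCR step has already been done (the image-name-to-text mapping is constructed here) and uses only a small constructed subset of the BIP39 English wordlist; a real checker would load the full 2048-word list from a file. It flags text that contains a run of 12, 15, 18, 21 or 24 wordlist words (tolerating a couple of OCR misreads) or that mentions a recovery phrase by name, so you know which images to delete.

```python
import re
from typing import Dict, List, Tuple

# Constructed subset of the BIP39 English wordlist. The real list has 2048
# entries; a production checker loads all of them from a file. This subset
# is an assumption made so the example runs offline.
BIP39_SAMPLE = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt add addict address adjust admit
adult advance advice aerobic affair afford afraid again age agent
""".split())

# Valid BIP39 phrase lengths, and labels wallets commonly print next to a phrase.
PHRASE_LENGTHS = (12, 15, 18, 21, 24)
KEYWORDS = ("recovery phrase", "seed phrase", "secret phrase", "mnemonic")

# Accept a window if at least 90% of its words are wordlist words, so that
# one or two OCR misreads do not hide an otherwise complete phrase.
MIN_MATCH_RATIO = 0.9


def tokens(text: str) -> List[str]:
    """Lower-case alphabetic tokens; digits and punctuation are ignored."""
    return re.findall(r"[a-z]+", text.lower())


def find_phrase_window(text: str, wordlist=BIP39_SAMPLE) -> int:
    """Return the largest phrase length found in the text, or 0 if none.

    Longer lengths are tried first so a 24-word phrase is not reported as 12.
    """
    words = tokens(text)
    for n in reversed(PHRASE_LENGTHS):
        for start in range(len(words) - n + 1):
            window = words[start:start + n]
            hits = sum(1 for w in window if w in wordlist)
            if hits / n >= MIN_MATCH_RATIO:
                return n
    return 0


def classify(text: str, wordlist=BIP39_SAMPLE) -> str:
    """Return a reason string if the text looks sensitive, else ''."""
    n = find_phrase_window(text, wordlist)
    if n:
        return f"phrase:{n}"
    lowered = text.lower()
    for keyword in KEYWORDS:
        if keyword in lowered:
            return f"keyword:{keyword}"
    return ""


def flag_images(ocr_results: Dict[str, str], wordlist=BIP39_SAMPLE) -> List[Tuple[str, str]]:
    """Map OCR output per image to a list of (image name, reason) to review."""
    flagged = []
    for name, text in ocr_results.items():
        reason = classify(text, wordlist)
        if reason:
            flagged.append((name, reason))
    return flagged


# Constructed OCR output standing in for what an OCR library would return.
SAMPLE_OCR = {
    "screenshot_001.png": "Your recovery phrase: abandon ability able about above absent "
                          "absorb abstract absurd abuse access accident",
    "screenshot_002.png": "abandon ability able about above absent absorb abstract absurd "
                          "abuse access accident account accuse achieve acid acoustic "
                          "acquire across act action actor actress actual",
    # 'acount' simulates an OCR misread of 'account'.
    "screenshot_003.png": "acount abandon ability able about above absent absorb abstract "
                          "absurd abuse access",
    "note.png": "my seed phrase is in the safe",
    "receipt.png": "Total 12.50 thank you for dining with us",
    "todo.png": "remember to buy milk eggs bread and call the dentist about the appointment",
}

if __name__ == "__main__":
    for name, reason in flag_images(SAMPLE_OCR):
        print(f"review and delete: {name} ({reason})")
```

The length-first search matters: a 24-word phrase also contains many 12-word windows, and reporting the larger length tells you what kind of wallet backup you are looking at. The 90% tolerance is a judgement call; raise it if ordinary prose in your screenshots starts to trigger false positives, since short common words such as "about" and "act" are also BIP39 words.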
Lastly, stay vigilant when downloading new applications, even from trusted app stores. Scrutinize every part of the app page, including reviews, descriptions and previews, before installing. If anything seems dubious, err on the side of caution and do not download it. Take special care with generic AI applications: the rising demand for AI tools has led malicious actors to embed malware in such apps in the hope of attracting unsuspecting AI enthusiasts. Stay alert and don't fall prey to these tactics.