Apps distributed through both Apple's and Google's app stores are hiding malicious screenshot-reading code that is being used to steal cryptocurrency, cybersecurity software firm Kaspersky reported today. It is the "first known case" of apps infected with malware that uses OCR technology to extract text from images making it into Apple's App Store, according to a blog post detailing the company's findings.
Kaspersky says it found the code from this particular malware campaign, which it calls "SparkCat," in late 2024, and that the frameworks behind it appear to have been created in March of the same year.
On iOS, and in some Android cases, the malware works by triggering a request to access the user's photo gallery when they try to use chat support inside the infected app. Because the request is tied to a plausible feature (attaching a screenshot to a support conversation), users are likely to grant it. Once permission is granted, the malware runs Google's OCR technology, which lets it read text found in images, over the gallery to look for things like screenshots of crypto wallet passwords or recovery phrases. It then sends any matching images back to the attackers, who can use the information to access the wallets and steal the crypto.
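The capability combination described above (a photo-library permission prompt bundled together with an on-device OCR engine) is something an app reviewer or mobile-malware analyst can check for statically. The following is an added example, not code from Kaspersky's report or from The Verge's article: a small triage heuristic for an unpacked iOS app bundle. The framework names it looks for (Google ML Kit's text-recognition frameworks) and the plist keys are assumptions about how such an app would be packaged, and the sample bundles it builds are constructed fixtures so the script runs offline.

```python
# Added example: static triage of an unpacked iOS .app for the "asks for the photo
# library AND bundles an OCR engine" pattern. Not Kaspersky's or The Verge's code.
import pathlib
import plistlib
import tempfile

# Assumed names: Google ML Kit's iOS text-recognition pods ship frameworks with these
# prefixes. A match is only a hint that OCR is present, not proof of malice.
OCR_FRAMEWORK_HINTS = ("MLKitTextRecognition", "MLKitVision", "GoogleMLKit")
# Keys an iOS app must declare before it can prompt for photo-library access.
PHOTO_KEYS = ("NSPhotoLibraryUsageDescription", "NSPhotoLibraryAddUsageDescription")


def triage_bundle(app_dir: pathlib.Path) -> dict:
    """Inspect Info.plist and Frameworks/ of an unpacked .app and return findings."""
    with open(app_dir / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    photo_prompts = [k for k in PHOTO_KEYS if k in info]
    frameworks_dir = app_dir / "Frameworks"
    frameworks = (
        sorted(p.name for p in frameworks_dir.glob("*.framework"))
        if frameworks_dir.is_dir()
        else []
    )
    ocr_frameworks = [f for f in frameworks if any(h in f for h in OCR_FRAMEWORK_HINTS)]
    # An app that also disables App Transport Security can exfiltrate over plain
    # HTTP, so surface that in the same pass.
    ats = info.get("NSAppTransportSecurity", {})
    allows_arbitrary_loads = bool(ats.get("NSAllowsArbitraryLoads", False))
    return {
        "bundle_id": info.get("CFBundleIdentifier", "<missing>"),
        "photo_prompts": photo_prompts,
        "ocr_frameworks": ocr_frameworks,
        "allows_arbitrary_loads": allows_arbitrary_loads,
        # The pattern worth a manual look: photo-library prompt plus an OCR engine.
        "review": bool(photo_prompts) and bool(ocr_frameworks),
    }


def make_sample_bundle(root, bundle_id, photo_prompt, ocr_framework):
    """Constructed fixture: a minimal fake .app so the triage runs offline."""
    app_dir = pathlib.Path(root) / f"{bundle_id}.app"
    (app_dir / "Frameworks").mkdir(parents=True)
    info = {"CFBundleIdentifier": bundle_id, "CFBundleVersion": "1"}
    if photo_prompt:
        info["NSPhotoLibraryUsageDescription"] = "Share a screenshot with support"
    with open(app_dir / "Info.plist", "wb") as fh:
        plistlib.dump(info, fh)
    if ocr_framework:
        (app_dir / "Frameworks" / "MLKitTextRecognition.framework").mkdir()
    return app_dir


def demo() -> dict:
    """Triage three constructed bundles and return name -> needs-review verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        cases = {
            "chat-with-ocr": make_sample_bundle(tmp, "com.example.chatocr", True, True),
            "delivery-no-ocr": make_sample_bundle(tmp, "com.example.delivery", True, False),
            "ocr-no-photos": make_sample_bundle(tmp, "com.example.scanner", False, True),
        }
        return {name: triage_bundle(path)["review"] for name, path in cases.items()}


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'REVIEW' if flagged else 'ok'}")
```

The check is deliberately a triage filter, not a verdict: a legitimate document scanner or receipt app will match the same combination, so a hit means "read the code paths that run after the photo permission is granted," in particular anything that feeds OCR output to a network call. Flags on Android would be the analogous manifest permissions plus the same ML Kit dependency.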
Kaspersky says it can't "confirm with certainty whether the infection was a result of a supply chain attack or deliberate action by the developers." The company names two AI chat apps that appear to have been created for the campaign and still seem to be available on the App Store, called WeTink and AnyGPT. Kaspersky also found the malicious code in a legitimate-seeming food delivery app called ComeCome, which you can also still download.
Neither Apple nor Google immediately responded to The Verge's request for comment.