Malicious Apps Exploit Photo Libraries to Steal Cryptocurrency Data

Malicious applications have infiltrated both Apple’s App Store and Google’s Play Store, compromising user data by exploiting access to photo libraries. These apps, masquerading as legitimate services, scan the images they are granted access to for sensitive information, particularly cryptocurrency wallet recovery phrases.

Discovery and Mechanism of the Malware

Security researchers at Kaspersky identified a spyware campaign, dubbed SparkCat, active since early 2024. The campaign distributes applications that embed a malicious software development kit (SDK). Once installed, these apps request permission to access the user’s photo gallery. With that access granted, they run Optical Character Recognition (OCR) over the stored images to extract text and search it for cryptocurrency wallet recovery phrases. Any match is transmitted to remote servers controlled by the attackers. ([macrumors.com](https://www.macrumors.com/2025/02/05/ocr-malware-app-store/?utm_source=openai))

Scope and Impact

The infected applications have been downloaded extensively, with over 242,000 installations from Google Play alone. This is the first known instance of such malware being found in Apple’s App Store, exposing a gap in both platforms’ app vetting. The malware operates stealthily, without obvious signs of infection, which makes it particularly dangerous: the permission it requests, access to the photo gallery, looks reasonable for the app’s stated purpose, so users are likely to grant it without suspicion. ([helpnetsecurity.com](https://www.helpnetsecurity.com/2025/02/05/crypto-stealing-ios-android-malware-found-on-app-store-google-play-sparkcat-malicious-sdk/?utm_source=openai))

Technical Details

The malicious SDK, referred to as Spark, is heavily obfuscated, making detection and analysis difficult. It uses a Rust-based networking module to communicate with its command-and-control servers over an encrypted channel. The malware loads different OCR models depending on the system language, allowing it to recognize text in several scripts, including Latin, Korean, Chinese, and Japanese. ([theregister.com](https://www.theregister.com/2025/02/07/infected_apps_google_apple_stores?utm_source=openai))

Response from Apple and Google

Upon discovery, both Apple and Google removed the malicious applications from their respective stores. Apple removed 11 fraudulent apps linked to previously banned ones, citing its commitment to user security. Google confirmed that all identified apps have been removed from Google Play and that their developers have been banned. Android users are automatically protected from known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/mobile/crypto-stealing-apps-found-in-apple-app-store-for-the-first-time/?utm_source=openai))

Preventive Measures for Users

To safeguard against such threats, users are advised to:

– Limit Permissions: Be cautious when granting apps access to sensitive data such as photo galleries, and grant only what the app’s stated function requires.

– Avoid Storing Sensitive Information in Photos: Do not keep screenshots or photos containing sensitive information, such as cryptocurrency wallet recovery phrases, in your photo library.

– Use Trusted Applications: Download apps from reputable developers and verify their authenticity through reviews and ratings.

– Regularly Update Devices: Keep your device’s operating system and applications updated to benefit from the latest security patches.

Conclusion

The emergence of sophisticated malware capable of passing review in official app stores underscores the evolving nature of cyber threats. Users must remain vigilant, exercise caution when granting app permissions, and follow sound practices to protect their personal and financial information.