
OCR Malware Found in Apple’s App Store: A First-Time Security Breach


Apple's ecosystem has long been regarded as one of the most secure in the smartphone world, a reputation reinforced by numerous independent security analyses. That perception of impenetrability has now been challenged by a new discovery: for the first time, malware with Optical Character Recognition (OCR) capabilities has been found in the App Store.

This groundbreaking revelation comes from a Kaspersky analysis which details the “SparkCat” operation, a campaign distributing malware through apps downloaded from both official app stores (Apple’s App Store and Google’s Play Store) and third-party sources. The malware has already amassed approximately 250,000 downloads across both platforms.

Remarkably, the malware builds on Google's ML Kit library, a toolkit that lets apps run machine learning models on-device for offline data processing. The attackers repurposed its text-recognition model to scan photos stored on iPhones, reading the text in each image and extracting sensitive information from it.


The malware's reach extends beyond cryptocurrency recovery phrases. Kaspersky's report highlights its flexibility, noting that the same OCR approach can capture other sensitive data from screenshots, such as messages, passwords, and other private information.

One infected iPhone app identified is “ComeCome,” disguised as a Chinese food delivery application. Kaspersky confirms this as the first documented instance of OCR spyware being discovered within Apple’s official App Store.

It remains unclear whether the app developers knowingly embedded the malware or whether it entered through a supply chain attack. Either way, the operation kept a low profile: the infected apps appeared legitimate, offering functionality ranging from messaging and AI learning to food delivery, and the cross-platform malware hid its activity well, making detection difficult.


The primary goal of the campaign appears to be harvesting cryptocurrency wallet recovery phrases, which let the attackers take control of victims' wallets and drain their assets. Europe and Asia are the main targets, but some of the identified apps are also active in Africa and other regions.

This discovery underscores the evolving nature of mobile threats and the need for ongoing vigilance, even within environments that seem as secure as Apple's App Store. Users are advised to exercise caution when downloading apps and to be aware of the risks of storing sensitive information, such as screenshots of recovery phrases or passwords, on their devices.
