Screenshot-reading malware detected in iOS App Store apps for the first time.
The malware known as "SparkCat" scans images for information about cryptocurrency wallets.
A report from a cybersecurity software company has revealed that applications available on Apple's and Google's stores hide malicious code aimed at stealing cryptocurrencies. According to the analysis, this is the first known case of apps carrying malware that uses optical character recognition (OCR) to extract text from images making it into Apple's App Store.
The cybersecurity firm Kaspersky reported that this malware, which it has named "SparkCat," was detected in late 2024, and the earliest traces of its framework appear to date from March of the same year. On iOS devices and on certain versions of Android, the malware works by requesting access to the user's photo gallery when they try to use the chat support feature inside the infected application. Once permission is granted, the software uses Google's OCR technology to read the text in the photos, looking specifically for screenshots of cryptocurrency wallet passwords or recovery phrases. Matching images are sent to the attackers, who can use that data to access the wallets and steal the cryptocurrency.
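The behaviour described above combines two observable properties of an app bundle: a request for photo-library access and an embedded on-device OCR library. The following script is an added example, not code from the article or from Kaspersky's report, of how an app-vetting team might triage an extracted .ipa for that combination so a human reviewer can look at it. It assumes the standard .ipa layout (`Payload/<App>.app/Info.plist` and `Payload/<App>.app/Frameworks/*.framework`), and the framework names it looks for (`MLKitTextRecognition`, `Tesseract`) are an assumption for the example; the article does not name the OCR library used. The sample bundles are constructed in memory for the demonstration.

```python
"""Triage heuristic (added example): flag an iOS app bundle that both asks for
photo-library access and ships an on-device OCR framework.

This is a review aid, not a detection of SparkCat itself: legitimate apps
(document scanners, note-taking tools) trigger the same combination, so every
hit should go to a human reviewer rather than be blocked automatically.
"""
import io
import plistlib
import zipfile
from dataclasses import dataclass

# Real Info.plist keys an iOS app must declare to read or write the photo library.
PHOTO_KEYS = {"NSPhotoLibraryUsageDescription", "NSPhotoLibraryAddUsageDescription"}

# Assumption for the example: embedded framework names treated as OCR capability.
OCR_FRAMEWORK_HINTS = ("MLKitTextRecognition", "Tesseract")


@dataclass
class Finding:
    bundle: str
    photo_access: bool
    ocr_frameworks: list

    @property
    def needs_review(self) -> bool:
        # Only the combination is interesting; either property alone is common.
        return self.photo_access and bool(self.ocr_frameworks)


def triage_ipa(ipa_bytes: bytes) -> Finding:
    """Inspect an .ipa (a zip archive) for the permission + OCR-framework pairing."""
    photo_access = False
    ocr_found = set()
    bundle = ""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # Payload/<App>.app/Info.plist is the top-level bundle manifest.
            if len(parts) == 3 and parts[0] == "Payload" and parts[2] == "Info.plist":
                bundle = parts[1]
                info = plistlib.loads(zf.read(name))
                photo_access = any(key in info for key in PHOTO_KEYS)
            # Payload/<App>.app/Frameworks/<Name>.framework/... are embedded libraries.
            if len(parts) >= 4 and parts[2] == "Frameworks" and parts[3].endswith(".framework"):
                framework = parts[3][: -len(".framework")]
                if any(hint.lower() in framework.lower() for hint in OCR_FRAMEWORK_HINTS):
                    ocr_found.add(framework)
    return Finding(bundle, photo_access, sorted(ocr_found))


def build_sample_ipa(ask_photos: bool, frameworks) -> bytes:
    """Construct a minimal fake .ipa in memory (test fixture, not a real app)."""
    info = {"CFBundleIdentifier": "com.example.sample", "CFBundleName": "Sample"}
    if ask_photos:
        info["NSPhotoLibraryUsageDescription"] = "Used to attach images in support chat"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Sample.app/Info.plist", plistlib.dumps(info))
        for fw in frameworks:
            # A few placeholder bytes stand in for the Mach-O binary.
            zf.writestr(f"Payload/Sample.app/Frameworks/{fw}.framework/{fw}", b"\xcf\xfa\xed\xfe")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "photos + OCR framework": build_sample_ipa(True, ["MLKitTextRecognition"]),
        "photos, no OCR": build_sample_ipa(True, ["Alamofire"]),
        "OCR, no photo permission": build_sample_ipa(False, ["MLKitTextRecognition"]),
    }
    for label, ipa in samples.items():
        finding = triage_ipa(ipa)
        verdict = "REVIEW" if finding.needs_review else "ok"
        print(f"{label:28s} -> {verdict} (bundle={finding.bundle}, ocr={finding.ocr_frameworks})")
```

Only the first sample is flagged; the other two show why each property alone is not a useful signal. In a real pipeline the framework list would be matched against the Mach-O load commands as well, since an OCR library can be statically linked rather than embedded as a framework.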
Kaspersky has indicated that they cannot confirm with certainty whether the infection is the result of a supply chain attack or a deliberate action by the developers. The company mentions two AI-based chat applications that appear to have been created for this campaign and are still available on the App Store: WeTink and AnyGPT. The malicious code was also found in a seemingly legitimate food delivery app called ComeCome, which can still be downloaded.
So far, Apple and Google have not provided an official response to the situation.