Malicious software for reading screenshots found on Google Play


Researchers from Kaspersky have discovered malware that spreads through apps in Android and iOS mobile stores. Dmitry Kalinin and Sergey Puzan shared their investigation into the malware distribution campaign, which they named SparkCat and which has likely been active since March 2024.

“We cannot state with certainty whether the infection was the result of a supply chain attack or deliberate actions by developers,” the authors write. “Some of the apps, such as food delivery services, appeared to be legitimate, while others were apparently created to lure victims.”

The Kaspersky duo said that SparkCat is a stealthy operation that asks for permissions that appear normal or harmless. Some of the apps in which they detected the malware are still available for download, including the food delivery app ComeCome and the AI chat apps AnyGPT and WeTink.

The malware uses optical character recognition (OCR) to scan a device’s photo library for screenshots of cryptocurrency wallet recovery phrases. The researchers estimate that the infected Google Play apps have been downloaded more than 242,000 times. Kaspersky said: “This is the first known case where an app infected with OCR spyware has been found on Apple’s official app store.”

Apple often promotes the strict security of the App Store, and while malware has been rare, this discovery is a reminder that a walled garden is not impervious to attack.
