Warning Issued For Millions Of iPhone And Android Users Over Screenshot-Scanning Malware

Malware on iPhones and Android devices is usually associated with sideloading apps from unofficial sources. Cybercriminals, however, can also slip malicious code into apps hosted on the official storefronts, the iOS App Store and Google Play. The malware described here goes after sensitive information that users capture in screenshots.

A recent report revealed that several infected apps contain a malicious software development kit (SDK) built to steal recovery phrases for cryptocurrency wallets. The malware, believed to have been active since March 2024, behaves the same way on Android and iOS: it quietly uses Google's ML Kit library for optical character recognition (OCR) to read the text in images in the victim's gallery, then uploads any image whose text matches keywords of interest to the attackers. The victim sees no prompt beyond the app's original photo-access request, so the data leaves the device without their knowledge. The infected apps have been downloaded over 242,000 times from Google Play alone.

The malware, named "SparkCat," is written in Rust, a language rarely used for mobile app development. That choice makes the malicious code harder to spot: analysis tools and signatures tuned to the Java, Kotlin, Swift or Objective-C code that makes up most apps may not recognise malware written in Rust. The permissions the SDK requests, chiefly access to the photo gallery, look necessary for the host app's core functionality or harmless on the surface, which makes it easier to pass security checks.


Cybersecurity researchers first spotted this malware in an app called "ComeCome," found on both Android and iOS. Follow-up investigation turned up several other infected apps. Attacks of this kind have happened before, but this is the first time such a stealer has been found in Apple's App Store, debunking the notion that iOS is immune to the threat posed by malicious apps.

The analysts could not confirm whether the infection was the result of a supply chain compromise or of deliberate action by the developers. Some of the apps, such as a food delivery service, appeared legitimate; others were built to lure victims, as shown by several AI-powered "messaging apps" published by the same malicious developer.

Google and Apple have since removed the affected apps from their stores. Delisting does not uninstall an app from phones that already have it, so check your device and delete any of the affected apps you find. The incident is a reminder that downloading only from the official app stores is no guarantee of safety.

If you own an Android device, grant gallery access only to apps you trust, and where the app allows it prefer the "select photos" partial access that Android 14 and later offer over access to the whole gallery. Then take a moment to review your gallery for screenshots or images containing sensitive information, such as passwords and seed phrases, and delete them. iPhone owners can do the same in the Photos privacy settings, where iOS lets you limit an app to selected photos rather than the full library. Additionally, consider using a reliable, up-to-date antivirus solution.
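The keyword filter the malware applies to OCR'd images is also the check a defender can run over their own gallery before an app does. The following is an added example, not the malware's code and not from the report: it takes the OCR text already extracted from each image (as ML Kit or any OCR engine would return it) and scores each image for a recovery-phrase shape, meaning a run of 12, 15, 18, 21 or 24 consecutive BIP39 words with the wallet's list numbering ignored, plus wallet and credential keywords. The keyword list, the short BIP39 subset and the sample OCR text are all constructed for the demo; a real sweep loads the full 2048-word English list.

```python
"""Triage OCR output from a photo gallery for wallet recovery phrases and
credentials. Added illustration: keyword list, wordlist subset and sample OCR
text are constructed here, not taken from the report or the malware."""
import re
from dataclasses import dataclass, field

# Constructed subset of the BIP39 English wordlist (the real list has 2048 words).
BIP39_SAMPLE = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
zoo zone zero zebra youth young yellow year wrong write wrist wrap
""".split())

# Phrases an attacker filtering stolen images, or a defender auditing a gallery,
# would look for. Constructed; the page does not give the malware's own list.
KEYWORDS = (
    "recovery phrase", "seed phrase", "secret phrase", "backup phrase",
    "mnemonic", "private key", "wallet", "password",
)
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
# Wallets print numbering such as "1." or "7)" beside each word; skip those tokens.
NUMBERING_RE = re.compile(r"^\d{1,2}[.):]?$")
# A label followed by a separator, e.g. "password:" or "PIN =".
CREDENTIAL_RE = re.compile(r"\b(?:password|passcode|pin)\s*[:=]", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    score: int
    reasons: list = field(default_factory=list)


def longest_wordlist_run(text, wordlist=BIP39_SAMPLE):
    """Length of the longest run of consecutive tokens that are all wordlist words.
    Numbering tokens between words are ignored; any other token breaks the run."""
    best = run = 0
    for tok in text.lower().split():
        if NUMBERING_RE.match(tok):
            continue
        tok = tok.strip(".,;:()[]\"'")
        if tok in wordlist:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage(image, text, wordlist=BIP39_SAMPLE):
    """Score one image's OCR text; a higher score means more likely to hold a secret."""
    lowered = text.lower()
    finding = Finding(image, 0)
    hits = [k for k in KEYWORDS if k in lowered]
    if hits:
        finding.score += 2 * len(hits)
        finding.reasons.append("keywords: " + ", ".join(hits))
    if CREDENTIAL_RE.search(text):
        finding.score += 4
        finding.reasons.append("credential label followed by a value")
    run = longest_wordlist_run(text, wordlist)
    if run in MNEMONIC_LENGTHS:
        finding.score += 10
        finding.reasons.append(f"{run}-word wordlist run (mnemonic shape)")
    elif run >= 6:
        finding.score += 3
        finding.reasons.append(f"{run}-word wordlist run")
    return finding


def rank(ocr_results, wordlist=BIP39_SAMPLE, threshold=5):
    """ocr_results maps image name -> OCR text. Returns findings at or above
    threshold, highest score first."""
    found = [triage(name, text, wordlist) for name, text in ocr_results.items()]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)


# Constructed OCR output standing in for what an OCR engine would return per image.
SAMPLE_OCR = {
    "IMG_0412.png": "Your Secret Recovery Phrase\n1. abandon 2. ability 3. able 4. about "
                    "5. above 6. absent 7. absorb 8. abstract 9. absurd 10. abuse "
                    "11. access 12. accident\nNever share this with anyone",
    "IMG_0413.png": "Lunch tomorrow at 12:30? The zoo is closed, youth centre instead.",
    "IMG_0414.png": "Wi-Fi password: correct-horse-battery",
}

if __name__ == "__main__":
    for f in rank(SAMPLE_OCR):
        print(f"{f.image}: score {f.score}; " + "; ".join(f.reasons))
```

With the full wordlist loaded in place of the subset, the same run detector can be tightened further by converting the words to their 11-bit indices and verifying the BIP39 checksum, which removes most false positives from ordinary prose. The function takes text rather than images deliberately: any OCR front end, on-device or desktop, can feed it.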