Crypto stealing apps in the Apple App Store: What to do if you install them?

Researchers at Kaspersky Lab have found a malicious software development kit (SDK)/framework embedded in several apps in the Apple App Store and Google Play Store that’s designed to steal cryptocurrency wallet recovery phrases using optical character recognition (OCR) plugins.

As per the Kaspersky researchers, the infected apps were downloaded over 242,000 times from Google Play Store but it’s the first time they were found in the Apple App Store. The researchers have named the malware “SparkCat” and claim that it has been active since March 2024.

“The Android malware module decrypted and launched an OCR plugin based on the Google ML Kit library, which it used to recognize text in images in the device gallery. Using keywords received from C2 (Command and Control comms channel used by hackers to remotely control a device), the Trojan sent images to the command server. The iOS malware module was similarly designed and also used the Google ML Kit library for OCR.”, says the Kaspersky Lab report. The iOS malware also uses the ML Kit interface.

In case you have installed such an infected app, Kaspersky researchers recommend uninstalling it and not using it “until a patch is released that removes the malicious functionality.” They also advise not to store screenshots with sensitive information like "recovery phrases for access to cryptocurrency wallets" in the device gallery.