
Dangerous virus found on iPhones and Android devices: Protect your photos!

The virus attacks applications in the App Store and Google Play (photo: Pexels)

Applications distributed through the Apple and Google stores contain malicious SparkCat code that reads screenshots and is used to steal cryptocurrency, reports MacRumors, a website that specializes in news, rumors, and information related to Apple products.

What we know about the virus

The malicious apps are designed to detect recovery phrases for cryptocurrency wallets, which allows attackers to gain access to Bitcoin and other types of cryptocurrencies.

These apps include a malicious module that uses an OCR plugin based on the Google ML Kit library to recognize text in images stored in the device's memory. If the app detects a screenshot containing cryptocurrency wallet data, it sends it to a server accessible to the attackers.

SparkCat has been active since March 2024. Previously, similar malware was detected on Android devices and PCs, but it has now spread to iOS as well.

Malicious apps, including ComeCome, WeTink, and AnyGPT, remain available on the App Store. It is unclear whether the infection results from deliberate actions by developers or is related to a supply chain attack.

Upon installation, infected apps request permission to access the user's photos. If granted, the OCR module analyzes the images for relevant text. So far, these apps are targeting users in Europe and Asia.

Although the attackers' initial goal is to steal cryptocurrency data, the malware can also be used to extract other confidential information from screenshots, including passwords.

Similar malicious apps were also found in the Google Play Store, but iOS device owners traditionally consider their platform more secure from such threats.

Apple checks all apps before releasing them on the App Store, but the appearance of malicious apps indicates failures in the app review process. In this case, the apps do not exhibit obvious Trojan-like behavior, and the permissions they request seem justified for their primary functionality.

To reduce the risk of such attacks, users are advised to avoid storing screenshots containing confidential information, such as recovery phrases for cryptocurrency wallets, in their Photo Library.
