Screenshot-reading malware cracks iPhone security for the first time

By Nadeem Sarwar Published February 5, 2025

In the realm of smartphones, Apple’s ecosystem is deemed to be the safer one. Independent analysis by security experts has also proved that point repeatedly over the years. But Apple’s guardrails are not impenetrable. On the contrary, it seems bad actors have managed yet another worrying breakthrough.

As per an analysis by Kaspersky, malware with Optical Character Recognition (OCR) capabilities has been spotted on the App Store for the first time. Instead of stealing files stored on a phone, the malware scanned screenshots stored locally, analyzed the text content, and relayed the necessary information to servers.

The malware-seeding operation, codenamed “SparkCat,” targeted apps seeded from official repositories — Google’s Play Store and Apple’s App Store — and third-party sources. The infected apps amassed roughly a quarter million downloads across both platforms.

Interestingly, the malware piggybacked atop Google’s ML Kit library, a toolkit that lets developers deploy machine learning capabilities for quick and offline data processing in apps. This ML Kit system is what ultimately allowed the Google OCR model to scan photos stored on an iPhone and recognize the text containing sensitive information.

But it seems the malware was not just capable of stealing crypto-related recovery codes. “It must be noted that the malware is flexible enough to steal not just these phrases but also other sensitive data from the gallery, such as messages or passwords that might have been captured in screenshots,” says Kaspersky’s report.

Among the targeted iPhone apps was ComeCome, which appears to be a Chinese food delivery app on the surface, but came loaded with a screenshot-reading malware. “This is the first known case of an app infected with OCR spyware being found in Apple’s official app marketplace,” notes Kaspersky’s analysis.

It is, however, unclear whether the developers of these problematic apps were engaged in embedding the malware, or if it was a supply chain attack. Irrespective of the origin, the whole pipeline was quite inconspicuous as the apps seemed legitimate and catered to tasks such as messaging, AI learning, or food delivery. Notably, the cross-platform malware was also capable of obfuscating its presence, which made it harder to detect.

The primary objective of this campaign was extracting crypto wallet recovery phrases, which can allow a bad actor to take over a person’s crypto wallet and get away with their assets. The target zones appear to be Europe and Asia, but some of the hotlisted apps appear to be operating in Africa and other regions, as well.