2 Sources
[1]
Researchers Discover Apps On The App Store Infected With Advanced Malware That Reads Screenshots And Steals Sensitive Data, Calling It "The First Known Case"
Apple is very strict when it comes to the privacy and security of its users and their data. Even so, every now and then an app with malicious intent slips through to steal user data. Today, researchers at Kaspersky reported that they have found new malware in apps downloaded through the App Store, which, according to them, is "the first known case." The malware in these apps can read your screenshots for key data, which breaches user privacy.

The newly discovered malware is not limited to apps downloaded through the App Store; it is also present on Android. Dmitry Kalinin and Sergey Puzan posted their work for Kaspersky, detailing screen-reading OCR malware in apps downloaded from the App Store and Play Store. On the iPhone, the malware scans the Photo Library for recovery phrases for crypto wallets.

"This is the first known case of an app infected with OCR spyware being found in Apple's official app marketplace."

This is how the duo explains how the malware works:

"The Android malware module would decrypt and launch an OCR plug-in built with Google's ML Kit library, and use that to recognize text it found in images inside the gallery. Images that matched keywords received from the C2 were sent to the server. The iOS-specific malicious module had a similar design and also relied on Google's ML Kit library for OCR."

The report mentions various apps targeting users across regions in Europe and Asia. A few of these apps are running the malware code without the knowledge of their developers, which could be why Apple's strict App Store review could not catch it.

"We detected a series of apps embedded with a malicious framework in the App Store. We cannot confirm with certainty whether the infection was a result of a supply chain attack or deliberate action by the developers. Some of the apps, such as food delivery services, appeared to be legitimate, whereas others apparently had been built to lure victims. For example, we saw several similar AI-featured 'messaging apps' by the same developer."

The worrying bit is that a handful of these malware-struck apps are still available on the App Store and can be downloaded right now. This includes ComeCome, a food delivery app, along with AnyGPT and WeTink, which are AI chatbots. It remains to be seen how Apple will tackle the situation and whether it will see fit to amend its App Store guidelines. We will keep you posted with more details, so do stick around.
[2]
Screenshot-reading malware cracks iPhone security for the first time
In the realm of smartphones, Apple's ecosystem is deemed to be the safer one. Independent analysis by security experts has repeatedly supported that view over the years. But Apple's guardrails are not impenetrable. On the contrary, it seems bad actors have managed yet another worrying breakthrough.

As per an analysis by Kaspersky, malware with Optical Character Recognition (OCR) capabilities has been spotted on the App Store for the first time. Instead of stealing files stored on a phone, the malware scanned screenshots stored locally, analyzed the text content, and relayed the information it was looking for to its servers.

The malware-seeding operation, codenamed "SparkCat," targeted apps distributed through official repositories (Google's Play Store and Apple's App Store) as well as third-party sources. The infected apps amassed roughly a quarter million downloads across both platforms.

Interestingly, the malware piggybacked atop Google's ML Kit library, a toolkit that lets developers deploy machine learning capabilities for quick, offline data processing in apps. This ML Kit component is what ultimately allowed the Google OCR model to scan photos stored on an iPhone and recognize text containing sensitive information.

But it seems the malware was not just capable of stealing crypto-related recovery codes. "It must be noted that the malware is flexible enough to steal not just these phrases but also other sensitive data from the gallery, such as messages or passwords that might have been captured in screenshots," says Kaspersky's report.

Among the targeted iPhone apps was ComeCome, which appears to be a Chinese food delivery app on the surface, but came loaded with screenshot-reading malware. "This is the first known case of an app infected with OCR spyware being found in Apple's official app marketplace," notes Kaspersky's analysis.

It is, however, unclear whether the developers of these problematic apps were engaged in embedding the malware, or whether it was a supply chain attack. Irrespective of the origin, the whole pipeline was quite inconspicuous, as the apps seemed legitimate and catered to tasks such as messaging, AI learning, or food delivery. Notably, the cross-platform malware was also capable of obfuscating its presence, which made it harder to detect.

The primary objective of this campaign was extracting crypto wallet recovery phrases, which can allow a bad actor to take over a person's crypto wallet and make off with their assets. The target zones appear to be Europe and Asia, but some of the listed apps appear to be operating in Africa and other regions as well.
Researchers uncover first known case of OCR-based malware in Apple's App Store, capable of reading screenshots and stealing sensitive data, including crypto wallet information.
In a significant breach of Apple's stringent security measures, researchers at Kaspersky have uncovered a new type of malware in apps downloaded from the App Store, marking what they call "the first known case" of its kind [1]. This advanced malware, capable of reading screenshots and stealing sensitive data, has raised concerns about the vulnerability of iOS devices.
The malware, part of an operation codenamed "SparkCat," uses Optical Character Recognition (OCR) technology to scan screenshots stored on infected devices [2]. It specifically targets recovery phrases for crypto wallets but is flexible enough to steal other sensitive information, such as messages or passwords captured in screenshots.
This malware is not limited to iOS devices; it has also been found in Android apps. On both platforms, the malicious code leverages Google's ML Kit library for OCR, allowing it to recognize and extract text from images in the device's gallery, and images matching keywords received from the attackers' C2 server are uploaded to it [1].
Several apps across various regions in Europe and Asia have been identified as carriers of this malware. Those named in the reports include ComeCome, a food delivery app, along with the AI chatbot apps AnyGPT and WeTink [1].
Alarmingly, some of these infected apps are still available for download on the App Store [1]. The malware campaign has amassed approximately a quarter million downloads across both iOS and Android platforms [2].
This discovery is particularly concerning as it represents a new vector for data theft on iOS devices. Unlike traditional malware that directly accesses files, this OCR-based approach lets attackers extract sensitive information from the text inside screenshots, a path existing protections were not designed to catch [2].
Researchers are unsure whether the malware's presence results from a supply chain attack or deliberate action by the app developers. Some infected apps appear legitimate, while others seem designed to lure victims [1].
As of now, Apple has not publicly addressed this security breach. It remains to be seen how the company will respond and whether it will lead to amendments to the App Store's security guidelines [1].
This incident challenges the perception of Apple's ecosystem as inherently more secure. While iOS has generally been considered safer than other platforms, this breakthrough by malicious actors demonstrates that no system is impenetrable [2].
As this story continues to develop, it serves as a stark reminder for users to remain vigilant about their digital security, even when downloading apps from official sources like the App Store.