For the first time, malware with screen reading code was discovered in iOS apps.

MobileCafe



According to Kaspersky research, malware that contains code for reading information from screenshots has been discovered in dubious App Store apps for the first time.

The spyware, known as "SparkCat," has OCR capabilities that allow it to identify private data from screenshots captured by iPhone users. The applications that Kaspersky found are designed to find crypto wallet recovery words, which would enable hackers to steal bitcoin and other cryptocurrencies.


Kaspersky claims that SparkCat has been operational since approximately March 2024. In 2023, similar malware was found targeting PCs and Android devices, and it has since expanded to iOS. ComeCome, WeTink, and AnyGPT were among the App Store apps that Kaspersky found to include OCR spyware, but it's unclear whether the infection was the "deliberate action by the developers" or the "result of a supply chain attack."

After being downloaded, the malicious apps request permission to access the user's photos. If authorised, they then use the OCR feature to search through the photos for pertinent text. A number of the apps, which appear to be aimed at iOS users in Europe and Asia, are still available in the App Store.

Although the apps are designed to steal cryptocurrency data, Kaspersky claims that the malware is adaptable enough that it could also be used to access passwords and other data captured in screenshots. iOS users frequently assume their devices are malware-free, but the affected apps were found in the App Store; Android apps, including those from the Google Play Store, are also affected.

Every app in the App Store is vetted by Apple, so a malicious app indicates that the company's app review procedure isn't working. In this instance, there don't seem to be any overt signs of a trojan in the application, and the permissions it asks for seem necessary for basic operation.

To protect themselves from this type of attack, Kaspersky advises users to refrain from keeping screenshots in their Photo Library that include sensitive information, such as crypto wallet recovery phrases.

The Kaspersky website provides additional details about the malware and a complete list of affected iOS frameworks.

