Screen-reading malware detected in the App Store: the apps that threaten your iPhone's safety

Researchers at the cybersecurity company Kaspersky have reported, for the first time, the presence in the App Store of a new type of stealer: malicious software designed to extract confidential information from a device, in this case using OCR (Optical Character Recognition) technology to read text out of images and then send that information to an external server.

SparkCat focuses on obtaining cryptocurrency wallet recovery phrases, also known as 'mnemonics', which can be used to regain access to the victims' wallets, although it also extracts other types of data.

In a Kaspersky blog post, the researchers explain that they discovered the SparkCat campaign at the end of 2024, and that it was probably created in March of that same year.

This is how SparkCat works

The malware starts doing its job when the user opens the support chat of the application that contains SparkCat. It then requests permission to access the user's photo gallery. Once that is granted, the malware requests from an external server the parameters for processing the OCR results, along with a list of keywords.

It then scans the images looking for screenshots of crypto wallets or recovery phrases. Once the images have been filtered according to the parameters received, they are sent to the attackers, who can use them to access the wallets and steal cryptocurrency.

SparkCat is flexible: it can steal other confidential data from the gallery, such as messages or other passwords captured in screenshots, and it also collects device information.

The origin of the infection is not clear: Kaspersky says it cannot confirm with certainty whether the infection was the result of a supply-chain attack or a deliberate action by the developers.

Apps with SparkCat

The researchers do not give a specific list of infected apps. They illustrate the report with images of some of those infected with SparkCat in the App Store; WeTink, AnyGPT, ChatAi and ComeCome appear among them, and the last one is also available, malware included, on Android.

Apps infected with SparkCat. Source: Kaspersky.

The report does include a long list of bundle IDs, the package identifiers embedded in the malware that allow SparkCat to identify the specific application it is running in and adapt its behaviour accordingly. There are 10 for Android and 43 for iOS. This data makes it possible to identify apps that could be infected, since the app's name is usually part of the full identifier. The complete list is as follows:

Android applications:

  • com.crownplay.vanity.address
  • com.atvnewsonline.app
  • com.bintiger.mall.android
  • com.websea.exchange
  • org.safew.messenger
  • org.safew.messenger.store
  • com.tonghui.paybank
  • com.bs.Feifubao
  • com.sapp.catai
  • com.sapp.starcoin

iOS applications:

  • im.pop.app.ios.messenger
  • com.hkatv.ios
  • com.atvnewsonline.app
  • Io.zorixchange
  • com.yykc.vpnjsq
  • com.llyy.au
  • com.star.har91vnlive
  • com.jhgj.jinhulalaab
  • com.qingwa.qingwa88lalaa
  • com.blockchain.uttool
  • com.wukongwaimai.client
  • com.unicornsoft.unicornhttpspHorios
  • Staffs.mil.coinpark
  • com.lc.btdj
  • com.baijia.waimai
  • com.ctc.jirepaidui
  • com.ai.gbet
  • App.nicegram
  • com.blockchain.ogiut
  • com.blockchain. 98ut
  • com.dream.towncn
  • com.MJB.hardwood.test
  • com.galaxy6688.ios
  • njiujiu.vptest
  • com.qqt.jykj
  • com.ai.sport
  • com.feidu.pay
  • APP.IKUN277.TEST
  • com.usdtone.usdtoneapp2
  • com.cgapp2.wallet0
  • com.bbydqb
  • com.yz.byteswap.native
  • Jiujiu.vptest
  • com.wetink.chat
  • com.websea.exchange
  • com.customize.authenticator
  • im.token.app
  • com.mjb.worldminer.new
  • com.kh-super.ios.supeppp
  • com.thedgptai.event
  • com.yz.eternal.new
  • xyz.starohm.chat
  • com.crownplay.luckyaddress1
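One defensive use of that list, as an added example that is not taken from the article or from Kaspersky's report: a small Python script that checks a device-inventory export (a constructed tab-separated sample of name, bundle ID and version, as an MDM tool might produce) against the report's bundle IDs, normalising case, whitespace and trailing punctuation first so that values copied from the text compare cleanly. The indicator set is a subset of the IDs listed above; a match means the ID appears in the report, not that the installed version is necessarily infected.

```python
import re

# Subset of the bundle IDs from the article's list (extend with the full list).
SPARKCAT_BUNDLE_IDS = {
    "com.crownplay.vanity.address",
    "com.atvnewsonline.app",
    "org.safew.messenger",
    "com.sapp.catai",
    "com.wetink.chat",
    "com.wukongwaimai.client",
    "im.token.app",
    "com.customize.authenticator",
}

# Constructed sample inventory export: name<TAB>bundle_id<TAB>version.
INVENTORY = """\
# app name\tbundle id\tversion
Mail\tcom.apple.mobilemail\t1.0
WeTink\tcom.wetink.chat\t2.3.1
Authenticator\tcom.customize.authenticator.\t1.1
Safari\tcom.apple.mobilesafari\t17.0
"""


def normalize(bundle_id: str) -> str:
    """Lower-case and drop stray whitespace and trailing dots so that IDs
    copied from a report ("Io.zorixchange.", "com.blockchain. 98ut")
    compare cleanly against a clean inventory value."""
    return re.sub(r"\s+", "", bundle_id).strip(".").lower()


def parse_inventory(text: str):
    """Parse the tab-separated export into (name, bundle_id) pairs,
    skipping blank lines and '#' comments."""
    apps = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, bundle_id, _version = line.split("\t", 2)
        apps.append((name, bundle_id))
    return apps


def find_matches(apps, indicators=SPARKCAT_BUNDLE_IDS):
    """Return (name, normalised bundle_id) for installed apps whose bundle ID
    is on the indicator list, sorted by bundle ID for stable reporting."""
    wanted = {normalize(i) for i in indicators}
    hits = [(n, normalize(b)) for n, b in apps if normalize(b) in wanted]
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    for name, bundle_id in find_matches(parse_inventory(INVENTORY)):
        print(f"listed in SparkCat report: {name} ({bundle_id})")
```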