Apple and Google have pulled as many as 20 apps from their respective app stores after security researchers found the apps were carrying data-stealing malware for almost a year.
Security researchers at Kaspersky said the malware, dubbed SparkCat, has been active since March 2024. Initially, the researchers found the malicious framework within a food delivery app used in the United Arab Emirates and Indonesia but later found the malware on 19 other, unrelated apps, which they say were cumulatively downloaded more than 242,000 times through Google’s Play Store.
Using code that’s designed to capture text visible on the user’s display — known as optical character recognition (OCR) — researchers found the malware scanned the image galleries on victim’s devices for keywords to find recovery phrases for cryptocurrency wallets across various languages, including English, Chinese, Japanese, and Korean.
By using the malware to capture a victim’s recovery phrases, attackers could gain complete control over a victim’s wallet and steal their funds, the researchers found.
The malware could also enable the extraction of personal information from screenshots, such as messages and passwords, the researchers said.
Upon receiving the report from the researchers, Apple pulled the compromised apps from the App Store last week, followed by Google.
“All of the identified apps have been removed from Google Play, and the developers have been banned,” Google spokesperson Ed Fernandez told TechCrunch.
Google’s spokesperson also confirmed that Android users were protected from known versions of this malware through the in-built Google Play Protect security feature.
Apple did not respond to requests for comment.
Kaspersky spokesperson Rosemarie Gonzales told TechCrunch that while the reported apps were pulled from the official app stores, the company’s telemetry data suggested that the malware was also available from other websites and non-official app stores.
