Apple and Google Remove Malicious Apps

February 11, 2025

Data-Stealing Malware Removed from Apple and Google App Stores

Apple and Google have removed a total of 20 applications from their app stores. This action was taken following the discovery of data-stealing malware within these apps by security researchers.

Malware Operation and Timeline

The malware, identified as SparkCat, has been operational since March 2024. Initial detection occurred within a food delivery application utilized in the United Arab Emirates and Indonesia.

Further investigation revealed the presence of this malicious framework in an additional 19 unrelated applications. These apps had collectively amassed over 242,000 downloads from the Google Play Store.

How the Malware Functions

SparkCat employs optical character recognition (OCR) technology. This allows it to capture text displayed on the user’s screen.

Researchers discovered the malware scanned victims’ image galleries for specific keywords. These keywords were related to cryptocurrency wallet recovery phrases, supporting multiple languages including English, Chinese, Japanese, and Korean.

Impact on Cryptocurrency Wallets

By successfully capturing a victim’s recovery phrase, attackers could obtain full control of their cryptocurrency wallet. This would enable the theft of associated funds.

The malware also possesses the capability to extract sensitive personal information from screenshots. This includes messages and stored passwords.

Responses from Apple and Google

Following notification from the security researchers, Apple removed the affected applications from the App Store last week.

Google subsequently followed suit, removing the compromised apps from the Play Store and banning the developers involved. Google spokesperson Ed Fernandez confirmed this action to TechCrunch.

Google Play Protect, the built-in security feature for Android, was also confirmed to protect users from known variants of the malware.

Apple has not yet issued a public statement regarding the incident.

Wider Distribution Concerns

According to Kaspersky spokesperson Rosemarie Gonzales, the malware was not limited to official app stores. Telemetry data indicates its availability through alternative websites and unofficial app stores as well.

This suggests a broader potential reach for the SparkCat malware beyond the applications removed from Apple and Google platforms.
