Apple and Google removed 20 apps from their respective app stores after security researchers discovered that they contained data-stealing malware that had been active for nearly a year.
Cybersecurity firm Kaspersky identified the malware, named SparkCat, which has been operational since March 2024. Initially, researchers detected the malicious framework within a food delivery app used in the United Arab Emirates and Indonesia. Further investigation revealed that 19 additional, unrelated apps were infected. These apps were collectively downloaded over 242,000 times from Google’s Play Store.
The malware employs optical character recognition technology to scan text visible on users’ screens. Researchers found that it targeted image galleries on victims’ devices, searching for keywords related to cryptocurrency wallet recovery phrases in multiple languages, including English, Chinese, Japanese, and Korean.
By capturing recovery phrases, attackers could seize complete control over victims’ cryptocurrency wallets and steal their funds. The malware could also extract personal data from screenshots, including messages and passwords, the researchers noted.
Following the report from Kaspersky, Apple removed the affected apps from its App Store last week, with Google following suit shortly after.
“All of the identified apps have been removed from Google Play, and the developers have been banned,” Google spokesperson Ed Fernandez told TechCrunch.
Google also confirmed that Android users were protected from known versions of this malware through the built-in Google Play Protect security feature. Apple has yet to respond to requests for comment.
Kaspersky spokesperson Rosemarie Gonzales warned that while the infected apps have been pulled from official stores, telemetry data indicated the malware remains accessible through third-party websites and unofficial app stores.