Saturday, February 8, 2025


DIGITAL LIFE



Warning Issued For Millions Of iPhone And Android Users Over Screenshot-Scanning Malware

Malware on iPhones and Android devices is usually associated with apps sideloaded from unofficial sources. Cybercriminals, however, are also able to hide malware inside apps published on the official stores, the iOS App Store and Google Play. The malware described below targets sensitive information captured in screenshots.

A recent report revealed that several infected apps contain a malicious software development kit (SDK) built to steal recovery phrases for cryptocurrency wallets. The malware, believed to have been active since March 2024, works the same way on Android and iOS: it quietly uses Google's ML Kit optical character recognition (OCR) library to read the text in the images in the victim's gallery, and uploads the images whose text contains keywords of interest to the attackers. This lets the attacker pull the sensitive data off the device without the victim noticing. The infected apps had been downloaded over 242,000 times from Google Play alone.

The malware, named "SparkCat," is written in Rust, a language not typically used for mobile app development. That makes its malicious code harder to detect, because security tools and analysts are less used to looking for, or recognizing, mobile malware written in that language. Furthermore, the permission it needs, access to the photo gallery, can look necessary for the host app's core functionality (a messaging app that sends pictures, for instance) or harmless on the surface, which makes it easier to get past security checks such as store review and the user's own judgement at the permission prompt.

Cybersecurity researchers first noticed the malware in an app called "ComeCome," found on both Android and iOS. Subsequent investigation turned up several other infected apps. While attacks of this kind have happened before, this is the first time such a stealer has been found in Apple's App Store, debunking the notion that iOS is immune to the threat posed by malicious apps.

While the researchers could not confirm whether the infection was the result of a supply-chain compromise or of deliberate action by the developers, they noted that some of the apps, such as a food delivery service, appeared legitimate. Others were built to deceive victims from the start, as shown by several AI-powered "messaging apps" published by the same malicious developer.

Following the discovery, Google and Apple removed the affected apps from their respective stores. Removal from a store does not uninstall an app from phones that already have it, so if you installed one of these apps you need to delete it yourself. The incident underlines the need for vigilance: downloading apps only from the official app stores is no guarantee of safety.

If you own an Android device, grant gallery access only to apps you trust and that genuinely need it, and take a moment to review your gallery for screenshots or photos containing sensitive information, such as passwords and seed phrases. iPhone owners can do the same in the Photos app and in the per-app photo access settings. Additionally, consider using a reliable, up-to-date antivirus solution.
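The stealer's mechanism described earlier (OCR over the gallery, then a keyword filter on the extracted text) and the advice above to review your own gallery can be combined into a defender-side triage script. What follows is an added example, not code from the page, from the researchers or from the malware itself: it takes text that OCR has already extracted from screenshots and flags the images an OCR stealer would have uploaded. The keyword list, the BIP-39 shape heuristics and the four sample OCR texts are constructed assumptions; the OCR step itself (running a local OCR engine over each image) is left out so the script runs offline.

```python
"""Triage OCR'd screenshot text for cryptocurrency recovery phrases.

Added example, not code from the page, the researchers or the malware. It
reproduces the stealer's second stage (OCR text -> keyword/phrase filter)
from the defender's side, so you can find the screenshots an OCR stealer
would have uploaded before an attacker does. The OCR step is left out; the
SAMPLES below are constructed stand-ins for text OCR would return.
"""
import re
from dataclasses import dataclass, field

# Assumed keyword list: a defender's guess, not the attackers' real list.
KEYWORDS = (
    "seed phrase", "recovery phrase", "secret phrase", "backup phrase",
    "mnemonic", "private key", "passphrase", "wallet",
    "phrase de récupération",  # French
    "frase semilla",           # Spanish
    "助记词",                   # Chinese
)

# BIP-39 structure: 12/15/18/21/24 words, each 3 to 8 lowercase ASCII letters.
MNEMONIC_LENGTHS = frozenset({12, 15, 18, 21, 24})
WORD_RE = re.compile(r"[a-z]{3,8}")
# Matches numbered layouts such as "1. abandon", "2) ability", "3: able".
NUMBERED_RE = re.compile(r"(?<![\d.])(\d{1,2})[.):]?\s+([a-z]{3,8})\b")


@dataclass
class Finding:
    keywords: list = field(default_factory=list)
    mnemonics: list = field(default_factory=list)  # each entry is a word list

    @property
    def suspicious(self):
        return bool(self.keywords or self.mnemonics)


def find_keywords(text):
    lowered = text.lower()
    return [k for k in KEYWORDS if k in lowered]


def numbered_runs(lowered):
    """Collect 'n. word' sequences whose numbers count up from 1."""
    runs, current, expected = [], [], 1
    for m in NUMBERED_RE.finditer(lowered):
        n, word = int(m.group(1)), m.group(2)
        if n != expected:  # sequence broken: keep it only if phrase-shaped
            if len(current) in MNEMONIC_LENGTHS:
                runs.append(current)
            current, expected = [], 1
            if n != 1:
                continue
        current.append(word)
        expected = n + 1
    if len(current) in MNEMONIC_LENGTHS:
        runs.append(current)
    return runs


def plain_runs(lowered):
    """Find unnumbered runs of word-shaped tokens with a phrase-shaped length.

    Punctuation and blank lines bound a run, since a seed phrase spans neither.
    """
    stripped = re.sub(r"\b\d{1,2}[.):]?(?=\s)", " ", lowered)  # drop "1." etc.
    runs = []
    for segment in re.split(r"[^\w\s]+|\n\s*\n", stripped):
        tokens = segment.split()
        if len(tokens) in MNEMONIC_LENGTHS and all(WORD_RE.fullmatch(t) for t in tokens):
            runs.append(tokens)
    return runs


def classify(text):
    lowered = text.lower()
    seen, mnemonics = set(), []
    for run in numbered_runs(lowered) + plain_runs(lowered):
        if tuple(run) not in seen:  # the same phrase may be found both ways
            seen.add(tuple(run))
            mnemonics.append(run)
    return Finding(keywords=find_keywords(text), mnemonics=mnemonics)


def triage(samples):
    """Return the names of the images an OCR stealer would have uploaded."""
    return [name for name, text in samples.items() if classify(text).suspicious]


SAMPLES = {  # constructed OCR output for four imaginary screenshots
    "wallet_backup.png": (
        "Your Secret Recovery Phrase\n"
        "1. abandon 2. ability 3. able 4. about\n"
        "5. above 6. absent 7. absorb 8. abstract\n"
        "9. absurd 10. abuse 11. access 12. accident\n"
        "Write it down and never share it."
    ),
    "notes.png": (
        "Backup:\n"
        "abandon ability able about above absent\n"
        "absorb abstract absurd abuse access accident\n\n"
        "saved 2024"
    ),
    "chat.png": "hey are you coming to dinner tonight? we booked the table for eight",
    "reminder.png": "Reminder: update the wallet app before the weekend",
}

if __name__ == "__main__":
    for name in triage(SAMPLES):
        f = classify(SAMPLES[name])
        print(f"{name}: keywords={f.keywords} phrases={len(f.mnemonics)}")
```

Replace SAMPLES with the text your OCR engine returns for each image in the gallery and move anything `triage()` lists out of the phone's photo library. Keyword matching is deliberately noisy: a screenshot that merely mentions a "wallet" app is flagged, which is also why an attacker's filter harvests far more than seed phrases. Checking each word against the 2048-word BIP-39 list (omitted here for length) would cut the false positives sharply and is the obvious next refinement.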

Comment from Clive Robertson: Like the photographing of people's keys to have the “pinning pattern” for making a 3D print, it’s a logical progression of technological developments.

Actually, thinking about it for a moment, what actually “surprises me” is why it’s taken so long to happen… If you think back, the first home PC usable OCR goes back to the earliest days of “home scanners”, more than thirty years ago. Modern “Smart Devices” have thousands of times the capabilities, in terms of CPU power and memory, that even high-end home PCs had thirty years ago.

So the obvious question would be, “Why has it taken so long to happen?” In some ways I would assume it’s not, but the need for it was so eclectic that there was no “mainstream need” amongst criminals of all varieties.

And those that might, such as “Security Services”, would not go for “on device scanning” for two reasons,

1-Their victims were individually targeted and thus “Black-bagged”.

2-Their desire for secrecy would preclude the usage of such software, to prevent it being found on a victim’s devices.

And for your more run-of-the-mill criminal, where the use of a “rubber hose” would look soft, getting access to “in human memory” secrets would be given to some psycho or worse to do.

What has changed is the value of Crypto-Coins and the like, where knowing a “passphrase” anonymously enables a more sophisticated criminal time to not just take but launder / wash out the coins about as anonymously as they can.

Until a year or so ago crypto-coins were of some value but not “go life in jail or the chair” value.

Now that is no longer the case, where even badly thought out, petty, almost “mugging” street level crime can get you hundreds of thousands if not millions of dollars, faster than you could spend it.

Those with a little more thought can find “high value wallets” by looking on the blockchain. Many of those wallets would not have been set up in a way that would make the owner anonymous.

Which means that they and their mobile phones and similar Smart Devices are fairly easily traceable to slightly smarter criminals.

Getting access to those devices would almost be “trivial”, as we know there are many companies in Israel / Italy and similar that specialise in “access for hire” to politicians, bureaucrats and two bit rent-a-cops all over the world.

So not only were all the pieces in place, a need to use them had surfaced, with, in hindsight, a not unexpected result.

Which leaves the obvious question for those with “valuable wallets” of, “How do you protect not just the wallet and yourself, but all your devices as well?” Whilst I can think of several ways, I’m just glad I don’t have.

1-A need to use them

2-Clean up an existing trail to me

But it does beg the further question of, “Now it exists, what will it be repurposed for next?” As some will know, now that E2EE is something Law Enforcement are going to have to give up on because the “Chinese have robbed us of NOBUS”, they are going to want something else.

There are two options currently

1-Device side scanning

2-Back up third party storage.

We know Apple looked at device side scanning for CSAM finding, and got struck down by “user push back” when it became clear that it could scan for anything.

But we now find out Apple are getting attacked by the UK government over third party storage: https://www.bbc.com/news/articles/c20g288yldko

Put simply they demand access “anywhere in the world at any time” not only “no questions asked” but with significant penalties for not “jumping to it”.

mundophone
