{"id":46661,"date":"2025-02-07T16:43:46","date_gmt":"2025-02-07T21:43:46","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=46661"},"modified":"2025-02-07T16:43:46","modified_gmt":"2025-02-07T21:43:46","slug":"screenshot-reading-malware","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/02\/07\/screenshot-reading-malware\/","title":{"rendered":"Screenshot-Reading Malware"},"content":{"rendered":"

Wes Davis<\/a>:<\/p>\n

Apps distributed through both Apple and Google’s app stores are hiding malicious screenshot-reading code that’s being used to steal cryptocurrency, the cybersecurity software firm Kaspersky reported today<\/a>. It’s the “first known case” of apps infected with malware that uses OCR tech to extract text from images making it into Apple’s App Store, according to a blog post detailing the company’s findings.<\/p>

Kaspersky says it discovered the code from this particular malware campaign, which it calls “SparkCat,” in late 2024 and that the frameworks for it appear to have been created in March of the same year.<\/p><\/blockquote>\n\n

Via Guy English<\/a>:<\/p>\n

This is the kind of thing that makes tech so annoying these days. What’s a platform to do? At the scale of adoption of these devices (both Apple and Android) there are countless people who’d not think twice about agreeing to photo access without thinking for a moment of the screenshot with their credentials they saved off a long time ago. The only solution I can think of is only using system UI to pick what apps see. Which we have now. But that’s kind of annoying too.<\/p><\/blockquote>\n\n

Bruce Schneier<\/a>:<\/p>\n

\n

That’s a tactic I have not heard of before.<\/p>\n<\/blockquote>\n\n

Juli Clover<\/a>:<\/p>\n

Kaspersky located several App Store apps with OCR spyware, including ComeCome, WeTink, and AnyGPT, but it is not clear if the infection was a “deliberate action by the developers” or the “result of a supply chain attack.”<\/p>

[…]<\/p>

Apple checks over every app in the App Store , and a malicious app marks a failure of Apple’s app review process. In this case, there does not appear to be an obvious indication of a trojan in the app, and the permissions that it requests appear to be needed for core functionality.<\/p><\/blockquote>\n\n

Juli Clover<\/a>:<\/p>\n

Apple pulled the apps from the App Store.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"

Wes Davis: Apps distributed through both Apple and Google’s app stores are hiding malicious screenshot-reading code that’s being used to steal cryptocurrency, the cybersecurity software firm Kaspersky reported today. It’s the “first known case” of apps infected with malware that uses OCR tech to extract text from images making it into Apple’s App Store, according […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2025-02-07T21:43:49Z","apple_news_api_id":"53edfd86-f4fb-469a-ad4c-a79e579cd84d","apple_news_api_modified_at":"2025-02-07T21:43:49Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AU-39hvT7RpqtTKeeV5zYTQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[248,249,91,914,784,31,2586,26,504,622,355,282],"class_list":["post-46661","post","type-post","status-publish","format-standard","hentry","category-technology","tag-android","tag-androidapp","tag-appstore","tag-bitcoin","tag-google-play-store","tag-ios","tag-ios-18","tag-iosapp","tag-malware","tag-ocr","tag-privacy","tag-screenshots"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/46661","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=46661"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/46661\/revisions"}],"predecessor-version":[{"id":46662,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/46661\/revisions\/46662"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=46661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=46661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=46661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}