Information on new "SparkCat" malware infesting a small number of iOS apps was shared yesterday by Kaspersky, and shortly after the report came out, Apple said that it pulled the offending apps from its App Stores in various countries.
Some of the apps that had hidden malware included ComeCome, WeTink, and AnyGPT. 11 apps were removed in total, but when removing the apps, Apple says that it found another 89 with the same code that had been previously rejected or removed from the App Store for violating Apple's fraud policies. When an app is removed for fraud, Apple terminates the associated developer account.
As outlined by Kaspersky, the apps used a malicious framework with OCR capabilities designed to suss out sensitive information in images and screenshots stored on iPhones. Recovery phrases for crypto wallets were a specific target, with attackers aiming to steal bitcoin and other cryptocurrency, but the malware could target other phrases like passwords.
By default, Apple blocks access to a user's photos, so the apps would have needed express user consent to operate. If given permission to access a Photo Library, the apps could scan through the images to look for key phrases outlined by the attackers. If an image with a relevant phrase was found, it was uploaded to a remote server. Kaspersky found that the malware was likely targeting iOS users in Europe and Asia.
It is worth noting that Apple added granular control over the images that an app is able to access back in iOS 14, and there is an option to provide access to a limited number of images rather than an entire library. It is a good idea to avoid apps that seem sketchy, and to refrain from giving an app access to all of your images.
Apple also provides an App Privacy Report that outlines all of the instances when an app accesses sensitive data like location, images, camera, and microphone. The App Private Report can be found in the Privacy section of the Settings app.
