Apps distributed through both Apple and Google’s app stores are hiding malicious screenshot-reading code that’s being used to steal cryptocurrency, the cybersecurity software firm Kaspersky reported today. It’s the “first known case” of apps infected with malware that uses OCR tech to extract text from images making it into Apple’s App Store, according to a blog post detailing the company’s findings.

Kaspersky says it discovered the code from this particular malware campaign, which it calls “SparkCat,” in late 2024 and that the frameworks for it appear to have been created in March of the same year.

On iOS and in some Android instances, the malware works by triggering a request to access users’ photo galleries when they attempt to use chat support within the infected app. Once permission is granted, it uses Google OCR tech, which lets it decipher text found in photos, to look for things like screenshots of crypto wallet passwords or recovery phrases. The software then sends any images it finds back to the attackers, who can then use the info to access the wallets and steal crypto.

Kaspersky says it can’t “confirm with certainty the infection was a result of a supply chain attack or deliberate action by the developers.” The company names two AI chat apps that seem to have been created for the campaign and appear to still be available on the App Store, called WeTink and AnyGPT. Additionally, Kaspersky found the malicious code in a legitimate-seeming food delivery app called ComeCome, which you can also still download.

Neither Apple nor Google immediately responded to The Verge’s request for comment.

Apps distributed through both Apple and Google’s app stores are hiding malicious screenshot-reading code that’s being used to steal cryptocurrency, the cybersecurity software firm Kaspersky reported today. It’s the “first known case” of apps infected with malware that uses OCR tech to extract text from images making it into Apple’s App Store, according to a blog post detailing the company’s findings.

Kaspersky says it discovered the code from this particular malware campaign, which it calls “SparkCat,” in late 2024 and that the frameworks for it appear to have been created in March of the same year.

On iOS and in some Android instances, the malware works by triggering a request to access users’ photo galleries when they attempt to use chat support within the infected app. Once permission is granted, it uses Google OCR tech, which lets it decipher text found in photos, to look for things like screenshots of crypto wallet passwords or recovery phrases. The software then sends any images it finds back to the attackers, who can then use the info to access the wallets and steal crypto.

Kaspersky says it can’t “confirm with certainty the infection was a result of a supply chain attack or deliberate action by the developers.” The company names two AI chat apps that seem to have been created for the campaign and appear to still be available on the App Store, called WeTink and AnyGPT. Additionally, Kaspersky found the malicious code in a legitimate-seeming food delivery app called ComeCome, which you can also still download.

Neither Apple nor Google immediately responded to The Verge’s request for comment.