Crypto-Stealing Wallets Make Their Way Into the App Stores

Malicious apps designed to steal cryptocurrency have made their way into Apple’s App Store and Google Play, marking the first known case of such malware successfully bypassing Apple’s strict security review process.

According to cybersecurity firm Kaspersky, which first reported the findings, the malware, named SparkCat, uses optical character recognition (OCR) technology to scan users’ photo galleries for sensitive information such as crypto wallet passwords and recovery phrases. Once detected, these credentials are sent to attackers, allowing them to gain unauthorized access to victims’ digital wallets.

Kaspersky’s report revealed that SparkCat operates by embedding malicious code within legitimate-looking apps. When a user attempts to use chat support within the infected app, a request is triggered to access the device’s photo gallery. If permission is granted, the malware scans images for text that could contain crypto wallet details.

The Verge reported that two AI-powered chat apps, WeTink and AnyGPT, as well as a food delivery app called ComeCome, were among those found carrying the malware. These apps remain available for download, raising concerns about Apple and Google’s ability to detect and remove threats before they reach users.

Forbes further elaborated on the scale of the issue, noting that the infected apps have been downloaded over 242,000 times from Google Play alone. The report emphasized that this incident marks an evolution in crypto-related cyber threats, as attackers previously relied on clipboard-based malware that intercepted copied text. “The Trojan is particularly dangerous because nothing gives out a malicious implant inside the application,” Kaspersky researchers explained. “The permissions requested by it can be used in the main functionality of the application or seem to be seemingly harmless, and the malware works quite secretly.”

The attack is not limited to a specific region, with reports of the malware affecting users in multiple countries, including the UAE and Indonesia. Kaspersky found that SparkCat uses different OCR models to recognize text in various languages, including English, Chinese, Japanese, and Korean.

Neither Apple nor Google has commented on the discovery. Cybersecurity experts warn this is part of a broader trend, with a recent report highlighting hackers using fake meeting apps to target Web3 professionals. These scams, disguised as Zoom or Teams clones, install backdoors to steal crypto assets. Users are urged to delete suspicious apps, avoid storing wallet credentials in photo galleries, and use password managers or offline storage to protect sensitive data. As malware threats evolve, even tightly controlled app stores remain vulnerable.