
malicious iphone app scans your photo library for crypto recovery phrases

A recent 9To5Mac article covers a report from Kaspersky researchers who identified malicious apps in both Google Play and the App Store, so both Android and iPhone users were affected.

The iPhone app uses OCR to scan screenshots in the phone’s photo library. My immediate question was “does this only affect users who grant the app full access to their photos?”, as it would be pretty crazy to see a bypass of that blown on something so simple. Skimming through the report (most of it was about the Android version), I couldn’t see a mention of it, but it did describe the hide-in-plain-sight nature of the app, which helps it pass App Store review and earn the user’s trust. If an app uses photos, or is meant to take them, it’s not a reach to say most users would be fine granting it full access to their photo library.

Once a matching screenshot is identified, the app retrieves the photo and sends it to the attacker’s C2 server. Kaspersky found that the malware communicated using a Rust protocol implementation they didn’t recognize, which is interesting, as back in 2024 I ran into macOS malware that was a very strange Rust / CPython combination, and I ended up giving up on it (I’m a hack at reverse engineering).

I’ll end this with the ways most likely to keep you safe, since there doesn’t seem to be much information beyond Kaspersky’s report:

  • Don’t store seed phrases / recovery codes as a screenshot
    • This applies to recovery phrases for things like 2FA apps and password managers
  • Don’t download random apps.
  • Restrict the permissions of the apps you do download.
    • Don’t allow full access to the photos library, don’t allow access to contacts, etc.
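To make the “full access vs. limited access” distinction concrete from the app’s side, here is an added Swift example (mine, not code from the report, from 9To5Mac, or from the malicious app). It uses only public PhotoKit / PhotosUI APIs; the class name `PhotoAccessDemo` and its method names are hypothetical. The point it shows: under `.authorized`, `PHAsset.fetchAssets` and the Screenshots smart album enumerate the whole library, which is exactly what an OCR sweep needs; under `.limited`, the same calls return only the items the user picked in the limited-access picker; and an app that just needs one photo from the user should use `PHPickerViewController`, which runs out of process and requires no library permission at all.

```swift
import Photos
import PhotosUI
import UIKit

// Hypothetical demo class (added example, not from the article or the malware).
// Requires NSPhotoLibraryUsageDescription in Info.plist before requesting access.
final class PhotoAccessDemo {

    /// Request read access, then report how much of the library the app can see.
    /// Under limited access, fetches return ONLY the user-selected assets, so a
    /// whole-library screenshot sweep is not possible from inside the app.
    func requestAndEnumerate() {
        PHPhotoLibrary.requestAuthorization(for: .readWrite) { status in
            switch status {
            case .authorized:
                // Full access: every image, including every screenshot, is fetchable.
                let all = PHAsset.fetchAssets(with: .image, options: nil)
                print("Full access: \(all.count) images visible to this app")
            case .limited:
                // Limited access: only what the user picked in the limited picker.
                let subset = PHAsset.fetchAssets(with: .image, options: nil)
                print("Limited access: \(subset.count) user-chosen images visible")
            case .denied, .restricted:
                print("No photo library access")
            case .notDetermined:
                print("Permission not requested yet")
            @unknown default:
                break
            }
        }
    }

    /// The query a library-scraping app would run: enumerate the Screenshots
    /// smart album. Under limited access this yields only user-selected items.
    func fetchScreenshots() -> [PHAsset] {
        let albums = PHAssetCollection.fetchAssetCollections(
            with: .smartAlbum, subtype: .smartAlbumScreenshots, options: nil)
        var result: [PHAsset] = []
        albums.enumerateObjects { album, _, _ in
            let assets = PHAsset.fetchAssets(in: album, options: nil)
            assets.enumerateObjects { asset, _, _ in result.append(asset) }
        }
        return result
    }

    /// Let the user add more items to a limited selection without re-prompting.
    func extendLimitedSelection(from viewController: UIViewController) {
        PHPhotoLibrary.shared().presentLimitedLibraryPicker(from: viewController)
    }

    /// The least-privilege design for an app that just needs a photo: the system
    /// picker runs out of process and hands back only what the user chose, so the
    /// app never holds a library permission that a malicious update could abuse.
    func presentPicker(from viewController: UIViewController,
                       delegate: PHPickerViewControllerDelegate) {
        var config = PHPickerConfiguration(photoLibrary: .shared())
        config.filter = .images
        config.selectionLimit = 1
        let picker = PHPickerViewController(configuration: config)
        picker.delegate = delegate
        viewController.present(picker, animated: true)
    }
}
```

As a user, the practical check is the prompt itself: choosing “Limit Access” (or “Select Photos…”) instead of “Allow Full Access” is what puts the app in the `.limited` branch above. Apps that only ever need a single image should not be asking for library permission at all, so a request for full access from something like a messaging or food-delivery app is itself a signal worth pausing on.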

Beyond those things, there isn’t a whole lot a person can do to combat malicious apps in the app stores other than staying vigilant.


alp1n3
Hi, I'm alp1n3

This is a collection of my cybersecurity notes & projects.

I graduated from Dakota State University with a MS in Cyber Defense & BS in Cyber Operations. Since then I've worked as a Malware Analyst with the U.S. Army Cyber Command, and am now a Web Application Security Consultant.

I'm a big fan of open security standards for applications and workflow automation when it comes to security testing. The easier it is to identify and replicate, the more secure everyone's apps can be! My other writings and projects are scattered across the web, but can be found in the links page.

Contact me:

Signal: alp1n3.01 | Email Me | GitHub


Content licenced under CC BY-NC-ND 4.0