Screenshot-scanning malware discovered on Apple App Store in first-of-its-kind attack

While I admit the App Store is a secure and tightly controlled ecosystem, it cannot completely shield you. Security researchers have found that hackers are targeting several apps on the App Store to spread malware that steals information from screenshots saved on a device. 

One of its standout features is Optical Character Recognition. Instead of stealing stored files, it scans screenshots saved on the device, extracts text and sends the information to remote servers.

Once installed, the malware operates stealthily, often activating only after a period of dormancy to avoid raising suspicion. It employs encrypted communication channels to send stolen data back to its operators, making it difficult to trace. Plus, it spreads through deceptive updates or hidden code within app dependencies, an approach that helps it evade initial security screenings by app store review teams.

The scope of stolen information is alarming. This malware primarily targets crypto wallet recovery phrases but is also capable of exfiltrating login credentials, payment details, personal messages, location data and even biometric identifiers. Some versions are designed to harvest authentication tokens, allowing attackers to access accounts even if users change their passwords.

The apps serving as malware carriers include ComeCome, ChatAi, WeTink, AnyGPT and more. These range from productivity tools to entertainment and utility apps. In some cases, malicious developers create these apps with full knowledge of the malware's purpose. In others, the issue appears to be a supply chain vulnerability, where legitimate developers unknowingly integrate compromised SDKs or third-party services that introduce malicious code into their applications.

We reached out to Apple for a comment but did not hear back before our deadline. 

Apple has removed the 11 iOS apps mentioned in Kaspersky's report from the App Store. Furthermore, they discovered that these 11 apps shared code signatures with 89 other iOS apps, all of which had been previously rejected or removed for violating Apple's policies, resulting in the termination of their developer accounts.

Apps requesting access to user data such as Photos, Camera or Location must provide relevant functionality or face rejection. They must also clearly explain their data usage when prompting users for permission. iOS privacy features ensure users always control whether their location information is shared with an app. Also, starting in iOS 14, the PhotoKit API - which allows apps to request access to a user's Photos library - added additional controls to let users select only specific photos or videos to share with an app instead of providing access to their entire library. 

The App Store Review Guidelines mandate that developers are responsible for ensuring their entire app, including ad networks, analytics services and third-party SDKs, complies with the guidelines. Developers must carefully review and choose these components. Apps must also accurately represent their privacy practices, including those of the SDKs they use, in their privacy labels.

In 2023, the App Store rejected over 1.7 million app submissions for failing to meet its stringent privacy, security and content standards. It also rejected 248,000 app submissions found to be spam, copycats or misleading and prevented 84,000 potentially fraudulent apps from reaching users.

A Google spokesperson tells CyberGuy: 

However, it is important to note that Google Play Protect may not be enough. Historically, it isn't 100% foolproof at removing all known malware from Android devices. Here's why:

2. Stick to trusted developers and well-known apps: Even though malware has been found in official app stores, users can still minimize their risk by downloading apps from reputable developers with a long track record. Before installing an app, check its developer history, read multiple reviews and look at the permissions it requests. If an app from an unknown developer suddenly gains popularity but lacks a strong review history, approach it with caution.

5. Be wary of apps that promise too much: Many malware-infected apps lure users by offering features that seem too good to be true - such as free premium services, extreme battery optimizations or AI-powered functionality that appears unrealistic. If an app's claims sound exaggerated or its download numbers skyrocket overnight with questionable reviews, it's best to avoid it. Stick to apps with a transparent development team and verifiable functionalities. 

The new malware campaign highlights the need for stricter vetting processes, continuous monitoring of app behavior post-approval and greater transparency from app stores regarding security risks. While Apple and Google have removed the malicious apps upon detection, the fact that they made it onto the platform in the first place exposes a gap in the existing security framework. As cybercriminals refine their methods, app stores must evolve just as quickly or risk losing the trust of the very users they claim to protect.

Follow Kurt on his social channels:

Answers to the most-asked CyberGuy questions:

New from Kurt:

Copyright 2025 CyberGuy.com. All rights reserved.