Even Apple’s tightly controlled App Store isn’t immune to surprises. Security researchers have uncovered what may be a first: malware inside iOS App Store apps that can read and extract text from screenshots—a technique previously seen in Android malware.
This malware can analyze photos from the gallery as well as capture and process new screenshots. The attacks appear to be strategically timed to exploit the fact that many screenshot prevention techniques no longer work on newer iOS versions.
The discovery of SparkCat malware could mark a turning point in iOS security. By leveraging Optical Character Recognition (OCR), SparkCat supposedly can steal sensitive information directly from end users’ photo galleries, targeting crypto wallets, passwords, and other valuable credentials. This malware doesn’t need a jailbreak or an exploit—it merely needs permission to access your photos, which many users grant without a second thought.
“Malware that captures screenshots, extracts text, and processes images with AI or OCR has been a cybercriminal tool for years, but iOS largely avoided this threat—until now,” said Dr. Klaus Schenk, Head of Security and Threat Research, Verimatrix. “While Apple’s App Store sees far less malware than Google Play, no platform is immune. The fact that even security-critical banking apps have been found to allow screenshots should raise concerns, especially as iOS threats grow more sophisticated.”
Unlike traditional iOS malware that relies on system exploits, SparkCat takes a more subtle approach: manipulating legitimate permissions.
When users open chat support within an infected app, they’re prompted to grant access to their photo gallery. Once access is granted, SparkCat scans screenshots using OCR to extract sensitive text and sends it to attackers. Despite Apple’s strong App Store security, which prevents most malware from reaching official distribution channels, this particular threat managed to slip through undetected.
Fast removal doesn’t mean the threat is gone
It didn’t take long for Apple and Google to pull these malicious apps once security researchers blew the whistle. While Apple’s App Store is generally more secure than open ecosystems, malware still finds ways to sneak through before detection happens. The short window of exposure is enough for thousands—or even millions—of downloads, making prevention just as critical as response.
A supply-chain attack? The bigger threat at play
One overlooked detail in the original security research is that this may not just be a case of malware slipping past App Store review. Research suggests that some infected apps may have been compromised through a supply-chain attack. Early versions of the malicious SDK used in these apps contained unencrypted API endpoints and a hardcoded command-and-control (C2) address, meaning its capabilities were visible in plaintext.
As time went on, threat actors evolved their tactics—newer versions of the SDK began obfuscating critical strings, making the malware harder to detect. This highlights a key issue: app security isn’t just about scanning final app builds—it’s about securing the development process from the start.
What this means for iOS developers
Supply-chain security is an area that cannot be ignored. Many developers unknowingly integrate third-party SDKs without realizing they may have been compromised earlier in their lifecycle. This attack proves that:
Early versions of malicious SDKs can be detected using standard security scans.
Newer, obfuscated versions can slip past keyword-based detection, which is why more advanced runtime monitoring is critical.
For those questioning whether supply-chain protection on iOS is effective, this case offers both a warning and validation. While early-stage malware was detectable, the more advanced versions adapted—and that’s the real risk developers need to prepare for.
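The two detection tiers described above, as an added example that is not from the original article or from any vendor tool: a keyword scan over a constructed string dump of an "early" SDK build finds the cleartext endpoint, the same scan over a "later" build with the string encoded finds nothing, and a decode-and-rescan pass plus an entropy check recover it. Base64 is an assumed stand-in for whatever obfuscation the real SDK used; every string and host below is constructed.

```python
import base64
import binascii
import math
import re

# Constructed string tables (not real SparkCat indicators): what a strings-style
# dump of an early and a later build of a suspect SDK might contain. The article
# only says later builds obfuscated critical strings; base64 is an assumed stand-in.
C2_ENDPOINT = "http://sdk-update.example-c2.test/api/v1/upload"
ENCODED_ENDPOINT = base64.b64encode(C2_ENDPOINT.encode()).decode()
EARLY_BUILD_STRINGS = [
    "CFBundleShortVersionString",
    C2_ENDPOINT,                      # cleartext endpoint, as in early SDK versions
    "photoLibraryDidChange:",
]
LATER_BUILD_STRINGS = [
    "CFBundleShortVersionString",
    ENCODED_ENDPOINT,                 # same endpoint, now encoded
    "photoLibraryDidChange:",
    base64.b64encode(b"CFBundleShortVersionString").decode(),  # benign encoded decoy
]
ENDPOINT_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./-]*)?")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def keyword_scan(strings):
    """Keyword/regex pass: catches endpoints only while they sit in cleartext."""
    return [m.group(0) for s in strings for m in ENDPOINT_RE.finditer(s)]

def shannon_entropy(s):
    """Bits per character; encoded or encrypted blobs score higher than identifiers."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def decoded_scan(strings):
    """Second pass: decode base64-looking strings and re-run the endpoint regex.
    Returns (encoded_string, recovered_endpoint) pairs."""
    hits = []
    for s in strings:
        if not B64_RE.match(s):
            continue
        try:
            text = base64.b64decode(s, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64 or not text: leave it to the entropy check
        hits.extend((s, m.group(0)) for m in ENDPOINT_RE.finditer(text))
    return hits

def high_entropy_strings(strings, threshold=4.5):
    """Flag long high-entropy strings for manual review, even when no decoder fires."""
    return [s for s in strings if len(s) >= 16 and shannon_entropy(s) >= threshold]
```

The entropy pass is the fallback for encodings the decoder does not know: it cannot name the endpoint, but it tells the reviewer which strings in a new SDK version deserve a look.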
A growing attack surface?
SparkCat isn’t emerging in isolation—it’s part of a larger trend. Recent iOS threats that XTD Labs has written about, such as Operation Triangulation, which used a zero-click iMessage exploit to install spyware silently, and GoldPickaxe, which weaponized biometric data for deepfake identity fraud, show that iOS is becoming more and more vulnerable to cyberattacks.
Compounding this problem is Apple’s ongoing regulatory battle. With the EU’s Digital Markets Act (DMA) forcing Apple to open its ecosystem to third-party app stores and sideloading, the attack surface for iOS apps may grow. While Apple has implemented safeguards, opening the gates to alternative app stores inevitably introduces new security risks. More malware-laden “bad apps” could slip through less rigorous review processes, and malicious actors could exploit weaker security policies in third-party ecosystems to bypass traditional iOS defenses altogether. Whether Apple’s safeguards will be enough remains to be seen.
The combination of sophisticated malware like SparkCat and increasing regulatory-driven ecosystem changes paints an unsettling picture for iOS security moving forward. Mobile apps, particularly those in finance, healthcare, and cryptocurrency, face heightened risks, and developers can no longer afford to assume Apple’s built-in defenses will be enough. Side note: iOS is still much more secure than Android.
iOS app developer defense tips
Developers should consider proactively enhancing their iOS app defenses:
Implement advanced app shielding & code obfuscation: Strengthen security by making it harder for attackers to reverse-engineer apps or inject malicious code. This also protects critical functions like screenshot detection.
Monitor and detect runtime threats: Deploy security solutions or integrate custom code to detect suspicious behaviors, such as unauthorized screenshot scanning or abnormal API requests.
Update screenshot detection & prevention: Ensure code that detects and blocks screenshots is compatible with the latest iOS versions.
Educate users on app permissions: Many users unknowingly grant unnecessary permissions. Developers should design UI/UX flows that promote permission awareness and alert users to potential security risks.
Regularly audit third-party SDKs: As this case proves, malicious SDKs are a growing supply-chain threat. Vet and audit every version of a third-party library you ship, not just the latest, and use runtime protection to detect unauthorized connections.
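As an added example (not the article's or Verimatrix's code) of the runtime monitoring these tips call for: a small detector over constructed in-app telemetry that flags connections to hosts outside the app's allowlist, raw IP destinations, and egress from an SDK shortly after it was granted photo-library access, which is the chat-support-to-gallery sequence described earlier. The event format, app name, SDK names and hosts are all assumed.

```python
import ipaddress
import re
# Constructed telemetry (sample data, not real SparkCat traffic) in an assumed
# "t=<sec> app=<name> event=<kind> k=v ..." format from an in-app runtime monitor.
SAMPLE_EVENTS = """\
t=100 app=DemoWallet event=net_connect dst=api.demowallet.test:443 bytes_out=812
t=140 app=DemoWallet event=photo_access scope=full caller=ChatSupportKit
t=146 app=DemoWallet event=net_connect dst=203.0.113.9:8443 bytes_out=48213 caller=ChatSupportKit
t=950 app=DemoWallet event=net_connect dst=metrics.vendor.test:443 bytes_out=1200 caller=AnalyticsKit
""".splitlines()
# Hosts the app itself is expected to reach; every other destination is a finding.
ALLOWED_HOSTS = {"api.demowallet.test", "cdn.demowallet.test"}
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'k=v k=v ...' line into a dict, with t as an int."""
    ev = dict(KV_RE.findall(line))
    ev["t"] = int(ev["t"])
    return ev

def is_ip_literal(host):  # a hardcoded IP instead of a hostname is a classic C2 tell
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def detect(lines, allowed_hosts=ALLOWED_HOSTS, window=30):
    """Return (t, rule, detail) alerts: unlisted host, raw-IP destination, and
    unlisted egress within `window` seconds of photo-library access."""
    alerts, last_photo = [], None
    for ev in map(parse_event, lines):
        if ev["event"] == "photo_access":
            last_photo = ev
            continue
        if ev["event"] != "net_connect":
            continue
        host = ev["dst"].rsplit(":", 1)[0]
        if host in allowed_hosts:
            continue
        who = ev.get("caller", "app")
        alerts.append((ev["t"], "unlisted_host", f"{who} -> {host}"))
        if is_ip_literal(host):
            alerts.append((ev["t"], "ip_literal_dst", f"{who} -> {host}"))
        if last_photo and ev["t"] - last_photo["t"] <= window:
            delay = ev["t"] - last_photo["t"]
            alerts.append((ev["t"], "egress_after_photo_access",
                           f"{who} sent {ev['bytes_out']} bytes {delay}s after photo access"))
    return alerts
```

The analytics SDK at t=950 is flagged once as unlisted, while the chat-support SDK triggers all three rules; the correlation rule is what separates a forgotten allowlist entry from the exfiltration pattern.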
App defense isn’t Apple’s job alone
Attackers don’t care about iOS security roadmaps—they look for gaps, weak permissions, and ways to exploit new features or user behavior. If an SDK is compromised before it even reaches the App Store, your app is already in danger. Right now, someone is already working on a way to break in. When it happens, will you look back knowing you could have stopped it?
Written by
Jon Samsel
Head of Cybersecurity Business and Global Marketing
Commentary
Screenshot-Reading Malware Jumps the iOS Shark