
Apple and Google have removed up to 20 applications from their app stores following the discovery of data-stealing malware that had been infecting devices for nearly a year, as reported by security experts.
According to Kaspersky’s security specialists, the identified malware, known as SparkCat, has been active since March 2024. Researchers initially detected this malicious software in a food delivery application used in the United Arab Emirates and Indonesia. Subsequent investigation revealed the malware in 19 other, unrelated applications, which together had amassed over 242,000 downloads from the Google Play Store.
Using optical character recognition (OCR) technology designed to capture visible text on users’ screens, the malware sifted through the image galleries of infected devices, searching for keywords that indicate recovery phrases for cryptocurrency wallets in multiple languages, including English, Chinese, Japanese, and Korean.
By using the malware to acquire recovery phrases, cybercriminals could gain full access to a victim’s cryptocurrency wallet and steal their funds, according to the researchers’ findings.
In addition to hijacking cryptocurrency wallets, the malware could extract sensitive personal information from screenshots, including messages and passwords, the researchers noted.
Following the researchers’ findings, Apple swiftly removed the affected applications from its App Store last week, which was soon followed by action from Google.
“All identified apps have been eliminated from Google Play, and the developers responsible have been banned,” stated Google representative Ed Fernandez to TechCrunch.
Furthermore, Fernandez confirmed that Android users were safeguarded from known variants of this malware owing to the built-in Google Play Protect security feature.
Apple did not respond to requests for information regarding the situation.
Kaspersky spokesperson Rosemarie Gonzales explained to TechCrunch that, despite the removal of the apps from the official stores, Kaspersky’s telemetry data indicated that the malware remained available through other websites and unofficial app stores.
