Checklist 410: OCR Malware and Grubhub Data Theft
Screen-Reading Malware Found in Apple’s App Store, Targeting Crypto Wallets
In a concerning cybersecurity discovery, security firm Kaspersky has identified malware with screen-reading capabilities in apps distributed through Apple’s App Store. Dubbed “SparkCat,” the malware runs optical character recognition (OCR) over images stored on the device to pull text out of users’ screenshots. According to a MacRumors report, its primary target appears to be crypto wallet recovery phrases; anyone who obtains a recovery phrase can restore the wallet and move its Bitcoin or other cryptocurrency.
Affected Apps and Apple’s Response
Kaspersky reported several infected apps in the App Store, including ComeCome, WeTink, and AnyGPT. It remains unclear whether the developers added the malicious code deliberately or whether it arrived through a supply chain attack. Apple has since removed the apps from the App Store. When the names were checked independently, only one of the reported apps showed any trace of having previously been listed; the others no longer appeared in search results.
Understanding Supply Chain Attacks
The term supply chain attack refers to a cyber-attack targeting less secure elements in a system’s supply chain, including software or hardware components. According to Wikipedia, these attacks often involve injecting malicious code into widely used software dependencies. This means that even legitimate developers could have unknowingly integrated compromised code into their apps, spreading malware to unsuspecting users.
In this case, it’s possible that:
- The developers of the infected apps unknowingly used malicious third-party code.
- A tampered compilation tool inserted the malware during the app-building process.
- The developers themselves intentionally added the malware.
How the Malware Works
Once installed, the malicious apps request permission to access the user’s photo library. If the permission is granted, the malware runs OCR over the stored images and looks for text associated with crypto wallet recovery phrases. Any image that matches is uploaded to an attacker-controlled server.
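To make the triage step in the paragraph above concrete, here is an added example, written for this page and not SparkCat’s own code or Kaspersky’s analysis, of how OCR output from a stored image can be scored for a wallet recovery phrase: a run of 12, 15, 18, 21 or 24 tokens drawn from the BIP-39 wordlist, plus the context phrases wallets print beside one. The keyword list, the wordlist excerpt and the two OCR samples are constructed for the demo; a real check would load the full 2048-word list. Run defensively over your own exported screenshots, the same logic finds seed phrases before a malicious app does.

```python
"""Illustrative OCR-output triage for wallet recovery phrases.

Added example for this article. Not SparkCat's implementation; it models
the decision the article describes (is this image worth stealing?) and
doubles as a defensive check over your own screenshots.
"""
import re

# Context phrases wallets commonly print beside a seed phrase (constructed list).
CONTEXT_KEYWORDS = (
    "recovery phrase",
    "seed phrase",
    "secret phrase",
    "backup phrase",
    "mnemonic",
    "write these words down",
)

# Valid BIP-39 mnemonic lengths.
MNEMONIC_LENGTHS = (12, 15, 18, 21, 24)

# Small excerpt of the BIP-39 English wordlist so the demo runs offline.
# A real detector loads all 2048 words.
BIP39_EXCERPT = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
actress actual adapt add addict address adjust admit adult advance advice
aerobic affair afford afraid again age agent agree ahead aim air airport
aisle alarm album alcohol alert alien all alley allow almost alone alpha
already also alter always amateur amazing among amount amused analyst anchor
zebra zero zone zoo
""".split())

# BIP-39 words are 3 to 8 lowercase letters; list numbering ("7.") and
# prices never match, so OCR'd UI chrome is filtered for free.
_TOKEN = re.compile(r"\b[a-z]{3,8}\b")


def candidate_words(ocr_text):
    """Lowercase the OCR text and return tokens shaped like BIP-39 words."""
    return _TOKEN.findall(ocr_text.lower())


def best_mnemonic_window(tokens):
    """Slide a window of each valid mnemonic length over the tokens.

    Returns (coverage, length, start) for the window with the highest
    fraction of tokens found in the wordlist.
    """
    best = (0.0, 0, 0)
    for n in MNEMONIC_LENGTHS:
        for start in range(0, len(tokens) - n + 1):
            window = tokens[start:start + n]
            coverage = sum(w in BIP39_EXCERPT for w in window) / n
            if coverage > best[0]:
                best = (coverage, n, start)
    return best


def classify_ocr_text(ocr_text, min_coverage=0.9):
    """Triage verdict for one image's OCR output.

    mnemonic_like: a run of 12/15/18/21/24 tokens almost entirely from the
                   wordlist (0.9 tolerates one OCR misread per 12 words)
    keyword_hits:  context phrases that suggest a wallet backup screen
    sensitive:     worth a closer look (for the malware: worth uploading)
    """
    lowered = ocr_text.lower()
    tokens = candidate_words(ocr_text)
    coverage, length, start = best_mnemonic_window(tokens)
    hits = [k for k in CONTEXT_KEYWORDS if k in lowered]
    mnemonic_like = coverage >= min_coverage
    return {
        "mnemonic_like": mnemonic_like,
        "phrase": tokens[start:start + length] if mnemonic_like else [],
        "coverage": round(coverage, 3),
        "keyword_hits": hits,
        "sensitive": mnemonic_like or bool(hits),
    }


# Constructed OCR output, as a wallet's backup screen might read after OCR.
SEED_SCREENSHOT = """Your Secret Recovery Phrase
Write these words down and keep them safe
1. abandon 2. ability 3. able 4. about 5. above 6. absent
7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident
Continue"""

# Constructed OCR output from an unrelated screenshot (a food order receipt).
RECEIPT_SCREENSHOT = """Order #48213 confirmed
2x Veggie burrito   $18.00
Delivery fee        $3.99
Total               $24.50
Thanks for ordering!"""

if __name__ == "__main__":
    for name, text in (("seed", SEED_SCREENSHOT), ("receipt", RECEIPT_SCREENSHOT)):
        print(name, classify_ocr_text(text))
```

The two signals are deliberately independent: the wordlist window catches a bare grid of words with no label, while the keyword check catches a backup screen whose words OCR mangled. With the full wordlist loaded, a coverage threshold just under 1.0 keeps the tolerance for a single misread without flagging ordinary English prose, which rarely lines up twelve consecutive short dictionary words.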
While these apps primarily targeted iOS users in Europe and Asia, if the malicious code reached them through a supply chain compromise, the same component could be present in other apps, putting developers and users elsewhere at risk as well.
Protecting Yourself
Kaspersky advises users to avoid storing sensitive information in screenshots, especially crypto wallet recovery phrases and passwords. Given the malware’s flexibility, other forms of sensitive data—such as login credentials—could also be at risk.
A safer alternative? Use a password manager instead of relying on screenshots to store critical information.
Grubhub Data Breach Exposes Customer and Driver Information
In yet another major cybersecurity incident, Grubhub, one of the U.S.’s largest food delivery platforms, has confirmed that hackers accessed personal data belonging to customers, merchants, and drivers. The breach, first reported by TechCrunch, is believed to have resulted from a third-party service provider’s compromised account.
Who Was Affected?
Grubhub has not disclosed the number of individuals impacted, but with over 200,000 delivery drivers and 375,000 merchants operating in more than 4,000 cities across the U.S., the scale of the breach could be significant. Notably, the breach affected users of Grubhub’s Campus Dining service, which allows university students to use meal credits for food deliveries.
What Information Was Stolen?
While the full scope of the breach remains unclear, Grubhub has confirmed that hackers accessed:
- Names, email addresses, and phone numbers of customers, merchants, and drivers.
- Partial payment card details for some Campus Dining users, including card type and the last four digits of the card number.
- Hashed passwords associated with certain legacy systems.
How Did Grubhub Respond?
Grubhub stated that it took immediate action after detecting “unusual activity” within its network. Its response included:
- Investigating the breach with forensic cybersecurity experts.
- Revoking access for the compromised third-party service provider.
- Rotating all relevant passwords to prevent further unauthorized access.
- Enhancing monitoring to detect and prevent future breaches.
The company assured users that it is “dedicated to protecting the trust” of its customers and partners, though it has not announced any direct support for affected users or provided a timeline for when it will disclose the total number of impacted individuals.
What’s Next?
While Grubhub is reinforcing its security measures, customers and drivers remain in the dark about whether their personal data has been compromised. The company has yet to specify:
- When the breach occurred.
- How far back the accessed records go.
- Whether they will notify affected users.
- Any compensation or identity protection measures for impacted individuals.
For now, users should monitor their accounts for suspicious activity and consider changing their Grubhub passwords; because hashed passwords from legacy systems were among the data accessed, anyone who reused that password on another service should change it there too.