How Threat Actors Exploit Optical Character Recognition in Cybersecurity Attacks
What Is Optical Character Recognition (OCR)?
Optical Character Recognition (OCR) is a technology that converts images of text—such as scanned documents, photographs, or screenshots—into readable text. It's widely used in digitizing printed documents, automating data entry, and enabling text-to-speech for accessibility. OCR systems often leverage neural networks to achieve high accuracy in text recognition.

Malicious Use of OCR by Threat Actors
While OCR has many legitimate uses, cybercriminals have found ways to weaponize this technology. By integrating OCR into malware, attackers can extract sensitive information from images stored on victims' devices. This approach allows them to bypass traditional security measures that monitor text inputs or clipboard activity. Instead of logging keystrokes or capturing screenshots, behaviors that might alert antivirus software, these malware strains read text directly from stored images, so no keyboard, clipboard, or screen-capture activity is generated for monitoring tools to catch.
Notable Malware Utilizing OCR
- CherryBlos: Discovered in 2023, CherryBlos is an Android malware that uses OCR to extract cryptocurrency wallet recovery phrases from images stored on infected devices. It also overlays fake interfaces to steal credentials and hijacks clipboard data to redirect cryptocurrency transactions.
- SpyAgent: Identified by McAfee, SpyAgent scans devices for images containing crypto wallet recovery phrases. Using OCR, it extracts these phrases and sends them to attackers, granting them access to victims' cryptocurrency funds. SpyAgent has been detected in over 280 fraudulent apps, primarily targeting users in South Korea and the UK.
- SparkCat: This malware has been found in both Android and iOS apps, masquerading as legitimate services. SparkCat uses OCR to scan photo libraries for images containing wallet recovery phrases, which are then exfiltrated to command-and-control servers. Notably, SparkCat employs a Rust-based communication mechanism, a rarity in mobile malware.
Protecting Small and Medium-Sized Businesses (SMBs) from OCR-Based Attacks
SMBs can take several measures to safeguard against OCR-based cyber threats:
- Employee Education: Train staff to avoid storing sensitive information, like passwords or recovery phrases, as images on their devices.
- App Vetting: Implement strict policies for installing applications, ensuring they are from reputable sources and have been vetted for security.
- Permission Management: Monitor and restrict app permissions, especially those requesting access to storage, camera, or accessibility features.
- Regular Audits: Conduct periodic security audits to detect and remove unauthorized or malicious applications.
- Use of Security Software: Deploy reputable mobile security solutions that can detect and prevent malware infections.
- Data Encryption: Encourage the use of encrypted storage solutions for sensitive information, reducing the risk of data being compromised if accessed.
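The permission-management and app-vetting steps above can be partly automated. The following is an added example, not code from the original article: it parses an Android manifest and flags the permission combination the OCR stealers described here depend on (access to stored images plus network access for exfiltration), along with overlay and accessibility access. The manifest it inspects is a constructed sample, not a real app.

```python
# Added example, not from the article: a triage check for the permission
# management and app-vetting steps above. It flags the permission combination
# OCR seed-phrase stealers rely on (read stored images + network access),
# plus overlay and accessibility access. The sample manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
IMAGE_ACCESS = {"android.permission.READ_MEDIA_IMAGES",
                "android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"}
NETWORK = {"android.permission.INTERNET"}
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
ACCESSIBILITY = {"android.permission.BIND_ACCESSIBILITY_SERVICE"}

def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus permissions guarding <service>s."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service is not requested via uses-permission; it is a
    # <service> protected by BIND_ACCESSIBILITY_SERVICE, so check those too.
    perms |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    return {p for p in perms if p}

def triage(manifest_xml: str) -> list:
    """Return findings to review; an empty list means nothing was flagged."""
    perms = declared_permissions(manifest_xml)
    findings = []
    if perms & IMAGE_ACCESS and perms & NETWORK:
        findings.append("reads stored images and has network access")
    if perms & OVERLAY:
        findings.append("can draw over other apps (fake login overlays)")
    if perms & ACCESSIBILITY:
        findings.append("declares an accessibility service (screen reading)")
    return findings

# Constructed sample manifest showing the full combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```

Many legitimate apps (photo editors, screen readers) request these same permissions, so a finding is a prompt for manual review during vetting, not a verdict.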

Conclusion
OCR technology, while beneficial in many contexts, has been exploited by cybercriminals to extract sensitive information from images. Malware like CherryBlos, SpyAgent, and SparkCat demonstrates the evolving tactics of threat actors in targeting unsuspecting users. SMBs must remain vigilant, educating employees and implementing robust security measures to protect against these sophisticated attacks. Defending against them requires resources for employee training and continuous network monitoring. Such services often require companies to hire a CISO, an expensive endeavor; TechHorizon Consulting can help with our vCISO service. We provide services like the ones mentioned above for a fraction of the cost of a traditional CISO. If this interests you or your company, please visit our "Contact Us" page.