26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases
Crypto Alert: 26 "FakeWallet" Apps Discovered on Apple App Store
TL;DR: Researchers have identified a sophisticated campaign involving 26 malicious apps on the Apple App Store designed to steal cryptocurrency recovery phrases. Dubbed "FakeWallet," these apps impersonate major platforms like MetaMask and Coinbase, primarily targeting users with Apple accounts set to China.
Cybersecurity researchers have uncovered a significant threat to mobile cryptocurrency users: a cluster of 26 malicious applications that successfully bypassed Apple’s App Store security filters. These apps, collectively referred to as FakeWallet, are designed to hijack recovery phrases (seed phrases) and private keys to drain victims' digital assets.
According to Kaspersky researcher Sergey Puzan, this campaign has been active since at least the fall of 2025. While many of the identified apps have been removed following disclosure, the sophistication of the campaign suggests an evolving threat landscape for iOS users.
How the "FakeWallet" Scheme Operates
Unlike previous campaigns that relied on suspicious third-party websites, the FakeWallet actors successfully placed their malware directly on the official Apple App Store.
The primary targets appear to be users with their Apple account region set to China. The attackers employed several deceptive tactics to lure victims:
- Intentional Typos: Apps were uploaded with slight misspellings of famous brands—for example, "LeddgerNew" instead of Ledger.
- Visual Mimicry: The apps used icons that mirrored legitimate wallet software to build instant trust.
- Bait-and-Switch Placeholders: Some apps appeared as benign tools, such as games, calculators, or task planners. Once launched, these apps claimed the "official" wallet was unavailable in the App Store due to regulations and redirected the user to a browser page to download a "trojanized" version.
- Provisioning Profiles: The attackers leveraged enterprise provisioning profiles to install the final malicious payloads directly onto the victim's device.
High-Profile Targets
The campaign targeted a wide array of both hot and cold wallet users, impersonating several of the most popular brands in the industry, including:
- Bitpie
- Coinbase
- imToken
- Ledger
- MetaMask
- TokenPocket
- Trust Wallet
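The typosquatting tactic described above ("LeddgerNew" for Ledger) and the brand list just given lend themselves to a simple name-screening check that an app-vetting or mobile-device-management team could run over app titles. The following is an added example written for this page, not code from the original article or from Kaspersky. It uses the seven brand names the article lists and the "LeddgerNew" example as inputs; the edit-distance threshold of 2, the sliding-window heuristic for names with extra words appended, and the sample benign title "Task Planner" are my own assumptions.

```python
"""Screen app titles for near-miss impersonations of known wallet brands.

Added example for this page; not the article's or Kaspersky's code.
Brand names come from the article's list of impersonated wallets.
"""
from __future__ import annotations

import re

# Brands the article lists as impersonated by the FakeWallet apps.
KNOWN_WALLET_BRANDS = [
    "Bitpie", "Coinbase", "imToken", "Ledger",
    "MetaMask", "TokenPocket", "Trust Wallet",
]


def normalize(name: str) -> str:
    """Lowercase and drop non-alphanumerics so 'Trust Wallet' equals 'trustwallet'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def brand_similarity(app_name: str, brand: str) -> int:
    """Smallest edit distance between the brand and either the whole app name or
    any window of the name within one character of the brand's length.
    The window pass is what catches 'LeddgerNew': 'leddger' is one edit from 'ledger'
    even though the full title is four edits away (assumed heuristic)."""
    n, b = normalize(app_name), normalize(brand)
    best = levenshtein(n, b)
    for win in (len(b) - 1, len(b), len(b) + 1):
        if win <= 0 or win > len(n):
            continue
        for start in range(len(n) - win + 1):
            best = min(best, levenshtein(n[start:start + win], b))
    return best


def classify_app_name(app_name: str, max_distance: int = 2) -> dict:
    """Return a verdict dict for one app title.

    Verdicts:
      exact-brand-name  title is exactly a known brand (legitimate or a clone; name alone can't tell)
      brand-embedded    a known brand appears verbatim inside a longer title
      typosquat         a known brand appears with 1..max_distance edits
      no-match          nothing close to a known brand
    """
    n = normalize(app_name)
    best_brand, best_dist = None, None
    for brand in KNOWN_WALLET_BRANDS:
        d = brand_similarity(app_name, brand)
        if best_dist is None or d < best_dist:
            best_brand, best_dist = brand, d
    if best_dist is None or best_dist > max_distance:
        return {"name": app_name, "verdict": "no-match", "brand": None, "distance": None}
    if n == normalize(best_brand):
        verdict = "exact-brand-name"
    elif best_dist == 0:
        verdict = "brand-embedded"
    else:
        verdict = "typosquat"
    return {"name": app_name, "verdict": verdict, "brand": best_brand, "distance": best_dist}


if __name__ == "__main__":
    # Constructed sample titles: the first is the article's own example, the rest are made up.
    for title in ["LeddgerNew", "MetaMask", "Trust Wallet Pro", "Task Planner"]:
        print(classify_app_name(title))
```

Only a `typosquat` verdict is a strong signal on its own; `exact-brand-name` and `brand-embedded` need the publisher identity and bundle identifier checked against the vendor's published values, since a clone can reuse the exact name and icon, as the article's "visual mimicry" tactic describes.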
Technical Execution: Theft via Library Injection and OCR
Once a user installs the infected app, the malware uses various methods to exfiltrate sensitive data. "The attackers have churned out a wide variety of malicious modules, each tailored to a specific wallet," Puzan noted.
The primary goal is to capture mnemonic recovery phrases. This is achieved by:
- Code Hooking: Injecting malicious libraries into the app’s code to monitor the screen where a user enters their recovery phrase.
- Phishing UI: Serving fake verification pages that prompt users to type in their seed phrases.
- Optical Character Recognition (OCR): In some instances, the malware can "read" text from the screen using OCR to steal phrases even if they aren't typed directly into a field.
Due to the use of OCR and technical similarities, researchers suspect the campaign may be linked to the threat actors behind the SparkKitty trojan, a campaign attributed to native Chinese speakers targeting crypto assets.
Beyond iOS: The MiningDropper Threat
While the FakeWallet campaign focused on iOS, researchers also highlighted a separate Android-based threat known as MiningDropper (or BeatBanker).
This framework targets users in India, Latin America, Europe, and Asia. It uses a multi-stage architecture to deliver a combination of cryptocurrency miners, banking malware, and remote access trojans (RATs). Unlike FakeWallet, there is currently no evidence that these specific malicious apps were distributed via the Google Play Store; instead, they were propagated via fake websites impersonating banking institutions.
Conclusion
The FakeWallet campaign highlights a dangerous shift in mobile security, proving that even the "walled garden" of the Apple App Store is not immune to sophisticated social engineering and malware injection. Users are urged to remain vigilant, double-check app names for typos, and never enter recovery phrases into an application unless they are 100% certain of its authenticity.
At this time, there is no evidence that the FakeWallet apps were distributed via the Google Play Store.
Source: https://thehackernews.com/2026/04/26-fakewallet-apps-found-on-apple-app.html