Malicious FakeWallet Apps Discovered on Apple App Store Targeting Cryptocurrency Users

A set of 26 malicious applications, known as FakeWallet, has been found on the Apple App Store, designed to impersonate legitimate cryptocurrency wallets and steal sensitive user information.

Recent findings by cybersecurity researchers have unveiled a group of 26 malicious applications on the Apple App Store that impersonate popular cryptocurrency wallets. These apps aim to steal users’ recovery phrases and private keys, a tactic that has been in play since at least fall 2025.

Details of the Malicious Apps

According to Kaspersky researcher Sergey Puzan, once these apps are launched, they redirect users to web pages that mimic the App Store, distributing trojanized versions of legitimate wallets. The apps, collectively referred to as FakeWallet, imitate various well-known wallets, including Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. Following the disclosure, many of these apps have been removed by Apple.

Distribution and Targeting Techniques

These malicious applications were available for download from the Apple App Store, particularly when users had their Apple accounts set to the China region. They feature icons similar to the originals but contain intentional typos in their names, such as LeddgerNew, to mislead users. In some instances, the app names and icons bear no relation to cryptocurrency at all, serving only as placeholders that prompt users to download the "official" wallet app, on the pretext that it is unavailable in the App Store due to regulatory issues.
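As an added defender-side example, not code from Kaspersky or this article, the following Python heuristic flags app names that are a near-miss of a known wallet brand, the way "LeddgerNew" is to Ledger. The brand list is a short constructed sample taken from the wallets named above, and the edit-distance threshold is an assumed tuning value.

```python
# Heuristic detector for typosquatted cryptocurrency-wallet app names.
# Assumptions: KNOWN_WALLETS is a constructed sample list, and the
# max_edits threshold is a tuning choice, not a value from the report.

# Brands the report says were imitated, lowercased for matching.
KNOWN_WALLETS = ["bitpie", "coinbase", "imtoken", "ledger",
                 "metamask", "tokenpocket", "trust wallet"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lowercase and collapse whitespace so 'Trust  Wallet' == 'trust wallet'."""
    return " ".join(name.lower().split())


def closest_brand_window(name: str, brand: str) -> int:
    """Smallest edit distance between `brand` and any substring of `name`
    whose length is within one character of the brand's length."""
    best = len(brand)
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(0, max(1, len(name) - width + 1)):
            window = name[start:start + width]
            if window:
                best = min(best, levenshtein(window, brand))
    return best


def typosquat_matches(app_name: str, max_edits: int = 1) -> list[tuple[str, int]]:
    """Return (brand, distance) pairs where the app name contains a near-miss
    of a known wallet brand. An exact brand substring is deliberately not
    reported: that case needs publisher verification, not string matching."""
    name = normalize(app_name)
    hits = []
    for brand in KNOWN_WALLETS:
        if brand in name:
            continue
        d = closest_brand_window(name, brand)
        if 1 <= d <= max_edits:
            hits.append((brand, d))
    return hits
```

Running `typosquat_matches("LeddgerNew")` returns `[("ledger", 1)]`, while an exact name such as "MetaMask" returns nothing and must be checked against the publisher instead.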

Methods of Theft

Kaspersky has identified that the end goal of these infections is to capture mnemonic phrases from both hot and cold wallets. The malware can exfiltrate these phrases to an external server, enabling attackers to gain control over victims’ wallets and drain their cryptocurrency assets. The seed phrases are captured either by hooking into the code responsible for the recovery phrase entry screen or by displaying phishing pages that trick users into entering their mnemonics.

Potential Links to Previous Campaigns

There is speculation that this campaign may be associated with the SparkKitty trojan campaign from the previous year. Some of the infected apps include a module designed to steal wallet recovery phrases using optical character recognition (OCR). Both campaigns appear to be executed by native Chinese speakers and specifically target cryptocurrency assets. Kaspersky noted that the FakeWallet campaign is evolving by utilizing new tactics, including embedding malicious payloads within legitimate apps and employing sophisticated phishing notifications.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
