Dozens of Malicious Crypto Apps Land in Apple App Store

Summary

A campaign dubbed FakeWallet has deployed over two dozen malicious applications masquerading as legitimate cryptocurrency wallets (Coinbase, MetaMask, Ledger, etc.) on the Apple App Store, primarily targeting Chinese users. The apps employ typosquatting, phishing, and code injection to steal recovery phrases, seed phrases, and private keys from both hot and cold wallets. Kaspersky linked the campaign to the SparkKitty malware family based on distribution techniques and Chinese-language code artifacts.

Full text

Over two dozen fake cryptocurrency applications targeting iOS users have been published to the Apple App Store, Kaspersky reports. The malicious campaign, dubbed FakeWallet, has been ongoing since at least the fall of 2025, focused on stealing users’ recovery phrases and private keys. The apps, Kaspersky says, were first noticed in March, after they started to frequently appear in search results on the Chinese App Store. Because many official wallet applications are currently unavailable to users in China due to restrictions, threat actors have started mimicking their names and icons, using typosquating to trick users into believing they are downloading legitimate software. Although some of the apps did not use cryptocurrency-associated names or icons, they displayed banners enticing users to download the apps to access official wallets that were not available in the App Store. Kaspersky identified a total of 26 such phishing applications that mimicked major wallets such as Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet.Advertisement. Scroll to continue reading. Additionally, the cybersecurity firm identified several other applications that did not include phishing functionality but were linked to the same threat actor. “It’s highly likely that the malicious features were simply waiting to be toggled on in a future update,” Kaspersky says. The phishing applications were designed to open a link in the browser in an attempt to trick the user into installing infected versions of crypto wallets. The malicious code was typically delivered via libraries, but in some cases, it was injected directly into the wallet’s source code. Code analysis revealed the presence of functions to harvest users’ recovery phrases and seed phrases, and to hijack the methods the app calls when users attempt to restore their hot wallets. Furthermore, the applications were found to target cold wallets through two Ledger implants. Kaspersky identified a website mimicking the official Ledger site hosting links to these applications, as well as compromised wallet apps for Android distributed through Chinese-language phishing pages, but not through the Play Store. According to the cybersecurity firm, while the apps appear to target Chinese speakers, the malicious modules do not have built-in regional restrictions, and some phishing notifications were seen adapting to the app’s language, suggesting that users outside China could be targeted as well. The threat actor responsible for the FakeWallet campaign appears linked to the SparkKitty malware that was uncovered in June last year, based on the distribution technique, focus on cryptocurrency wallets, Chinese log messages in the malicious modules, and the presence of SparkKitty modules in some applications. Apple has been notified and it has started removing the malicious apps. Related: Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit Related: Coruna iOS Exploit Kit Likely an Update to Operation Triangulation Related: Apple Patches iOS Zero-Day Exploited in ‘Extremely Sophisticated Attack’ Related: New $150 Cellik RAT Grants Android Control, Trojanizes Google Play Apps Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Hackers Abuse QEMU for Defense EvasionHalf of the 6 Million Internet-Facing FTP Servers Lack EncryptionHackers Fail to Exploit Flaw in Discontinued TP-Link RoutersTycoon 2FA Loses Phishing Kit Crown Amid Surge in AttacksTwo North Korean IT Worker Scheme Facilitators Jailed in the USCursor AI Vulnerability Exposed Developer Devices53 DDoS Domains Taken Down by Law EnforcementArtemis Emerges From Stealth With $70 Million in Funding Latest News Third US Security Expert Admits Helping Ransomware GangUnsecured Perforce Servers Expose Sensitive Data From Major OrgsProgress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMasterOrganizations Warned of Exploited Cisco, Kentico, Zimbra VulnerabilitiesData Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000$290 Million Kelp DAO Crypto Heist Blamed on North KoreaSerial-to-IP Converter Flaws Expose OT and Healthcare Systems to HackingBritish Scattered Spider Hacker Pleads Guilty in the US Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveAnti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors.ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer.Thomas Bain has been appointed Chief Marketing Officer at Silent Push.More People On The MoveExpert Insights Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — FakeWallet
• malware — SparkKitty

Entities