A Coordinated Fake Wallet Campaign Hits Apple's App Store
Security researchers at Kaspersky have exposed a campaign involving 26 malicious applications on Apple's App Store, each designed to impersonate well-known cryptocurrency wallets. The targeted brands include MetaMask, Coinbase, Trust Wallet, and OneKey. The goal of these apps is straightforward but devastating: steal recovery or seed phrases and use them to drain victims' cryptocurrency holdings entirely.
Kaspersky has named this cluster of apps the FakeWallet campaign and linked it to a broader, ongoing operation called SparkKitty, which researchers say has been active since last year. Apple has since removed all 26 apps from the App Store following Kaspersky's responsible disclosure.
How the Threat Actor Evaded Detection
The threat actor behind FakeWallet employed a range of tactics to make these apps appear legitimate. These included typosquatting — registering app names with slight misspellings of trusted brands — and fake branding designed to closely mirror official products.
Because cryptocurrency wallet apps face restrictions in China, the attacker made a calculated decision to publish their malicious apps under the guise of innocuous categories such as games or calculator tools. This framing was likely intended to make Chinese users believe these were workarounds for domestic app bans, increasing the likelihood of installation.
The Infection Chain: From App Store to Phishing Page
Once a victim opens one of these trojanized apps, they are redirected to a phishing webpage carefully constructed to resemble the legitimate portal of the cryptocurrency service being impersonated. Kaspersky's research includes screenshots of a fake website impersonating Ledger as one such example.
From these phishing pages, victims are convinced to download additional trojanized wallet applications. The delivery mechanism relies on iOS provisioning profiles — a legitimate enterprise feature built into Apple's ecosystem — which are abused here to sideload malware onto victims' devices. Kaspersky noted that this same technique was previously observed in the SparkKitty operation.
How Seed Phrases Are Stolen
The malicious apps contain hidden code that specifically targets mnemonic phrases, also known as seed phrases or recovery phrases, on the wallet setup and recovery screens. Once captured, a phrase is encrypted with RSA, Base64-encoded, and transmitted to the attacker's infrastructure.
For hardware wallets such as Ledger, the attackers take a slightly different approach. Instead of intercepting data automatically, they rely on in-app phishing prompts — fake security verification screens designed to trick users into manually typing in their seed phrases.
Seed phrases are critically sensitive because they serve as the master key to a cryptocurrency wallet. They are intended solely for wallet recovery or porting to a new device and require no additional passwords or confirmations to function. This means that anyone who obtains a seed phrase can fully restore a victim's wallet on their own device and transfer all funds without any possibility of reversal or recovery.
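To make the "master key" point concrete, the following added example (not code from Kaspersky, BleepingComputer, or any of the wallets named above) walks through the derivation that mainstream software wallets perform when a recovery phrase is entered. It assumes the wallets follow the BIP-39 and BIP-32 standards, which the article does not name; the test phrase is the public BIP-39 reference vector, not a real wallet. The derivation needs nothing but the words themselves, which is exactly why a captured phrase is sufficient to drain a wallet.

```python
"""
Added example: derive a wallet seed and master key from a recovery phrase the
way BIP-39 / BIP-32 wallets do (assumption: the impersonated wallets use these
standards). Standard library only; the phrase below is the public BIP-39
reference vector, not anyone's wallet.
"""
import hashlib
import hmac
import unicodedata

# BIP-39 parameters (from the public standard, not from the article)
PBKDF2_ROUNDS = 2048
SALT_PREFIX = "mnemonic"
VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Return the 64-byte BIP-39 seed for a mnemonic and optional passphrase.

    Nothing beyond the phrase is required: no account password, no device
    secret, no round-trip to the wallet vendor. That is the property the
    FakeWallet apps exploit once they have captured the words.
    """
    # BIP-39 mandates NFKD normalisation of both inputs before hashing.
    words = unicodedata.normalize("NFKD", mnemonic).split()
    if len(words) not in VALID_WORD_COUNTS:
        raise ValueError("a BIP-39 mnemonic has 12, 15, 18, 21 or 24 words")
    phrase = " ".join(words).encode("utf-8")
    salt = (SALT_PREFIX + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", phrase, salt, PBKDF2_ROUNDS, dklen=64)


def master_key_from_seed(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 master node: HMAC-SHA512 keyed with b"Bitcoin seed" over the seed.

    The left 32 bytes are the master private key, the right 32 bytes the chain
    code. Every account key in the wallet is derived deterministically from
    these two values, so restoring from the phrase recovers every address.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# Public BIP-39 reference vector (entropy of all zero bytes), used as sample input.
REFERENCE_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)


def demo() -> dict:
    """Derive the seed twice to show the result depends only on the words."""
    seed_a = mnemonic_to_seed(REFERENCE_MNEMONIC)
    seed_b = mnemonic_to_seed(REFERENCE_MNEMONIC)   # same words, same seed
    # An optional BIP-39 passphrase ("25th word") changes the seed entirely.
    seed_with_passphrase = mnemonic_to_seed(REFERENCE_MNEMONIC, "TREZOR")
    priv, chain = master_key_from_seed(seed_a)
    return {
        "deterministic": seed_a == seed_b,
        "passphrase_changes_seed": seed_a != seed_with_passphrase,
        "seed_hex": seed_with_passphrase.hex(),
        "master_priv_len": len(priv),
        "chain_code_len": len(chain),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `mnemonic_to_seed` output is what a wallet app holds in memory after the user types the phrase on a setup or recovery screen, which is the moment the FakeWallet code intercepts it. The optional passphrase branch shows the one factor that is not contained in the words themselves; a wallet created without one is fully recoverable from the phrase alone.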
Geographic Scope and Global Risk
While the FakeWallet campaign has been directed primarily at users in China, Kaspersky was clear that the malware contains no geographic restrictions. Should the operators decide to broaden their targeting, users anywhere in the world could be affected.
This is not an isolated incident within the Apple ecosystem. Just last week, a separate fraudulent Ledger app that managed to appear on Apple's App Store was found to have stolen $9.5 million worth of cryptocurrency from 50 macOS users — underscoring a troubling pattern of crypto-targeting malware slipping through official app vetting processes.
Apple's Response and an Open Question
Apple removed all 26 FakeWallet apps from the App Store after Kaspersky followed responsible disclosure procedures. However, the fundamental question of how these apps bypassed Apple's App Store verification process remains unanswered. BleepingComputer reached out to Apple for comment on the threat actor's methods but had not received a response by the time of publication.
How to Protect Yourself
Cryptocurrency holders can take several practical steps to reduce their exposure to this type of attack:
- Verify the publisher of any app before downloading, even from official stores like the Apple App Store.
- Use only links provided on the official website of the cryptocurrency service to locate legitimate apps.
- Be skeptical of any app that asks you to enter your seed phrase or recovery phrase — legitimate apps will never request this during routine use.
- Treat requests to install iOS provisioning profiles from unknown sources as a major red flag.
- Regularly check developer names and user reviews before installing financial or crypto-related applications.
As cryptocurrency adoption grows and threat actors become more sophisticated in their social engineering techniques, the integrity of official app distribution channels is increasingly under pressure. The FakeWallet campaign is a stark reminder that even curated platforms are not immune to abuse.
Source: BleepingComputer