26 FakeWallet iOS apps on App Store target crypto seeds

Researchers found 26 iOS apps on Apple’s App Store impersonating crypto wallets to steal recovery phrases and private keys; apps appeared for accounts set to China.

Security researchers at Kaspersky identified 26 malicious iOS apps on Apple’s App Store that impersonated popular cryptocurrency wallets to capture recovery phrases and private keys. The cluster of apps, tracked as FakeWallet, was available to users whose Apple accounts were set to China. Kaspersky reported many of the apps have been removed following disclosure.

The fake apps mimicked wallet names and icons for services including Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket and Trust Wallet. When opened, some of the apps directed users to browser pages designed to look like the App Store and pushed trojanized versions of legitimate wallets. Other builds acted as placeholders, instructing users to install an “official” wallet that the app claimed was unavailable on the App Store for regulatory reasons.

Kaspersky researcher Sergey Puzan warned, “The infected apps are specifically engineered to hijack recovery phrases and private keys.” The campaign used deceptive naming with intentional typos such as “LeddgerNew” and a set of builds that presented as unrelated tools, including games, calculators or task planners, to hide their true purpose. Several samples leveraged enterprise provisioning to install malicious wallet components outside normal App Store workflows.
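Added here as an illustration of the naming trick just described (this is not Kaspersky's code or method): a screening check that normalizes app titles, strips filler words such as "New" or "Wallet", and flags near-miss matches against the wallet brands the report names. The brand list comes from the article; the sample listings are constructed.

```python
import re

# Wallet brands named in the report; normalized below the same way app titles are.
WALLET_BRANDS = ["Bitpie", "Coinbase", "imToken", "Ledger", "MetaMask", "TokenPocket", "Trust Wallet"]
# Filler words impersonators tack onto a brand name; dropped before comparison.
NOISE_WORDS = {"new", "wallet", "pro", "official", "app", "lite", "plus", "web3"}

def normalize(title: str) -> str:
    """Lower-case, split CamelCase ("LeddgerNew" -> "Leddger New"), drop punctuation and filler."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", title)
    tokens = [t for t in re.findall(r"[a-z0-9]+", spaced.lower()) if t not in NOISE_WORDS]
    return "".join(tokens)

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small non-zero value between distinct names is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

BRANDS = {normalize(b): b for b in WALLET_BRANDS}

def classify(title: str):
    """Return (verdict, brand): 'exact' still needs a publisher check, 'lookalike' is a typosquat candidate."""
    name = normalize(title)
    if name in BRANDS:
        return "exact", BRANDS[name]
    best = None
    for key, brand in BRANDS.items():
        dist = levenshtein(name, key)
        # Tolerate one edit per four characters of the brand, or the brand embedded in a longer name.
        if dist <= max(1, len(key) // 4) or (len(key) >= 5 and key in name):
            if best is None or dist < best[0]:
                best = (dist, brand)
    return ("lookalike", best[1]) if best else ("unrelated", None)

# Constructed sample listings, not real App Store data.
SAMPLE_LISTINGS = ["LeddgerNew", "MetaMask Wallet", "Coinbasse Pro", "Daily Task Planner"]

def flag_listings(titles):
    """Keep only titles that resemble a known wallet brand, with the verdict attached."""
    return [(t, *classify(t)) for t in titles if classify(t)[0] != "unrelated"]

if __name__ == "__main__":
    for title, verdict, brand in flag_listings(SAMPLE_LISTINGS):
        print(f"{title!r}: {verdict} -> {brand}")
```

An "exact" hit is not proof of legitimacy; it only says the title matches a brand, so the publisher and developer account still need to be checked.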

Analysts found multiple technical approaches in the FakeWallet samples. Some versions included a malicious library injection, while others appeared to be direct modifications of original app source code. Puzan noted the operators produced a range of modules for different wallet targets.

The primary objective was the theft of mnemonic seed phrases for both hot and cold wallets. Operators captured these mnemonics by hooking the code that handles the recovery-seed input screen or by serving phishing pages that asked users to enter their phrases as part of a supposed verification. Captured phrases were sent to external servers, enabling operators to gain control of wallets and move funds. Some infected apps contained an optical character recognition module to extract seed phrases from images.

Kaspersky flagged technical and linguistic similarities between FakeWallet and the SparkKitty trojan activity observed the previous year, including language patterns consistent with native Chinese speakers and a focus on cryptocurrency assets. Kaspersky found no evidence that the fake wallets were distributed via the Google Play Store.

Separately, security firm Cyble disclosed an Android malware framework dubbed MiningDropper, also tracked as BeatBanker. MiningDropper is a modular delivery platform that combines cryptocurrency mining with information theft, remote access, and banking malware. Cyble reported the framework was distributed through a trojanized build of an open-source Android project and via fake websites impersonating banks and regional transport offices. The framework uses multi-stage payload delivery with XOR-based native obfuscation, AES-encrypted staging, dynamic DEX loading and anti-emulation techniques, which Cyble said complicate static analysis and let operators reuse the distribution framework while changing the final payload.

Kaspersky and other security firms recommend that cryptocurrency users verify app names and publishers carefully, enable two-factor authentication where available, and never enter recovery phrases into web pages or third-party prompts. Hardware wallet providers and official wallet services rarely request users to re-enter mnemonic phrases for routine checks; requests to do so should be treated as suspicious.