26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases

26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases

Cybersecurity researchers from Kaspersky discovered 26 malicious apps on the Apple App Store that impersonate popular cryptocurrency wallets to steal recovery phrases and private keys. The apps, dubbed FakeWallet, have been active since at least fall 2025 and mimic wallets including Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet.

Once launched, these apps redirect users to browser pages designed to look like the App Store and distribute trojanised versions of legitimate wallets. The malware captures mnemonic phrases by hooking code responsible for the recovery phrase screen or by serving phishing pages as part of a supposed verification step. The stolen phrases are exfiltrated to an external server, allowing operators to drain victims’ cryptocurrency assets or initiate fraudulent transactions.

Kaspersky suspects the campaign may be linked to the SparkKitty trojan campaign from last year, with both appearing to be the work of native Chinese speakers targeting cryptocurrency assets. The apps were specifically available if a user had their Apple account set to China, and many have since been removed by Apple following disclosure. There is no evidence that these apps were distributed via the Google Play Store.

This incident demonstrates that even curated app stores are not immune to malicious applications. The use of intentional typos in app names and legitimate-looking enterprise provisioning profiles shows an evolution in mobile malware tactics. Users should verify wallet apps carefully and be wary of any app requesting recovery phrases outside of legitimate setup flows.

Click here for the original article.