VYPR
breach · Published Apr 24, 2026 · Updated May 18, 2026 · 1 source

26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases

Kaspersky researchers have uncovered 26 malicious apps on the Apple App Store that impersonate popular cryptocurrency wallets to steal recovery phrases and private keys, marking a significant escalation in iOS-targeted crypto theft.

Kaspersky researchers have identified 26 malicious applications on the Apple App Store, collectively dubbed FakeWallet, that impersonate popular cryptocurrency wallets such as MetaMask, Ledger, Coinbase, and Trust Wallet. The campaign, active since at least fall 2025, is designed to steal recovery phrases and private keys, enabling attackers to drain victims' cryptocurrency holdings. Apple has removed many of the apps following disclosure, but the discovery highlights a growing sophistication in iOS-targeted crypto-theft operations.

The apps use a variety of deceptive techniques to lure victims. Many employ typosquatted names — such as "LeddgerNew" — and icons that closely mimic legitimate wallets. In some cases, the apps have no visible connection to cryptocurrency at all, instead presenting themselves as games, calculators, or task planners. Once launched, these decoy apps redirect users to a browser page that mimics the App Store and distributes a trojanized version of the real wallet app, often claiming the original is "unavailable in the App Store" due to regulatory reasons.
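A defender reviewing a managed-device app inventory can flag lookalike names such as "LeddgerNew" by comparing each name against the wallet brands listed above. The following is an added example, not code from Kaspersky or from the original article; the function names, the one-edit threshold and the sample inventory are assumptions made for illustration.

```python
import re

# Wallet brands named in the article; extend with your own allow-list.
BRANDS = ["MetaMask", "Ledger", "Coinbase", "Trust Wallet"]

def normalize(name):
    """Lowercase and keep letters only, so spacing and punctuation tricks vanish."""
    return re.sub(r"[^a-z]", "", name.lower())

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def best_window_distance(name, brand):
    """Smallest distance between the brand and any substring of similar length."""
    best = len(brand)
    for size in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(0, max(len(name) - size, 0) + 1):
            best = min(best, edit_distance(name[start:start + size], brand))
    return best

def classify(app_name, max_typos=1):
    """Return (brand, verdict) for a lookalike name, or None if no brand is close."""
    name = normalize(app_name)
    for brand in BRANDS:
        target = normalize(brand)
        if name == target:
            return (brand, "exact-name: verify publisher")
        dist = best_window_distance(name, target)
        if dist == 0:
            return (brand, "contains-brand: verify publisher")
        if dist <= max_typos:
            return (brand, "typosquat-candidate")
    return None

# Constructed inventory rows; only "LeddgerNew" is a name quoted in the article.
SAMPLE_INVENTORY = ["LeddgerNew", "MetaMask", "Coinbase Pro Tools", "Calculator Plus"]

def scan(inventory):
    """Map each installed app name to its verdict (None means no brand match)."""
    return {app: classify(app) for app in inventory}
```

Name similarity only covers the typosquatting case: the decoy apps that pose as games, calculators or task planners carry no brand in their name and need a different signal, such as the publisher or the app's network behaviour.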

Technically, the malware is delivered either via malicious library injection or by modifying the original app source code. Once installed, the infected app hooks into the code responsible for the screen where users enter their recovery phrase, or serves a phishing page that asks victims to enter their mnemonics as part of a supposed verification step. The stolen seed phrases are exfiltrated to attacker-controlled servers, allowing the operators to seize control of wallets and drain cryptocurrency assets or initiate fraudulent transactions.

Kaspersky noted that the campaign may be linked to the SparkKitty trojan operation from last year. Several of the infected apps include a module that uses optical character recognition (OCR) to steal wallet recovery phrases from screenshots, a technique also seen in SparkKitty. Both campaigns appear to be the work of native Chinese speakers and specifically target cryptocurrency assets. The researchers also identified similar apps that do not yet have malicious features enabled but are likely staged for future attacks, using enterprise provisioning profiles to install wallet apps on victims' devices.

The FakeWallet campaign represents a significant evolution in iOS malware. Previous crypto-theft schemes on iOS relied on bogus websites and provisioning profiles to trick users into sideloading apps. By contrast, FakeWallet apps were directly available from the official App Store, bypassing the trust barrier that sideloading creates. Kaspersky warned that the attackers are "gaining momentum by employing new tactics, ranging from delivering payloads via phishing apps published in the App Store to embedding themselves into cold wallet apps and using sophisticated phishing notifications."

Apple has not publicly commented on the takedown, but the incident underscores the persistent threat to cryptocurrency users even on Apple's curated platform. Users are advised to verify app developers carefully, avoid apps with unusual names or icons, and never enter recovery phrases into any app or website that requests them unprompted. The discovery also raises questions about Apple's app review process and its ability to detect malicious code that is only activated after installation.

This campaign is the latest in a series of high-profile crypto-theft operations targeting mobile users. As cryptocurrency adoption grows, attackers are investing in more sophisticated techniques to bypass platform security controls. The FakeWallet campaign demonstrates that even the App Store's walled garden is not immune to well-crafted social engineering and code injection attacks.

Synthesized by Vypr AI