VYPR · breach
Published Apr 20, 2026 · Updated May 18, 2026 · 1 source

FakeWallet Crypto Stealer Campaign Hits Apple App Store with Over 20 Phishing Apps

Kaspersky researchers have uncovered over 20 phishing apps in the Apple App Store that masquerade as legitimate crypto wallets and use iOS provisioning profiles to install trojanized wallet versions that steal recovery phrases and private keys.

Kaspersky researchers have uncovered a widespread crypto-stealing campaign that planted over 20 phishing apps in the Apple App Store, all designed to steal cryptocurrency wallet recovery phrases and private keys from iOS users. The apps, discovered in March 2026, masquerade as popular wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. Once launched, the apps redirect users to browser pages that distribute trojanized versions of legitimate wallets via iOS provisioning profiles, a technique that bypasses Apple's standard app review process.

The campaign has been active since at least fall 2025, according to metadata from the malware. The attackers specifically targeted users in China, where many official crypto wallet apps are unavailable due to regional restrictions on Apple IDs set to the Chinese region. Scammers exploited this gap by launching fake apps using icons that mirror the originals and names with intentional typos — a tactic known as typosquatting — to slip past App Store filters and increase their chances of deceiving users.

In some cases, the app names and icons had nothing to do with cryptocurrency, but promotional banners within the apps claimed that the official wallet was "unavailable in the App Store" and directed users to download it through the app instead. The phishing apps featured stubs — functional placeholders that mimicked a legitimate service, such as a game, calculator, or task planner — designed to make the app appear authentic. However, once launched, the app would open a malicious link in the browser, kicking off a scheme that leverages provisioning profiles to install infected versions of crypto wallets onto the victim's device.

The attackers developed a wide variety of malicious modules, each tailored to a specific wallet. In most cases, the malware is delivered via a malicious library injection, though researchers also found builds where the app's original source code was modified. To embed the malicious library, the hackers injected load commands into the main executable, a standard trick to expand an app's functionality without a rebuild. Once the library is loaded, the dyld linker triggers initialization functions that swap out legitimate class methods for malicious versions.

For instance, a malicious library named libokexHook.dylib was found embedded in a modified version of the Coinbase app. It hijacks the original viewDidLoad method within the RecoveryPhraseViewController class — the part of the code responsible for the screen where the user enters their recovery phrase. The compromised method scans the screen to hunt for mnemonics (the individual words that make up the seed phrase), extracts the data, encrypts it using RSA with the PKCS #1 scheme, encodes it into Base64, and sends it — along with metadata like the malicious module type, the app name, and a unique identification code — to the attackers' server.
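The injection described in the two paragraphs above leaves a visible trace: the main executable gains a load command naming a library that the unmodified build never loaded. The following triage helper is an added example, not Kaspersky's tooling or anything from the campaign. It parses the load commands of a 64-bit thin Mach-O executable, lists every library dyld will map, and reports any path absent from a known-good baseline taken from an unmodified copy of the same app. The sample binary, its library list and the baseline are constructed here; only the injected library's name, libokexHook.dylib, comes from the report.

```python
"""Mach-O load-command triage: list dylib load commands and diff them against
a known-good baseline. Added example; the sample binary is constructed."""
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O magic
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2

# Load-command values from <mach-o/loader.h>; LC_REQ_DYLD flags commands
# that dyld must understand rather than skip.
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_LOAD_UPWARD_DYLIB = 0x23 | LC_REQ_DYLD
DYLIB_LOAD_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB,
                       LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}

MACH_HEADER_64_SIZE = 32
DYLIB_COMMAND_FIXED_SIZE = 24     # cmd, cmdsize, name offset, timestamp, 2 versions


def _dylib_command(cmd, path):
    """Encode one dylib_command: fixed fields, then the NUL-terminated path,
    with the whole command padded to an 8-byte multiple as the loader expects."""
    name = path.encode() + b"\0"
    cmdsize = DYLIB_COMMAND_FIXED_SIZE + len(name)
    cmdsize += (-cmdsize) % 8
    fixed = struct.pack("<IIIIII", cmd, cmdsize, DYLIB_COMMAND_FIXED_SIZE,
                        2, 0x00010000, 0x00010000)
    return (fixed + name).ljust(cmdsize, b"\0")


def build_sample_macho(dylib_paths):
    """Constructed minimal arm64 executable: header plus dylib load commands only."""
    cmds = b"".join(_dylib_command(LC_LOAD_DYLIB, p) for p in dylib_paths)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         len(dylib_paths), len(cmds), 0, 0)
    return header + cmds


def list_dylibs(data):
    """Return the library path from every dylib load command, in file order."""
    if len(data) < MACH_HEADER_64_SIZE:
        raise ValueError("file too small for a Mach-O header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only little-endian 64-bit thin Mach-O is handled here "
                         "(split a fat binary into slices first)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = MACH_HEADER_64_SIZE + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    paths, offset = [], MACH_HEADER_64_SIZE
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd in DYLIB_LOAD_COMMANDS:
            name_off, = struct.unpack_from("<I", data, offset + 8)
            if name_off >= cmdsize:
                raise ValueError("dylib name offset outside its command")
            raw = data[offset + name_off:offset + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        offset += cmdsize
    return paths


def unexpected_dylibs(data, baseline):
    """Libraries loaded by `data` that the known-good baseline never loaded."""
    return [p for p in list_dylibs(data) if p not in baseline]


# Baseline from an unmodified build (constructed list for this example).
BASELINE = {
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/Foundation.framework/Foundation",
    "/System/Library/Frameworks/UIKit.framework/UIKit",
}
# Constructed "trojanized" sample: the baseline plus one injected library,
# named after the one reported in the campaign.
SAMPLE_TROJANIZED = build_sample_macho(sorted(BASELINE) + ["@rpath/libokexHook.dylib"])

if __name__ == "__main__":
    for path in list_dylibs(SAMPLE_TROJANIZED):
        print(("INJECTED " if path not in BASELINE else "baseline ") + path)
```

To use it on a real sample, unzip the IPA and pass the bytes of Payload/<App>.app/<App> to list_dylibs, with the baseline built from the same binary in a copy obtained from the App Store. The diff against a baseline is the reliable signal; path heuristics alone are not, because legitimate apps load their own @rpath frameworks. The check does not cover libraries opened at runtime via dlopen, nor the builds the report mentions where the app's source code itself was modified, and a fat binary must be split into architecture slices first.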

Kaspersky has reported all findings to Apple, and several of the malicious apps have already been pulled from the store. The company also identified several similar apps that didn't have any phishing functionality yet but showed every sign of being linked to the same threat actors. Kaspersky detects the threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*.

This campaign echoes a similar scheme observed in 2022 by ESET researchers, who spotted compromised crypto wallets distributed through phishing sites. By abusing iOS provisioning profiles to install malware, attackers were able to steal recovery phrases from major hot wallets. Four years later, the same crypto-theft scheme is gaining momentum again, now featuring new malicious modules, updated injection techniques, and distribution through phishing apps in the App Store. The use of enterprise provisioning profiles — originally designed for companies to deploy internal apps to employees without going through the App Store — remains a favorite tool for malware distributors, as it allows them to bypass Apple's review process entirely.
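Because the distribution path above runs through a provisioning profile rather than App Store review, the profile an app carries is worth inspecting during triage. The helper below is an added example, not part of the original report: a sideloaded app keeps its profile at Payload/<App>.app/embedded.mobileprovision, a CMS (PKCS#7) blob whose signed content is an XML plist. An enterprise (in-house) profile carries the ProvisionsAllDevices key, while an ad-hoc or development profile lists specific device UDIDs under ProvisionedDevices. The sample profile, its team name and its application identifier are constructed; the CMS signature is skipped, not verified.

```python
"""Classify the provisioning profile embedded in an iOS app bundle.
Added example; the sample .mobileprovision below is constructed."""
import datetime
import plistlib


def extract_profile_plist(raw):
    """Locate the XML plist inside the CMS wrapper by its markers.
    This does not verify the signature; it only reads the signed content."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start == -1 or end == -1:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify_profile(profile, now):
    """Summarise the facts a reviewer wants: profile type, team, validity,
    and whether the entitlements are unusually broad."""
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"          # installs on any device, no review
    elif "ProvisionedDevices" in profile:
        kind = "device-limited"      # ad-hoc or development, UDID-bound
    else:
        kind = "other-distribution"
    entitlements = profile.get("Entitlements", {})
    app_id = entitlements.get("application-identifier", "")
    return {
        "kind": kind,
        "team": profile.get("TeamName", "<unknown>"),
        "expired": profile["ExpirationDate"] < now,
        "wildcard_app_id": app_id.endswith("*"),
        "debuggable": bool(entitlements.get("get-task-allow", False)),
    }


def triage_mobileprovision(raw, now=None):
    """Convenience wrapper: raw .mobileprovision bytes in, summary dict out."""
    now = now or datetime.datetime.utcnow()
    return classify_profile(extract_profile_plist(raw), now)


# Constructed enterprise profile; team and identifiers are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Constructed Enterprise Profile</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>CreationDate</key><date>2025-10-01T00:00:00Z</date>
  <key>ExpirationDate</key><date>2026-10-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLETEAMID.*</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""
# Constructed stand-in for the CMS wrapper: opaque bytes around the plist.
SAMPLE_MOBILEPROVISION = b"\x30\x82\x10\x00" + b"\x00" * 24 + SAMPLE_PLIST + b"\x00" * 48

if __name__ == "__main__":
    report = triage_mobileprovision(SAMPLE_MOBILEPROVISION,
                                    datetime.datetime(2026, 4, 20))
    for key, value in report.items():
        print(f"{key:16} {value}")
```

An enterprise profile with a wildcard application identifier on an app that presents itself as a consumer wallet is the combination the article's scheme depends on, so that pairing is what the summary surfaces. Signature verification and the certificate chain back to Apple are left to tools such as security(1) or openssl(1); this helper only reads the claims the profile makes.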

Synthesized by Vypr AI