Cyber Web Spider Blog – News

26 Malicious Apps on Apple Store Targeting Crypto Wallets

Posted on April 24, 2026 By CWS

Introduction

Cybersecurity experts have uncovered 26 malicious apps on the Apple App Store that impersonate popular cryptocurrency wallets, aiming to steal sensitive recovery phrases and private keys. Known as FakeWallet, these apps have been active since at least fall 2025, according to Kaspersky researcher Sergey Puzan. The apps mimic well-known wallets such as Bitpie, Coinbase, and Ledger, with many now removed by Apple following disclosure.

Methods of Attack

The FakeWallet apps deceive users by opening browser pages that resemble the App Store and distribute trojanized versions of legitimate wallet apps. The trojanized apps hijack recovery phrases and private keys, which poses a significant threat to cryptocurrency security. The apps have been accessible on Apple’s platform when a user’s account is set to China, but they have not been available via the Google Play Store.

Deceptive Tactics

These apps employ icons similar to their genuine counterparts, with subtle misspellings in names to mislead users. For instance, names like ‘LeddgerNew’ are used to trick users into downloading fraudulent apps. Some apps even disguise themselves as unrelated services, such as games or calculators, redirecting users to download the official app under the guise of regulatory restrictions.
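A defender reviewing an installed-app inventory can screen for this naming trick. The sketch below is an added example, not code from Kaspersky or from the article; the brand list uses only the wallets named above, and the function names and the edit-distance threshold of 1 are assumptions chosen for illustration.

```python
import re

# Brands named in the article; extend with the wallets your users rely on.
BRANDS = ("bitpie", "coinbase", "ledger")

def normalize(name):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def collapse(s):
    """Squash runs of a repeated character: 'leddger' -> 'ledger'."""
    return re.sub(r"(.)\1+", r"\1", s)

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(app_name, brands=BRANDS):
    """Return ('exact'|'lookalike', brand) or ('clean', None).

    'exact' means the brand appears verbatim, so the publisher still has
    to be verified; 'lookalike' means it appears only after undoing a
    doubled letter or within one edit (threshold is an assumption).
    """
    n = normalize(app_name)
    for brand in brands:
        if brand in n:
            return ("exact", brand)
    for brand in brands:
        if collapse(brand) in collapse(n):
            return ("lookalike", brand)
        # Slide windows of brand length +/- 1 over the name.
        for size in (len(brand) - 1, len(brand), len(brand) + 1):
            for start in range(0, max(len(n) - size, 0) + 1):
                if edit_distance(n[start:start + size], brand) <= 1:
                    return ("lookalike", brand)
    return ("clean", None)

if __name__ == "__main__":
    # 'LeddgerNew' is from the article; the other names are constructed.
    for name in ("LeddgerNew", "Coinbaze Wallet", "Ledger Live", "Calculator Pro"):
        print(name, "->", classify(name))
```

A 'clean' verdict says nothing about the disguised apps described above, which pose as games or calculators; those have to be caught by what they do after launch, not by their name.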

According to Kaspersky, several of these apps, likely from the same threat actors, do not possess overtly malicious features but mimic benign services. Once launched, these apps open web browser links and use enterprise provisioning profiles to install wallet apps on devices, illustrating the sophistication of these attacks.

Implications and Future Outlook

The primary objective of these threats is to extract mnemonic phrases from both hot and cold wallets, providing attackers with control over victims’ crypto assets. Suspects linked to the SparkKitty trojan campaign are believed to be behind these attacks, utilizing techniques like optical character recognition for phrase theft.

Kaspersky warns that the FakeWallet campaign is accelerating, leveraging new strategies to ensnare users through phishing apps and notifications, targeting cryptocurrency holdings specifically. This ongoing threat highlights the necessity for heightened vigilance and improved security measures in safeguarding digital assets.

Related Threats: MiningDropper Framework

Simultaneously, Cyble has identified a sophisticated Android malware delivery system called MiningDropper. This framework, also known as BeatBanker, merges cryptocurrency mining with information theft, remote access, and banking malware, targeting users in India, Latin America, Europe, and Asia.

The MiningDropper framework employs advanced techniques such as XOR-based native obfuscation and AES-encrypted payload staging, demonstrating a modular architecture that complicates analysis while allowing threat actors to tailor their attacks. This underscores the adaptability of cyber threats and the ongoing need for robust defenses.
