More than twenty fraudulent cryptocurrency applications have been identified on Apple’s App Store, targeting iOS users globally, according to a report by cybersecurity firm Kaspersky.
This malicious operation, known as FakeWallet, has been in progress since at least the fall of 2025. Its primary objective is to steal users’ recovery phrases and private keys, essential components for accessing digital wallets.
The fake apps came to light in March, after they began appearing frequently in search results in the Chinese App Store.
Deceptive Tactics and Impact
Due to restrictions in China that limit access to many legitimate wallet applications, cybercriminals have resorted to mimicking popular app names and icons. This technique, known as typosquatting, tricks users into downloading what they believe to be authentic software.
Some of these applications do not carry recognizable cryptocurrency names or icons but use enticing banners to lure users into downloading them, promising access to official wallets otherwise unavailable on the App Store.
Kaspersky identified 26 phishing applications that imitate renowned wallets such as Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet.
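As an added illustration (not code from the Kaspersky report or the article), a small triage script that flags App Store listing names resembling the wallet brands named above but offered by a seller other than the brand's known publisher; the confusable map, the sample listings and the seller strings are constructed assumptions:

```python
import re
import unicodedata
# Wallet brands named in the Kaspersky report (from the article above).
KNOWN_WALLETS = ["Bitpie", "Coinbase", "imToken", "Ledger",
                 "MetaMask", "TokenPocket", "Trust Wallet"]
# Assumed, hand-picked confusables: digits/symbols and Cyrillic homoglyphs used in lookalikes.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def normalize(name):
    # Fold case, accents, spacing and confusables so lookalike names collide.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = "".join(CONFUSABLES.get(c, c) for c in text)
    return re.sub(r"[^a-z0-9]", "", text)

def levenshtein(a, b):
    # Plain edit distance (insert/delete/substitute).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_matches(app_name, max_distance=1):
    # Every known brand this listing name resembles, with the reason.
    n = normalize(app_name)
    hits = []
    for brand in KNOWN_WALLETS:
        b = normalize(brand)
        if n == b:
            hits.append((brand, "identical after normalization"))
        elif b in n:
            hits.append((brand, "brand embedded in longer name"))
        elif levenshtein(n, b) <= max_distance:
            hits.append((brand, "within edit distance"))
    return hits

def triage(listings, genuine_sellers):
    # Flag (name, seller) pairs that resemble a brand but come from a seller
    # other than the brand's known publisher; a name match alone is not proof.
    return [(name, seller, brand, reason) for name, seller in listings
            for brand, reason in brand_matches(name)
            if genuine_sellers.get(brand) != seller]
# Constructed sample listing; sellers are placeholders, not real publishers.
SAMPLE_LISTINGS = [("MetaMask", "<genuine MetaMask seller>"), ("Meta Mask Wallet", "Unknown Dev Ltd"),
                   ("Trust Wa11et", "Unknown Dev Ltd"), ("Ledger Live Pro", "Unknown Dev Ltd"),
                   ("Coinb\u0430se", "Unknown Dev Ltd"), ("Notes Plus", "Unknown Dev Ltd")]
SAMPLE_SELLERS = {"MetaMask": "<genuine MetaMask seller>"}
```

Running `triage(SAMPLE_LISTINGS, SAMPLE_SELLERS)` flags the four lookalikes and leaves the genuine listing and the unrelated app alone; the flagged entries are review candidates, not verdicts.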
Technical Analysis and Findings
Further investigation revealed that some applications, although not initially phishing-enabled, were potentially linked to the same threat actor and could activate malicious features in future updates.
The phishing apps were designed to open browser links that prompt users to install infected versions of crypto wallets. The malicious code was delivered either through bundled libraries or embedded directly in the wallet's source code.
Code analysis showed functions that capture users' recovery and seed phrases and intercept the restore flow when users attempted to restore their hot wallets. Cold wallets were also targeted, through two Ledger implants.
Broader Implications and Response
Kaspersky also discovered a website impersonating the official Ledger site, hosting links to these fraudulent applications. Additionally, compromised wallet apps for Android were distributed through Chinese-language phishing pages outside of the Google Play Store.
Although initially targeting Chinese speakers, the malicious software does not have regional limitations and can adapt to different languages, indicating a potential threat to users worldwide.
The perpetrators of the FakeWallet campaign appear to be connected to the SparkKitty malware, based on similarities in their distribution methods and focus on cryptocurrency wallets.
Apple has been informed of these malicious applications and has begun removing them from the App Store to protect its users.
