Cybersecurity researchers at Kaspersky have identified 26 malicious apps on the Apple App Store designed to impersonate popular cryptocurrency wallets and steal user recovery phrases and private keys.

Key Points

• The "FakeWallet" campaign has targeted users since fall 2025 by mimicking brands like Coinbase, MetaMask, Ledger, and Trust Wallet.
• Attackers used intentional typos in app names and placeholder apps to trick users into downloading trojanized software.
• Malicious apps exfiltrate mnemonic phrases via phishing pages, code hooking, or optical character recognition (OCR) to drain victim assets.
• Some apps were distributed directly through the Apple App Store for users in China, while others utilized enterprise provisioning profiles.
• Kaspersky researchers suspect the campaign may be linked to the previous SparkKitty trojan operation due to shared tactics and language markers.

Why it Matters

This campaign highlights a significant security vulnerability in mobile app distribution, as attackers successfully bypassed official vetting processes to target high-value cryptocurrency assets. The sophisticated use of both App Store listings and enterprise profiles demonstrates an evolving threat landscape that requires users to exercise extreme caution when downloading financial applications.