SecurityWeek

Dozens of Malicious Crypto Apps Land in Apple App Store


Over two dozen fake cryptocurrency applications targeting iOS users have been published to the Apple App Store, Kaspersky reports.

The malicious campaign, dubbed FakeWallet, has been ongoing since at least the fall of 2025, focused on stealing users’ recovery phrases and private keys.

The apps, Kaspersky says, were first noticed in March, after they started to frequently appear in search results on the Chinese App Store.

Because many official wallet applications are currently unavailable to users in China due to restrictions, threat actors have started mimicking their names and icons, using typosquatting to trick users into believing they are downloading legitimate software.

Although some of the apps did not use cryptocurrency-associated names or icons, they displayed banners enticing users to download the apps to access official wallets that were not available in the App Store.

Kaspersky identified a total of 26 such phishing applications that mimicked major wallets such as Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet.
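The name-mimicry described above is something an app-store monitoring team can screen for mechanically. The following is an added example, not code from Kaspersky or SecurityWeek: it folds visually confusable characters (digits, Cyrillic lookalikes, width and accent variants) to ASCII, then flags listing names that equal, sit within a small edit distance of, or embed one of the wallet brands named in the article. The brand list comes from the report; the candidate listing names and the homoglyph table are constructed for illustration.

```python
"""Flag app-store listing names that impersonate known wallet brands.

Added example (not Kaspersky's or SecurityWeek's code). The brand list is
taken from the article; the listing names and the homoglyph table below are
constructed for illustration.
"""
import unicodedata

# Wallet brands the article says were mimicked.
KNOWN_WALLETS = ["Bitpie", "Coinbase", "imToken", "Ledger", "MetaMask",
                 "TokenPocket", "Trust Wallet"]

# Constructed folding table: confusable characters -> the ASCII letter they imitate.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0455": "s",  # Cyrillic dze
    "\u0456": "i",  # Cyrillic byelorussian-ukrainian i
})


def normalize(name):
    """Casefold, strip accents and width variants, fold confusables, keep alphanumerics only."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.lower().translate(HOMOGLYPHS)
    return "".join(ch for ch in s if ch.isalnum())


def levenshtein(a, b):
    """Plain edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(listing_name, known=KNOWN_WALLETS, max_distance=2):
    """Return (verdict, brand) for one listing name.

    "exact"     - name is the brand itself (case aside); could be the real app
    "homoglyph" - name only equals the brand after confusable folding
    "lookalike" - within max_distance edits of a brand, or embeds a brand name
    "unrelated" - none of the above
    """
    n = normalize(listing_name)
    for brand in known:
        if listing_name.casefold() == brand.casefold():
            return "exact", brand
        if n == normalize(brand):
            return "homoglyph", brand
    best = None
    for brand in known:
        d = levenshtein(n, normalize(brand))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, brand)
    if best is not None:
        return "lookalike", best[1]
    for brand in known:  # e.g. "Ledger Live Wallet": brand embedded in a longer name
        if normalize(brand) in n:
            return "lookalike", brand
    return "unrelated", None


def scan(listings):
    """Classify every listing name; returns {name: (verdict, brand)}."""
    return {name: classify(name) for name in listings}


# Constructed sample listings, mixing the real brand with typical impersonation patterns.
SAMPLE_LISTINGS = [
    "MetaMask",
    "MetaM\u0430sk",        # Cyrillic a substituted for Latin a
    "Trust Wa11et",         # digits standing in for letters
    "TokenPockett",         # one extra character
    "Ledger Live Wallet",   # brand padded with extra words
    "Coinbas3",
    "Weather Now",
]

if __name__ == "__main__":
    for name, (verdict, brand) in scan(SAMPLE_LISTINGS).items():
        print(f"{name!r:26} {verdict:10} {brand}")
```

The substring rule is deliberately loose: a legitimate accounting app containing "Ledger" in its title will be flagged too, so a hit from this screen is a queue item for icon, developer-account and binary review, not a verdict on its own. Exact-name hits matter as well, since the article describes clones reusing the real brand's name where the official app is absent from the regional store.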


Additionally, the cybersecurity firm identified several other applications that did not include phishing functionality but were linked to the same threat actor.

“It’s highly likely that the malicious features were simply waiting to be toggled on in a future update,” Kaspersky says.

The phishing applications were designed to open a link in the browser in an attempt to trick the user into installing infected versions of crypto wallets. The malicious code was typically delivered via libraries, but in some cases, it was injected directly into the wallet’s source code.

Code analysis revealed functions to harvest users’ recovery (seed) phrases and to hijack the methods the app calls when users attempt to restore their hot wallets. The applications were also found to target cold wallets through two Ledger implants.

Kaspersky identified a website mimicking the official Ledger site hosting links to these applications, as well as compromised wallet apps for Android distributed through Chinese-language phishing pages, but not through the Play Store.

According to the cybersecurity firm, while the apps appear to target Chinese speakers, the malicious modules do not have built-in regional restrictions, and some phishing notifications were seen adapting to the app’s language, suggesting that users outside China could be targeted as well.

The threat actor responsible for the FakeWallet campaign appears linked to the SparkKitty malware that was uncovered in June last year, based on the distribution technique, focus on cryptocurrency wallets, Chinese log messages in the malicious modules, and the presence of SparkKitty modules in some applications.

Apple has been notified and has started removing the malicious apps.

Related: Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit

Related: Coruna iOS Exploit Kit Likely an Update to Operation Triangulation

Related: Apple Patches iOS Zero-Day Exploited in ‘Extremely Sophisticated Attack’

Related: New $150 Cellik RAT Grants Android Control, Trojanizes Google Play Apps
