China's Apple App Store infiltrated by crypto-stealing wallet apps
Security researchers have uncovered 26 fake crypto-wallet apps on Apple's App Store in China that impersonate wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey to steal seed phrases. The FakeWallet campaign, linked to SparkKitty, used typosquatting and spoofed branding, and disguised the apps as games or calculator apps to evade bans. These trojanized apps harvest mnemonic phrases during wallet setup, encrypt them, and transmit them to the attackers, who can then drain the wallets; the campaign also used phishing prompts to capture seed phrases for cold-storage devices. Although China-focused, the malware has no geographic limit. Apple removed all 26 apps after the disclosure; users should verify publishers and install only from official sources.

- Overview
  - A cluster of 26 malicious apps appeared in Apple's App Store, posing as well-known cryptocurrency wallets.
  - Targeted wallets included popular options such as MetaMask, Coinbase, Trust Wallet, and OneKey.
  - The primary objective was to steal recovery (seed) phrases and drain funds from compromised wallets.
  - The campaign used deception techniques such as typosquatting and fake branding to lure users in China.
  - Because official crypto apps are restricted in China, the attackers disguised the fraudulent offerings as games or calculator apps to bypass censorship.
- Campaign Identification and Attribution
  - Kaspersky researchers identified all 26 fake apps as part of a single campaign, labeled FakeWallet.
  - The FakeWallet operation is linked to the ongoing SparkKitty campaign, which has been active since the previous year.
  - The attack chain includes redirects to phishing pages designed to resemble legitimate crypto service portals.
- Delivery and Lure Tactics
  - The malware relied on iOS provisioning profiles to sideload trojanized wallet apps onto users' devices.
  - Provisioning profiles are a legitimate enterprise feature, which the threat actors abused to bypass standard app installation controls.
  - Similar provisioning-based delivery was observed in the earlier SparkKitty activity.
  - Once installed, the apps directed users to counterfeit sites that harvest seed phrases and other sensitive data.
- In-App Phishing and Seed Phrase Interception
  - The trojanized apps contained additional code that intercepted mnemonic phrases during wallet setup or recovery flows.
  - Collected phrases were encrypted with RSA and Base64-encoded before being transmitted to the attacker.
  - For cold-wallet ecosystems (e.g., Ledger), the attackers used in-app phishing prompts to induce users to enter their seed phrases on fake security verification screens.
  - Seed phrases are intended solely for porting or recovering a wallet on a new device and require no extra confirmation or password; a captured phrase therefore lets an attacker reconstruct the victim's wallet and drain its funds.
- Geographic Focus and Global Risk
  - Kaspersky's observations indicate a primary focus on users in China.
  - The underlying malware, however, has no built-in geographic restrictions, so it could affect users worldwide if the operators broaden their targeting.
- Incident Response and Current Status
  - Following responsible disclosure, Apple removed all 26 FakeWallet apps from the App Store.
  - Security researchers highlighted the risk and explained the mechanisms; questions about how the apps bypassed App Store review had received no company response at the time of publication.
- Related Security Context
  - A separate incident in the same timeframe involved a fraudulent Ledger app on Apple's App Store that led to cryptocurrency losses of about $9.5 million from dozens of macOS users.
  - The broader ecosystem continues to see a pattern of counterfeit wallet interfaces and credential-harvesting tactics across multiple platforms.
- Technical and Visual Artifacts
  - Phishing pages were designed to imitate legitimate Ledger and other wallet portals, using familiar branding to lower users' skepticism.
  - Companion visuals in the security reports included fake onboarding and seed-phrase capture prompts, underscoring the social-engineering aspect of the attack.
- Campaign Scope and Future Risk
  - While current activity centers on China, the absence of geographic constraints in the malware suggests the potential for broader deployment.
  - The combination of typosquatting, provisioning-profile abuse, and seed-phrase phishing is a multifaceted threat that could resurface in other app-store ecosystems if not mitigated.
- Contextual Summary
  - The incident shows how legitimate mechanisms (app-store vetting and provisioning profiles) can be repurposed by adversaries to bypass protections.
  - It also illustrates the critical sensitivity of seed phrases, which, once captured, let attackers reconstruct and access wallets outside the victim's control.
  - The rapid removal of the malicious apps by the platform maintainer shows that app-store ecosystems remain responsive to such campaigns, even as new variants continue to emerge.
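As an added defensive example (not code from the report, from Kaspersky, or from any wallet vendor), the following Python flags app-store listings whose names approximate the wallet brands named above but come from a publisher outside an allowlist, which is the "verify the publisher" check in code form. The publisher names and the sample listings are constructed placeholders.

```python
import re
import unicodedata

# Official publisher per brand: CONSTRUCTED PLACEHOLDERS, not real developer names.
OFFICIAL_PUBLISHERS = {
    "metamask": {"PLACEHOLDER_METAMASK_PUBLISHER"},
    "coinbase": {"PLACEHOLDER_COINBASE_PUBLISHER"},
    "trustwallet": {"PLACEHOLDER_TRUSTWALLET_PUBLISHER"},
    "onekey": {"PLACEHOLDER_ONEKEY_PUBLISHER"},
}
# Look-alike substitutions commonly used to spoof a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

def normalize(name: str) -> str:
    """Lowercase, drop non-ASCII look-alikes (e.g. Cyrillic letters), map digit homoglyphs, collapse 'rn' to 'm', keep letters only."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(HOMOGLYPHS).replace("rn", "m")
    return re.sub(r"[^a-z]", "", folded)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(app_name: str, publisher: str, max_distance: int = 2):
    """Return (verdict, brand): 'official' for a brand-like name from an allowlisted publisher, 'suspicious' otherwise, else 'unrelated'."""
    norm = normalize(app_name)
    for brand, publishers in OFFICIAL_PUBLISHERS.items():
        # Compare the whole name and its brand-length prefix, so suffixes such as "Wallet" or "Pro" cannot hide a spoofed brand.
        candidates = (norm, norm[: len(brand)])
        if min(levenshtein(c, brand) for c in candidates) <= max_distance:
            return ("official" if publisher in publishers else "suspicious", brand)
    return ("unrelated", None)

# Constructed sample listings, not real App Store data.
SAMPLE_LISTINGS = [
    ("MetaMask", "PLACEHOLDER_METAMASK_PUBLISHER"),
    ("Metarnask Wallet", "Unknown Dev Ltd"),
    ("C0inbase Pro", "Unknown Dev Ltd"),
    ("Calculator Plus", "Unknown Dev Ltd"),
]

def scan(listings):
    """Return the names of listings flagged as suspicious."""
    return [n for n, p in listings if classify(n, p)[0] == "suspicious"]
```

Apps disguised as calculators or games, as this campaign also did, never match a brand name, so this check complements publisher verification and review of the app's permissions rather than replacing them.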