Fake Crypto Wallet Apps Found on Apple’s App Store
Kaspersky has flagged 26 fake crypto wallet apps on Apple’s App Store that were designed to steal recovery phrases and private keys, impersonating major wallet brands including MetaMask, Ledger, Trust Wallet, and Coinbase. The campaign, dubbed FakeWallet, highlights a persistent gap in app marketplace security that could leave iPhone users exposed to asset theft even on a platform widely considered safe.
Kaspersky Says 26 Fake Wallet Apps Reached Apple’s App Store
Kaspersky’s Securelist research team said it identified 26 phishing iOS apps in Apple’s App Store that impersonated well-known crypto wallets. The list of spoofed brands included MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie.
The FakeWallet campaign has likely been active since at least fall 2025, according to the report. That timeline suggests this was a sustained operation, not a one-off listing that slipped through review.
The fake apps used typosquatting and copied wallet icons, and disguised themselves as unrelated utilities such as calculators or games, to bypass App Store filters. Once installed, they redirected users toward credential-harvesting flows.
Attribution to SparkKitty Remains Unconfirmed
Kaspersky linked the FakeWallet campaign to a previously documented operation called SparkKitty based on code overlap, delivery techniques, and Chinese-language artifacts. However, the researchers described this attribution as moderate confidence rather than conclusive proof, so the connection should be treated as an investigative lead rather than an established fact.
How the FakeWallet Attack Flow Could Steal Recovery Phrases and Keys
The attack chain started inside the App Store itself. A user searching for a wallet app could encounter a convincing impostor listing with a familiar icon and a plausible name. The app itself was not the final weapon.
Phishing Pages and Provisioning Profiles Did the Heavy Lifting
Once opened, the malicious App Store app loaded a phishing page styled to look like a legitimate Apple page. That page pushed users to install a second, trojanized wallet app through iOS provisioning profiles, a sideloading mechanism that bypasses normal App Store distribution.
The trojanized app was built to intercept or phish recovery phrases and private keys. As Kaspersky threat researcher Sergey Puzan noted, “By paying a fee and setting up a developer account, the attackers can target any iOS device if the user succumbs.”
A Stolen Seed Phrase Gives Attackers Full Control
A recovery phrase, typically 12 or 24 words, is the master key to a crypto wallet. Anyone who obtains it can reconstruct the wallet on a different device and transfer all funds. Unlike a compromised password, a leaked seed phrase cannot be reset.
Ledger’s official anti-phishing page states that Ledger and its support staff will never ask for a 24-word recovery phrase, and that the only legitimate download path for the Ledger Wallet app is directly from ledger.com. App Store presence alone is not proof that a wallet app is genuine.
Apple Removed the Apps, but the Incident Exposes a Discovery and Review Gap
Apple acted on the findings before Kaspersky published. The company removed 25 of the 26 malicious apps ahead of the report’s release, later removed the last remaining app, and terminated the associated developer account.
Those removals reduced immediate exposure, but they do not answer a harder question: how did 26 fake wallet apps pass App Store review and reach search results in the first place?
Apple’s Own Numbers Show the Scale of the Problem
Apple’s May 2025 fraud summary said the company reviewed more than 7.7 million App Store submissions in 2024, rejected more than 1.9 million, and removed more than 37,000 apps for fraudulent activity. It also removed nearly 9,500 deceptive apps from search results.
Those figures are large, but the FakeWallet case shows that determined attackers can still exploit gaps, particularly in the Chinese App Store, where many official wallet apps are unavailable. That absence created a discovery vacuum that scammers filled with impostor listings, typosquatting their way into search results that real wallets could not occupy.
The incident is a reminder that platform-level enforcement and individual vigilance are both necessary. Broader questions about regulatory oversight of crypto platforms continue to surface across the industry as attack vectors multiply.
What the Incident Means for Crypto Users and What to Watch Next
No public victim count or confirmed loss total has been disclosed for the FakeWallet campaign. Without that data, the financial scale of the damage remains unknown.
The broader crypto market showed no significant reaction. Bitcoin traded around $78,625 at press time, up roughly 1.3% over 24 hours, while the Fear and Greed Index sat at 33, in “Fear” territory. The muted response aligns with the nature of the incident: this was a platform-security and distribution failure, not a protocol vulnerability or market-wide event.
Several watchpoints remain. Whether Apple discloses how the apps passed its review process could shape confidence in App Store security for financial applications. Wallet brands may issue fresh user alerts, and security researchers will be watching for similar campaigns targeting other app marketplaces. With institutional interest in Bitcoin continuing to grow, the attack surface for social engineering expands alongside adoption.
FAQ: How Can iPhone Users Spot Fake Crypto Wallet Apps?
Are all crypto wallet apps on the App Store safe?
No. The FakeWallet campaign demonstrated that malicious apps can pass App Store review by disguising themselves as unrelated utilities or using typosquatted names. Always verify the developer name, check the official wallet provider’s website for the correct download link, and be suspicious of apps with few reviews or a recent listing date.
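The name and developer checks described above can be automated for brand monitoring. The sketch below is an added example, not code from Kaspersky or any wallet vendor: it flags listing names that near-match the spoofed brands named in this article when the publisher differs from the expected one. The publisher strings are placeholders to be filled in from each vendor's own website, and the sample listings are constructed.

```python
import re

# Brands this article lists as impersonated. Publisher values are placeholders
# (assumption): fill them from each wallet vendor's own website.
BRANDS = {b: f"PUBLISHER-PLACEHOLDER-{i}" for i, b in enumerate(
    ["metamask", "ledger", "trustwallet", "coinbase",
     "tokenpocket", "imtoken", "bitpie"], 1)}
# Common look-alike substitutions: 0->o, 1->l, 3->e, 4->a, 5->s, $->s, @->a
CONFUSABLE = str.maketrans("01345$@", "oleassa")

def normalize(name):
    """Lowercase, undo look-alike characters, keep letters only."""
    return re.sub(r"[^a-z]", "", name.lower().translate(CONFUSABLE))

def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def closest_brand(name):
    """Slide brand-sized windows over the name; return (brand, distance) or None."""
    n, best = normalize(name), None
    for brand in BRANDS:
        limit = 1 if len(brand) < 8 else 2   # stricter for short brand names
        for size in (len(brand) - 1, len(brand), len(brand) + 1):
            for i in range(max(1, len(n) - size + 1)):
                d = edit_distance(n[i:i + size], brand)
                if d <= limit and (best is None or d < best[1]):
                    best = (brand, d)
    return best

def assess(name, developer):
    """Classify a listing as official, suspect, or not brand-related."""
    hit = closest_brand(name)
    if hit is None:
        return ("no-brand-match", None)  # disguised utilities land here
    brand = hit[0]
    return ("official" if developer == BRANDS[brand] else "suspect", brand)

if __name__ == "__main__":
    samples = [("MetaMask - Wallet", BRANDS["metamask"]),    # constructed
               ("MetaMaks Wallet", "Constructed Dev Ltd"),   # constructed
               ("C0inbase Wallet", "Constructed Dev Ltd"),   # constructed
               ("Scientific Calculator", "Constructed Dev Ltd")]
    for name, dev in samples:
        print(f"{name!r:28} {assess(name, dev)}")
```

The last sample returns no match: a listing disguised as a calculator or game carries no brand name, so name similarity alone does not catch it.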
What should I do if I entered my recovery phrase into a suspicious app?
Move your funds immediately. Use a trusted device and the official wallet app downloaded directly from the wallet provider’s website to create a new wallet with a new recovery phrase. Transfer all assets from the compromised wallet to the new one. A leaked recovery phrase cannot be changed; the only remedy is migration.
How can I verify I have the real wallet app?
Go directly to the wallet provider’s official website, such as metamask.io, ledger.com, or trustwallet.com, and follow the download link from there. Do not search the App Store by name alone. No legitimate wallet app or support channel will ever ask you to type your recovery phrase into a screen you did not initiate.
