FakeWallet Malware Surges in App Store: Crypto Thieves Exploit Regional Gaps

Breaking: Over 20 Phishing Apps Found on Apple App Store Stealing Crypto Wallet Keys

Security researchers have uncovered more than two dozen malicious apps on the Apple App Store that masquerade as legitimate cryptocurrency wallets. The apps, active since at least fall 2025, redirect users to fake App Store pages that deliver trojanized wallet software designed to steal recovery phrases and private keys.

Source: securelist.com

"This is a highly organized campaign that has evolved significantly from earlier iterations," said a Kaspersky security researcher. "The attackers are using new distribution methods through the official App Store itself, making them harder to spot."

How the Attack Works

Once a user installs one of these fake apps, it immediately redirects them to a browser page that mimics the App Store. That page then prompts the download of a trojanized version of a real wallet app—such as MetaMask, Ledger, or Trust Wallet.

"The fake apps often have convincing icons and names with minor typos, a technique known as typosquatting, to evade Apple’s review process," explained the researcher. The malicious payload then captures any recovery phrases or private keys entered by the user.

Background: A Resurgent Threat

The same attack pattern was first documented by ESET in 2022, when compromised wallets spread via phishing sites using iOS provisioning profiles. Now, four years later, the method has been revived with upgraded malicious modules and injection techniques.

Kaspersky is tracking the malware under the signatures HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*. The campaign appears to target Chinese App Store users because many official cryptocurrency wallet apps are region-restricted in China.

"Scammers are exploiting these restrictions by promoting fake versions that claim the real wallet is unavailable," the researcher noted. "They use stub apps—functional placeholders like simple games or calculators—to appear legitimate and bypass App Store checks."

Wallets Targeted

Investigators identified 26 phishing apps imitating these major wallets:

  • MetaMask
  • Ledger
  • Trust Wallet
  • Coinbase
  • TokenPocket
  • imToken
  • Bitpie

Apple has been notified, and several of the malicious apps have already been removed. However, security analysts warn that a second batch of similar apps has been found on the store that currently lacks phishing functionality—likely waiting to be activated in a future update.

What This Means

This discovery underscores a growing threat to mobile crypto users, even on Apple’s relatively locked-down platform. Attackers are now able to plant trojanized wallets directly on the App Store, bypassing many users’ trust in Apple’s vetting process.

"Users should always double-check the developer name, reviews, and download source before installing any wallet app," urged the Kaspersky researcher. And if an app immediately asks for recovery phrases or redirects you to a browser, it is almost certainly a scam.
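The typosquatting and developer-name checks described above can be automated when triaging store listings. The following is an added example, not code from the article or from Kaspersky: it flags app names that are a near miss on one of the wallet brands listed earlier, or that use the exact brand name under a publisher that is not on an allowlist. The edit-distance thresholds, the allowlist, and all listings and developer names are constructed assumptions.

```python
import unicodedata
# Wallet brands listed in the article.
BRANDS = ["MetaMask", "Ledger", "Trust Wallet", "Coinbase", "TokenPocket", "imToken", "Bitpie"]

def normalize(name):
    """Case-fold and keep ASCII letters/digits; non-ASCII look-alikes are dropped."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    return "".join(c for c in folded if c.isascii() and c.isalnum())

def substring_distance(pattern, text):
    """Smallest Levenshtein distance between pattern and any substring of text."""
    prev = [0] * (len(text) + 1)  # row 0 is all zeros: a match may start anywhere
    for i, pc in enumerate(pattern, 1):
        cur = [i]
        for j, tc in enumerate(text, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (pc != tc)))
        prev = cur
    return min(prev)

def classify(app_name, developer, expected_developers):
    """Return (verdict, brand); (None, None) when no brand name is close."""
    text = normalize(app_name)
    hits = []
    for brand in BRANDS:
        pattern = normalize(brand)
        dist = substring_distance(pattern, text)
        if dist <= (1 if len(pattern) < 8 else 2):  # assumed thresholds
            hits.append((dist, brand))
    if not hits:
        return (None, None)
    dist, brand = min(hits)
    if dist > 0:
        return ("typosquat", brand)  # near miss on a brand name
    expected = expected_developers.get(brand)
    if expected and developer.casefold() == expected.casefold():
        return ("official", brand)
    return ("unexpected-developer", brand)  # exact name, unverified publisher

# Constructed allowlist and listings (hypothetical, not real store data).
ALLOWLIST = {"Coinbase": "Constructed Official Publisher"}
LISTINGS = [
    ("MetaMaask - Crypto Wallet", "Constructed Dev A"), ("Trust Walet", "Constructed Dev B"),
    ("L\u0435dger", "Constructed Dev C"), ("imToken", "Constructed Dev D"),  # \u0435 is Cyrillic
    ("Coinbase", "Constructed Official Publisher"), ("Pocket Calculator", "Constructed Dev E"),
]

if __name__ == "__main__":
    for name, dev in LISTINGS:
        print(repr(name), "->", classify(name, dev, ALLOWLIST))
```

Short brand names with a threshold of 1 can still collide with ordinary words, so the output is a review queue, not a verdict.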

The incident also highlights how regional App Store restrictions create security risks by limiting access to official apps, forcing users toward unofficial alternatives that may be malicious. As cryptocurrency gains global adoption, such exploits are likely to become more frequent and sophisticated.
