Full Report
Cybersecurity researchers have discovered a set of malicious apps on the Apple App Store that impersonate popular cryptocurrency wallets in an attempt to steal recovery phrases and private keys since at least fall 2025. "Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distribute trojanized versions of legitimate wallets," Kaspersky
Analysis Summary
# Incident Report: FakeWallet Malicious App Campaign
## Executive Summary
A cluster of 26 malicious iOS applications, dubbed **FakeWallet**, was discovered on the Apple App Store impersonating popular cryptocurrency wallets such as MetaMask and Coinbase. The apps use browser redirects, trojanized libraries, and Optical Character Recognition (OCR) to steal mnemonic recovery phrases and private keys. The campaign, which primarily targets Chinese-speaking users, has been active since at least late 2025 and has resulted in the unauthorized exfiltration of digital assets.
## Incident Details
- **Discovery Date:** April 24, 2026 (Public Disclosure)
- **Incident Date:** Fall 2025 – Ongoing
- **Affected Organization:** Various (Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, Trust Wallet users)
- **Sector:** Financial Services / Cryptocurrency
- **Geography:** Primarily China (apps restricted to the Chinese App Store region)
## Timeline of Events
### Initial Access
- **Date/Time:** Fall 2025
- **Vector:** Authorized App Store Downloads
- **Details:** Attackers uploaded 26 apps to the official Apple App Store using typosquatting (e.g., "LeddgerNew") or benign placeholders (games, task planners) to bypass initial review.
### Lateral Movement
- **Details:** N/A - This was a client-side mobile attack focused on endpoint compromise rather than enterprise network lateral movement.
### Data Exfiltration/Impact
- **Details:** Malicious modules hooked local code or served phishing pages to capture mnemonic phrases. Stolen credentials were exfiltrated to attacker-controlled Command and Control (C2) servers, leading to the draining of user funds.
### Detection & Response
- **Discovery:** Identified by Kaspersky researchers (Sergey Puzan).
- **Response Actions:** Disclosure to Apple; many malicious apps were subsequently removed from the App Store.
## Attack Methodology
- **Initial Access:** App Store distribution; typosquatting and "bait-and-switch" benign apps.
- **Persistence:** App installation on iOS via official App Store and enterprise provisioning profiles.
- **Defense Evasion:** Use of benign placeholders (calculators/games); redirecting users to external browsers to install trojanized payloads via enterprise profiles.
- **Credential Access:** Hooking code responsible for recovery phrase entry; phishing pages; Optical Character Recognition (OCR) to read seed phrases from images.
- **Collection:** Stealing mnemonic phrases from both "hot" (mobile) and "cold" (linked hardware) wallet interfaces.
- **Exfiltration:** Sending captured seeds/keys to external servers.
- **Impact:** Fraudulent transactions and total loss of cryptocurrency assets.
## Impact Assessment
- **Financial:** Severe; direct theft of cryptocurrency assets from victims. Total volume undisclosed.
- **Data Breach:** Theft of private keys and mnemonic phrases (the "master keys" to crypto wallets).
- **Operational:** Disruption of user access to legitimate financial services.
- **Reputational:** Damage to the perceived security of the Apple App Store ecosystem and the impersonated wallet brands.
## Indicators of Compromise
- **File Indicators:** Trojanized versions of Ledger, MetaMask, Coinbase, and Trust Wallet apps.
- **Behavioral Indicators:** Apps requesting installation of "Enterprise Provisioning Profiles"; apps redirecting to browser pages immediately upon launch; suspicious typos in app names (e.g., LeddgerNew).
- **Network Indicators:** No attacker infrastructure is listed in this summary; the only URL given is the referenced research, hxxps://securelist[.]com/fakewallet-cryptostealer-ios-app-store/119474/ (Kaspersky Securelist).
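The name-based behavioral indicator above (suspicious typos such as "LeddgerNew") can be turned into an automated check over an inventory of app listings. The following Python script is an added example, not code from the report or from Kaspersky: it normalizes display names (CamelCase split, digit homoglyphs, filler words like "New" or "Pro"), measures edit distance to the impersonated wallet brands, and cross-checks the publisher. The developer names in `KNOWN_WALLETS` and the entries in `SAMPLE_LISTINGS` are constructed placeholders, not real App Store data.

```python
"""Lookalike-name check for app-store listings (added example, not from the report).

Flags listings whose name is, after normalization, identical to or within a few
edits of an impersonated wallet brand but published by an unexpected developer.
"""
import re
import unicodedata

# Brands impersonated in the FakeWallet campaign, mapped to the developer name a
# defender expects for the genuine app. The developer values are PLACEHOLDERS,
# not the real App Store developer names.
KNOWN_WALLETS = {
    "Bitpie": "BITPIE-DEV-PLACEHOLDER",
    "Coinbase": "COINBASE-DEV-PLACEHOLDER",
    "imToken": "IMTOKEN-DEV-PLACEHOLDER",
    "Ledger": "LEDGER-DEV-PLACEHOLDER",
    "MetaMask": "METAMASK-DEV-PLACEHOLDER",
    "TokenPocket": "TOKENPOCKET-DEV-PLACEHOLDER",
    "Trust Wallet": "TRUSTWALLET-DEV-PLACEHOLDER",
}

# Filler words impostors bolt onto a brand name ("LeddgerNew", "MetaMask Pro").
NOISE_WORDS = {"new", "pro", "wallet", "app", "plus", "lite", "live", "official"}

# Digits and symbols commonly substituted for look-alike letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a"})


def normalize(name: str) -> str:
    """Reduce a display name to a lowercase brand stem for comparison."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", " ", s)  # CamelCase split: "LeddgerNew" -> "Leddger New"
    s = s.translate(HOMOGLYPHS).lower()
    tokens = re.findall(r"[a-z]+", s)
    return "".join(t for t in tokens if t not in NOISE_WORDS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(listing: dict) -> dict:
    """Attach a verdict: legitimate, impersonation, typosquat or unrelated."""
    stem = normalize(listing["name"])
    brand, dist = min(
        ((b, osa_distance(stem, normalize(b))) for b in KNOWN_WALLETS),
        key=lambda t: t[1],
    )
    # Tolerate roughly one edit per four characters of the brand stem, never fewer than one.
    budget = max(1, len(normalize(brand)) // 4)
    if dist > budget:
        verdict = "unrelated"
    elif listing["developer"] == KNOWN_WALLETS[brand]:
        verdict = "legitimate"
    elif dist == 0:
        verdict = "impersonation"  # exact brand name, unexpected developer
    else:
        verdict = "typosquat"      # near-miss spelling, unexpected developer
    return {**listing, "matched_brand": brand if dist <= budget else None,
            "distance": dist, "verdict": verdict}


# Constructed sample listings (not real App Store data).
SAMPLE_LISTINGS = [
    {"name": "LeddgerNew", "developer": "Unknown Studio Ltd"},
    {"name": "MetaMask", "developer": "METAMASK-DEV-PLACEHOLDER"},
    {"name": "Metamask Wallet Pro", "developer": "Random Dev"},
    {"name": "Trust Wa11et", "developer": "Another Dev"},
    {"name": "Daily Task Planner", "developer": "Some Dev"},
]


def scan(listings: list) -> list:
    """Classify every listing in an inventory export."""
    return [classify(x) for x in listings]


if __name__ == "__main__":
    for r in scan(SAMPLE_LISTINGS):
        print(f'{r["name"]:<22} {r["verdict"]:<14} brand={r["matched_brand"]} d={r["distance"]}')
```

The "legitimate" verdict depends entirely on the developer allowlist, so keep that list current from the vendor's own site rather than from store search results; the edit budget is deliberately small because a benign placeholder app (a task planner, a game) should stay "unrelated" and be caught by other indicators, such as redirecting to a browser on launch.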
## Response Actions
- **Containment:** Removal of identified apps from the Apple App Store.
- **Eradication:** Revocation of malicious enterprise provisioning profiles used for side-loading.
- **Recovery:** Users advised to move funds immediately to new, untainted wallets if they interacted with suspicious apps.
## Lessons Learned
- **Bypassing Review:** Attackers can bypass App Store security by uploading benign apps and "activating" malicious behavior via server-side links or updates.
- **Phishing Evolution:** The use of OCR to steal phrases from screenshots or camera inputs indicates a sophisticated shift in mobile malware capabilities.
- **Regional Targeting:** Attackers exploited regional App Store restrictions (China) to trick users into downloading "workaround" apps that were actually malicious.
## Recommendations
- **Source Verification:** Only download financial apps through official website links provided by the wallet developer.
- **Profile Security:** Never install "Enterprise" or "Configuration" profiles from unverified web sources on iOS.
- **Zero Trust for Seeds:** Never enter a 12/24-word recovery phrase into any digital interface unless performing a manual recovery on a known-legitimate device.
- **Visual Auditing:** Carefully inspect app names and developer details for typos or inconsistencies before downloading.