Full Report
A set of 26 malicious apps on Apple App Store impersonate popular wallets, such as Metamask, Coinbase, Trust Wallet, and OneKey, to steal recovery or seed phrases and drain them of cryptocurrency assets. [...]
Analysis Summary
# Incident Report: Campaign "FakeWallet" - Malicious Crypto-Wallets on iOS
## Executive Summary
A sophisticated campaign involving 26 malicious apps successfully bypassed Apple App Store verification to target cryptocurrency users, primarily in China. The apps impersonated legitimate wallets (Metamask, Coinbase, Ledger) to steal seed phrases and drain assets. Apple has since removed the identified applications following discovery by Kaspersky.
## Incident Details
- **Discovery Date:** April 20, 2026 (Public disclosure)
- **Incident Date:** Active since 2025 (Associated with SparkKitty operation)
- **Affected Organization:** Users of Apple iOS devices
- **Sector:** Financial / Cryptocurrency
- **Geography:** Primarily China, with global potential
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since late 2025.
- **Vector:** Apple App Store (official marketplace).
- **Details:** Attackers uploaded 26 apps disguised as games or calculators to bypass regional restrictions and Apple’s review process. They used typosquatting and fake branding to lure users.
### Lateral Movement
- **Not applicable:** This was a direct-to-consumer mobile malware attack; the only "movement" was the redirection of victims from the fake apps to phishing portals and the installation of malicious iOS provisioning profiles.
### Data Exfiltration/Impact
- **Impact:** Seed phrases and recovery mnemonics were intercepted.
- **Mechanics:** Malicious code within the trojanized apps captured keystrokes/input during wallet setup, encrypted the captured data with RSA, Base64-encoded it, and transmitted it to attacker-controlled servers.
### Detection & Response
- **Detection:** Identified by Kaspersky researchers who linked the activity to the "SparkKitty" operation.
- **Response:** Responsible disclosure was made to Apple; all 26 identified apps were subsequently removed from the App Store.
## Attack Methodology
- **Initial Access:** App Store infiltration using deceptive categories (Games/Calculators) and typosquatting.
- **Persistence:** Abuse of iOS provisioning profiles (enterprise features) to sideload and maintain trojanized apps.
- **Defense Evasion:** Benign-to-malicious "bait and switch" (apps presented as calculators or games); exfiltrated data encrypted with RSA and Base64-encoded before transmission.
- **Credential Access:** Phishing screens and intercepted mnemonic phrases during wallet recovery/creation.
- **Collection:** Interception of manual inputs for seed phrases.
- **Exfiltration:** Data sent via HTTP/HTTPS to remote C2 after encryption.
- **Impact:** Unauthorized restoration of wallets on attacker devices and total drain of crypto-assets.
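The exfiltration step above (RSA-encrypted, Base64-encoded data posted over HTTP/HTTPS) leaves a recognisable shape on the wire. The following added example, which is not code from the report or from Kaspersky, shows a simple detection heuristic over constructed proxy log lines: it flags POST bodies that are strict Base64 decoding to exactly one RSA block, sent to hosts outside a (constructed) wallet-API allowlist. The log format, bundle identifiers, hostnames and the assumption of a single RSA-1024/2048/4096 block are all assumptions made for the example.

```python
import base64
import binascii

# Constructed allowlist of hosts a legitimate wallet app is expected to talk to.
ALLOWED_HOSTS = {"api.wallet.example", "rpc.wallet.example"}

# A single RSA-encrypted block is exactly the modulus length (RSA-1024/2048/4096).
# The report only says "RSA + Base64"; the block-size assumption is ours.
RSA_BLOCK_SIZES = {128, 256, 512}


def looks_like_rsa_blob(body: str) -> bool:
    """True if body is strict Base64 whose decoded length is one RSA block."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) in RSA_BLOCK_SIZES


def parse_line(line: str):
    """Constructed log format: '<bundle_id> <method> <host> <path> <body>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    bundle, method, host, path, body = parts
    return {"bundle": bundle, "method": method, "host": host, "path": path, "body": body}


def flag_suspicious(log_lines):
    """Return (bundle_id, host) for POSTs of RSA-sized blobs to non-allowlisted hosts."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["host"] in ALLOWED_HOSTS:
            continue
        if looks_like_rsa_blob(rec["body"]):
            hits.append((rec["bundle"], rec["host"]))
    return hits


# Constructed sample traffic: a fake "calculator" posting a 256-byte blob to an unknown
# host, a legitimate wallet posting JSON to its own API, and a game posting short telemetry.
SAMPLE_BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_LOG = [
    f"com.example.calcpro POST collect.example-c2.net /api/v1/up {SAMPLE_BLOB}",
    "com.example.wallet POST api.wallet.example /rpc "
    + base64.b64encode(b'{"method":"getBalance"}').decode(),
    "com.example.puzzle POST stats.example-games.net /t "
    + base64.b64encode(b"session=123").decode(),
]

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_LOG))  # [('com.example.calcpro', 'collect.example-c2.net')]
```

In practice the allowlist would be derived from the app's declared domains, and the size check is only one signal to combine with the behavioural indicators listed later in the report.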
## Impact Assessment
- **Financial:** High; individual losses in similar incidents have reached $9.5 million.
- **Data Breach:** Compromise of private keys and recovery seeds for thousands of wallets.
- **Operational:** Disruption for users who lost access to life savings/assets.
- **Reputational:** Damage to Apple App Store's "walled garden" security reputation and trusted crypto-wallet brands.
## Indicators of Compromise
- **Network indicators:** Redirections to phishing domains (e.g., fake Ledger portals).
- **File indicators:** Malicious iOS provisioning profiles installed on devices.
- **Behavioral indicators:** Non-functional "Calculator" or "Game" apps requesting crypto-seed phrases; prompts to install "Enterprise" profiles from the web.
## Response Actions
- **Containment:** Removal of the 26 malicious apps from the official Apple App Store.
- **Eradication:** Revocation of the abused enterprise provisioning profiles.
- **Recovery:** Users advised to move funds to new, hardware-secured wallets if they interacted with these apps.
## Lessons Learned
- **Marketplace Trust:** Official app stores are not immune to malicious uploads, specifically through "bait and switch" category tactics.
- **Abuse of Enterprise Features:** Provisioning profiles remain a significant blind spot for iOS security when leveraged by social engineering.
- **Regional Targeting:** Attackers capitalized on Chinese crypto restrictions to make "stealthy" apps seem like legitimate bypass tools.
## Recommendations
- **Verification:** Always use direct download links from official websites (e.g., metamask[.]io) rather than searching the App Store manually.
- **Hardware Wallets:** Use cold storage where seed phrases are never entered into an internet-connected device.
- **MDM Awareness:** Users should never install "Provisioning Profiles" or "Configuration Profiles" from unknown sources.
- **Enhanced Review:** Apple should implement stricter heuristic analysis for apps that change behavior or redirect to crypto-related phishing after installation.