Quick Facts
- Category: Finance & Crypto
- Published: 2026-05-04 19:58:17
Breaking: Crypto-Stealing Apps Infiltrate Official App Store
A major phishing campaign has been discovered flooding the Apple App Store with over 20 counterfeit cryptocurrency wallet apps, designed to steal users' private keys and recovery phrases. Kaspersky researchers identified the malicious apps in March 2026, but evidence suggests the operation has been active since at least fall 2025.

“These fake apps mimic popular wallets like MetaMask, Ledger, and Trust Wallet, then redirect users to phishing sites that distribute trojanized versions,” said Dmitry Bestuzhev, a senior security researcher at Kaspersky. “Once installed, they hijack recovery phrases and give attackers full control over victims’ funds.”
Background
This is not a new tactic. In 2022, ESET researchers reported similar attacks using iOS provisioning profiles to install malware on iPhones, targeting major hot wallets. Four years later, the same scheme has resurfaced with new malicious modules and updated injection techniques, now distributed through official App Store listings.
The latest wave primarily targets users in China, where many legitimate crypto wallet apps are region-restricted and unavailable on the App Store. Attackers exploit this gap by creating fake apps with typosquatted names (e.g., “Ledger Wallet” instead of “Ledger Live”) and identical icons to deceive users.
Kaspersky’s investigation uncovered 26 malicious apps mimicking MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. The apps often feature functional stubs—such as a game or calculator—to appear legitimate, while the phishing functionality is hidden in promotional banners urging users to download “the official wallet” via in-app browser pages.
What This Means
For crypto users, the risk is immediate: any app claiming to be a wallet on the App Store could be fraudulent. Attackers have already stolen recovery phrases from victims, granting them permanent access to cryptocurrency holdings. “Even if you download from the official store, always verify the developer name and check for suspicious permissions,” Bestuzhev warned.

Apple has removed several of the flagged apps after Kaspersky’s report, but other linked apps remain on the store with no phishing functionality—yet. “These are likely sleeper apps waiting for a future update to activate malware,” Bestuzhev added. As seen in previous campaigns, attackers often use incremental updates to bypass review.
Key Details of the Campaign
- Target: iOS users in China and globally; major hot wallets like MetaMask, Coinbase, Trust Wallet
- Method: Phishing apps on App Store redirect to fake browser pages distributing trojanized wallet versions
- Indicators: Typos in app names, promotional banners claiming official wallet is “unavailable”, functional stub apps
- Detection: Kaspersky detects as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*
Users are advised to only download wallet apps from official websites, enable two-factor authentication, and never enter recovery phrases into any app. Apple has not yet commented on additional security measures, but the incident calls into question the efficacy of the App Store’s review process for region-restricted markets.
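
The indicators above (a wallet brand in a listing that is not the official one, an unverified developer, wallet branding on a stub app) can be checked against an app inventory exported from device management. This is an added example, not code from Kaspersky or the article; the inventory records, the seller strings and every listing name other than "Ledger Live" are constructed placeholders.

```python
import difflib
import unicodedata

# Brands are those named in the article. Listing names other than "Ledger Live"
# and all seller strings are CONSTRUCTED placeholders: replace them with values
# verified on each vendor's own website before using this on real inventory.
OFFICIAL = {
    "metamask":    ("MetaMask", "PLACEHOLDER-SELLER-METAMASK"),
    "ledger":      ("Ledger Live", "PLACEHOLDER-SELLER-LEDGER"),
    "trustwallet": ("Trust Wallet", "PLACEHOLDER-SELLER-TRUST"),
    "coinbase":    ("Coinbase", "PLACEHOLDER-SELLER-COINBASE"),
    "tokenpocket": ("TokenPocket", "PLACEHOLDER-SELLER-TOKENPOCKET"),
    "imtoken":     ("imToken", "PLACEHOLDER-SELLER-IMTOKEN"),
    "bitpie":      ("Bitpie", "PLACEHOLDER-SELLER-BITPIE"),
}

def norm(text):
    """Fold case and compatibility forms, keep only letters and digits."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def triage(app, threshold=0.8):
    """Return the reasons an inventory record looks like a fake-wallet listing."""
    name = norm(app["name"])
    reasons = []
    for brand, (official_name, seller) in OFFICIAL.items():
        # Match on the brand appearing in the name, or on a near-miss spelling.
        close = difflib.SequenceMatcher(None, name, brand).ratio() >= threshold
        if brand not in name and not close:
            continue
        if name != norm(official_name):
            reasons.append(f"name imitates {official_name} but is not the official listing name")
        if app["seller"] != seller:
            reasons.append(f"seller is not the verified publisher of {official_name}")
        if app["category"] != "Finance":
            reasons.append(f"{official_name} branding in a {app['category']} app (possible stub)")
    return reasons

# Constructed sample inventory, e.g. exported from an MDM.
INVENTORY = [
    {"name": "Ledger Live", "seller": "PLACEHOLDER-SELLER-LEDGER", "category": "Finance"},
    {"name": "Ledger Wallet", "seller": "Constructed Dev Ltd", "category": "Utilities"},
    {"name": "Metarnask", "seller": "Constructed Dev Ltd", "category": "Finance"},
    {"name": "Sudoku Daily", "seller": "Constructed Games Inc", "category": "Games"},
]

if __name__ == "__main__":
    for app in INVENTORY:
        for reason in triage(app):
            print(f"{app['name']}: {reason}")
```

A stub that carries no wallet branding in its name passes this check, so it complements the Kaspersky detections listed above and does not replace them.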