26 Fake Cryptocurrency Wallet Apps Discovered on Apple App Store Targeting Seed Phrases
Cybersecurity researchers have uncovered a sophisticated campaign involving 26 malicious apps on Apple’s App Store designed to steal crypto wallet recovery phrases and private keys.
Cybersecurity experts from Kaspersky have identified a series of fraudulent applications on the Apple App Store that have been active since at least fall 2025. These apps impersonate popular cryptocurrency wallets with the goal of stealing users’ recovery phrases—also known as seed phrases—and private keys to gain unauthorized access to their digital assets.
What Are FakeWallet Apps?
The malicious apps, collectively referred to as FakeWallet, mimic well-known cryptocurrency wallet brands including Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. Upon launching, these apps redirect users to browser pages crafted to resemble the official App Store, where users are then prompted to download trojanized, or maliciously modified, versions of legitimate wallets.
Sergey Puzan, a researcher at Kaspersky, explained the modus operandi: “The infected apps are specifically engineered to hijack recovery phrases and private keys.” These phrases and keys are crucial credentials that allow full control over crypto wallets, making them prime targets for theft.
How Do the FakeWallet Apps Work?
These fake apps often use icons and names nearly identical to authentic wallets, with subtle typos inserted to trick users—for example, “LeddgerNew” instead of “Ledger.” Some apps even disguise themselves under non-cryptocurrency names and icons, such as games or calculators, to avoid suspicion. They claim to help users download official wallet apps that are purportedly “unavailable in the App Store” due to regulatory restrictions.
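The typo-style naming described above ("LeddgerNew" for "Ledger") can be screened for when vetting store listings or an MDM app inventory. The following is an added example, not code from Kaspersky or the original article; the publisher allowlist, the filler-word list and the distance thresholds are assumptions to tune locally.

```python
import re
import unicodedata
from typing import Optional

# Brands the article lists as impersonated by FakeWallet.
BRANDS = ["Bitpie", "Coinbase", "imToken", "Ledger", "MetaMask",
          "TokenPocket", "Trust Wallet"]
# Constructed allowlist: brand -> publisher ID your organisation has verified.
OFFICIAL = {"Ledger": "PUBLISHER-ID-LEDGER", "MetaMask": "PUBLISHER-ID-METAMASK"}
# Filler words commonly appended to a brand name (assumed list; tune locally).
FILLER = re.compile(r"(new|pro|app|official|wallet|plus|lite)$")


def normalize(name: str) -> str:
    """Fold case, drop accents and non-letters, strip trailing filler words."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z]", "", text.lower())
    while True:
        stripped = FILLER.sub("", text)
        if stripped == text or not stripped:
            return text
        text = stripped


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_listing(app_name: str, publisher: str) -> Optional[str]:
    """Return a finding for a suspicious store listing, or None if clean."""
    norm = normalize(app_name)
    for brand in BRANDS:
        target = normalize(brand)
        dist = edit_distance(norm, target)
        limit = 1 if len(target) <= 6 else 2  # tighter limit for short names
        if dist == 0 and OFFICIAL.get(brand) != publisher:
            return f"exact brand '{brand}' from unverified publisher"
        if 0 < dist <= limit:
            return f"lookalike of '{brand}' (distance {dist})"
    return None
```

Name matching does nothing against the listings disguised as games or calculators, so it complements publisher verification rather than replacing it.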
In other cases, once launched, the app uses enterprise provisioning profiles to get users to install the genuine wallet app, but only after a malicious module that captures seed phrases has been installed.
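When triaging an app bundle that reached a device outside the App Store, the provisioning profile embedded in the bundle shows whether it was signed for enterprise (in-house) distribution. The following is an added example, not code from the original article; it assumes the profile bytes come from the bundle's `embedded.mobileprovision` file, the approved-team set is hypothetical, and the sample profile is constructed.

```python
import plistlib


def extract_profile(blob: bytes) -> dict:
    """Pull the XML plist out of the CMS-signed profile container.

    This reads the payload only; it does not verify the CMS signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def distribution_type(profile: dict) -> str:
    """Classify the profile by how it allows the app to be installed."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"            # in-house: installs on any device
    if profile.get("ProvisionedDevices"):
        debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debuggable else "ad-hoc"
    return "app-store"


def triage(blob: bytes, approved_teams: set) -> list:
    """Return findings for a profile; an empty list means nothing to flag."""
    profile = extract_profile(blob)
    team = profile.get("TeamName", "<unknown>")
    findings = []
    if distribution_type(profile) == "enterprise" and team not in approved_teams:
        findings.append(f"enterprise-signed by unapproved team: {team}")
    return findings


# Constructed sample: a plist payload wrapped in stand-in container bytes.
SAMPLE = b"\x30\x80hdr" + plistlib.dumps({
    "Name": "Constructed Profile",
    "TeamName": "Example Holdings Ltd",
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "TEAMID.com.example.wallet"},
}) + b"\x00\x00trailer"

if __name__ == "__main__":
    print(triage(SAMPLE, approved_teams={"Approved Corp"}))
```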
Kaspersky researchers discovered that the malware modules vary per targeted wallet; they are usually injected via malicious library code but sometimes by altering the original app source code. The apps then either hook into the code responsible for the screens where users enter their recovery phrases, or present phishing web pages that trick users into submitting their sensitive data as a “verification” step.
Impact and Actions Taken
The stolen recovery phrases allow attackers to take full control over victims’ wallets, potentially draining them of cryptocurrencies or initiating fraudulent transactions.
Apple has responded by removing many of the identified FakeWallet apps from the App Store, especially those accessible to users with Apple accounts set to China. Significantly, no evidence has been found that these fake apps were distributed through the Google Play Store.
The campaign bears similarities to the earlier SparkKitty Trojan campaign targeting crypto wallets, also suspected to involve threat actors fluent in Chinese. Notably, some FakeWallet apps use optical character recognition (OCR) modules to steal wallet data, a technique previously seen in SparkKitty-associated malware.
Related Threat: MiningDropper Android Malware Framework
Concurrently, cybersecurity firm Cyble has revealed a complex Android malware framework called MiningDropper (also known as BeatBanker). MiningDropper combines cryptocurrency mining, information theft, remote access, and banking malware in multifaceted attacks primarily targeting users in India, Latin America, Europe, and Asia.
MiningDropper is distributed via trojanized versions of legitimate open-source Android projects and uses layered encryption and obfuscation techniques—such as XOR-based native obfuscation, AES-encrypted payloads, dynamic DEX loading, and anti-emulation methods—to evade detection.
Cyble notes this modular design allows the threat actors to adapt the malware’s functionality while reusing the distribution framework across numerous campaigns, enhancing their ability to monetize their attacks.
What Can Users Do?
- Verify app authenticity: Always download cryptocurrency wallets from official sources and check developer credentials carefully.
- Be cautious of app names and icons: Look out for typographical errors or unusual names.
- Never share seed phrases: Legitimate wallets or services will never ask you to reveal your recovery phrases.
- Keep software updated: Regularly update your device’s operating system and apps to benefit from security patches.
- Use two-factor authentication: Where possible, enable multi-factor authentication to add a layer of protection.
This discovery underscores the increasing sophistication of cybercriminal tactics targeting cryptocurrency holders, particularly on mobile platforms. Users are urged to exercise heightened vigilance to protect their assets against evolving threats.
Ravie Lakshmanan
April 24, 2026