Beware of FakeWallet: 26 Malicious Cryptocurrency Apps Discovered on Apple App Store


26 Fake Cryptocurrency Wallet Apps Discovered on Apple App Store Targeting Seed Phrases

By Ravie Lakshmanan – April 24, 2026

Cybersecurity researchers have uncovered a sophisticated campaign involving 26 fake cryptocurrency wallet applications distributed through Apple’s App Store, aimed at stealing users’ recovery phrases and private keys. The operation, active since at least the fall of 2025, poses a severe threat to crypto asset holders, especially those whose Apple account region is set to China.

FakeWallet Campaign Targets Popular Crypto Wallet Users

The fraudulent apps, collectively named FakeWallet, impersonate some of the most widely used cryptocurrency wallets including Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. These counterfeit apps are cleverly designed with icons closely resembling the legitimate wallets but include subtle typographical errors in their names (for example, “LeddgerNew”) to deceive users into downloading them.

Once installed, the apps redirect users to browser-based phishing pages mimicking the Apple App Store interface. These pages then distribute trojanized versions of genuine wallet software embedded with malware engineered to hijack users’ critical information. According to Sergey Puzan, a researcher at cybersecurity firm Kaspersky, “The infected apps are specifically engineered to hijack recovery phrases and private keys.”

Malware Delivery and Techniques

Unlike earlier instances where malicious crypto wallets were spread via fraudulent websites exploiting iOS provisioning profiles, the FakeWallet scheme has evolved. It involves direct availability on Apple’s official App Store, specifically for users in China, circumventing many standard protections.

In some cases, the apps bear no obvious relation to cryptocurrency and pose as benign services such as games, calculators, or task planners. These decoys then serve as conduits to install the malicious wallets, on the pretext that the official wallets are “unavailable in the App Store” due to local regulations.

Kaspersky’s investigation revealed that some apps linked to this threat actor did not yet have active malicious components but mirrored benign applications, possibly as a staging ground for future attacks.

The implanted malware uses multiple tactics: injecting malicious libraries, modifying the original wallet code, and hooking the user-interface screens where seed phrases are entered so they can be captured silently. Seed phrases are also harvested via optical character recognition (OCR) modules or through phishing prompts that ask users to enter their recovery phrases, supposedly for verification.

Potential Attribution to SparkKitty Campaign

Based on overlapping techniques and the use of optical character recognition technology, experts suspect the campaign may be connected to the SparkKitty trojan attacks observed last year. Both campaigns share linguistic traits indicating native Chinese speakers and focus on compromising cryptocurrency assets.

Kaspersky remarked, “The FakeWallet campaign is gaining momentum by employing new tactics, ranging from delivering payloads via phishing apps published in the App Store to embedding themselves into cold wallet apps and using sophisticated phishing notifications to trick users into revealing their mnemonics.”

Following the disclosure, Apple has removed these 26 malicious apps from its App Store. There is no evidence to suggest these counterfeit applications were ever distributed via the Google Play Store.

Concurrent Android Threat: MiningDropper Malware Framework

In related developments, cybersecurity firm Cyble has exposed a complex Android malware delivery framework known as MiningDropper (also called BeatBanker), targeting users primarily in India, Latin America, Europe, and Asia. This Trojan combines cryptocurrency mining, information theft, remote access, and banking malware functionalities.

MiningDropper spreads through trojanized versions of legitimate open-source Android applications, such as Lumolight, and is propagated via fraudulent websites impersonating banks and transport offices. Its multi-layered payload employs XOR-based obfuscation, AES encryption, dynamic DEX loading, and anti-emulation techniques to avoid detection and analysis. This modular architecture allows threat actors to customize final payloads according to operational needs.

Protection and Awareness

Users are strongly advised to exercise caution when downloading cryptocurrency wallet applications, especially those with slightly misspelled names or inconsistent branding. Always verify app publishers and download wallets from official sources and verified channels. Avoid entering seed phrases or private keys into prompts outside the official wallet app interface.
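The advice about slightly misspelled names can be turned into a small triage check. The Python below is an added example written for this page, not code from the article, Kaspersky or Apple. The brand list is the set of wallets the article names as impersonated; the sample catalog is constructed for illustration, apart from “LeddgerNew”, which the article itself cites. It normalizes app names, then looks for a known brand, or a one-edit misspelling of one, embedded anywhere in the name.

```python
import re

# Wallet brands the article names as impersonated by FakeWallet.
KNOWN_WALLETS = ["Bitpie", "Coinbase", "imToken", "Ledger", "MetaMask",
                 "TokenPocket", "Trust Wallet"]

# Constructed sample catalog (not real listings); only "LeddgerNew"
# comes from the article's text.
SAMPLE_CATALOG = [
    "LeddgerNew",
    "MetaMsk Wallet",
    "Ledger Live",
    "Crypto Calculator",
    "imToken",
    "Daily Task Planner",
]


def normalize(name: str) -> str:
    """Lower-case and keep only letters and digits, so spacing, punctuation
    and case tricks do not defeat the comparison."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def fuzzy_substring_distance(needle: str, hay: str) -> int:
    """Smallest edit distance between needle and any window of hay whose
    length is within one of len(needle). This catches a misspelled brand
    buried in a longer name ("leddger" inside "leddgernew")."""
    n = len(needle)
    best = None
    for w in (n - 1, n, n + 1):
        if w <= 0 or w > len(hay):
            continue
        for i in range(len(hay) - w + 1):
            d = levenshtein(needle, hay[i:i + w])
            best = d if best is None else min(best, d)
    # hay shorter than every window: compare the whole strings instead
    return levenshtein(needle, hay) if best is None else best


def classify(app_name: str, max_distance: int = 1):
    """Return (verdict, brand). Verdicts:
       'brand-match' - a known brand appears verbatim (confirm the publisher)
       'lookalike'   - within max_distance edits of a brand, but not exact
       'unrelated'   - no brand resemblance by this measure"""
    norm = normalize(app_name)
    best_brand, best_d = None, None
    for brand in KNOWN_WALLETS:
        d = fuzzy_substring_distance(normalize(brand), norm)
        if best_d is None or d < best_d:
            best_brand, best_d = brand, d
    if best_d == 0:
        return "brand-match", best_brand
    if best_d <= max_distance:
        return "lookalike", best_brand
    return "unrelated", None


def triage(catalog):
    """Return (name, verdict, brand) for every entry that is not 'unrelated',
    in catalog order, so an analyst can review lookalikes and verify the
    publisher of verbatim brand matches."""
    results = [(name, *classify(name)) for name in catalog]
    return [r for r in results if r[1] != "unrelated"]


if __name__ == "__main__":
    for name, verdict, brand in triage(SAMPLE_CATALOG):
        print(f"{verdict:12} {name!r:22} ~ {brand}")
```

The threshold of one edit is deliberate: a looser threshold would also flag distinct legitimate products with similar names, while a verbatim brand match is not suspicious on its own and should be resolved by checking the listed publisher against the wallet vendor's official channels. The decoy category the article describes (calculators, task planners) will not be caught by name matching at all, which is why the check is a triage aid rather than a verdict.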

This latest discovery underscores the persistent and evolving threats targeting crypto users and highlights the importance of vigilance, robust app vetting by platform owners, and continuous cybersecurity research.
