A new cybersecurity report has revealed that 26 malicious apps managed to infiltrate Apple’s App Store by posing as legitimate cryptocurrency wallets, putting users at serious risk of losing their funds.

The apps impersonated well-known services such as MetaMask, Coinbase, Trust Wallet, and OneKey in order to steal the recovery (seed) phrases used to access crypto assets.

According to researchers at Kaspersky, all of these apps are part of a coordinated campaign known as FakeWallet, which is linked to an ongoing operation called SparkKitty. The attackers used convincing tactics such as fake branding and slight spelling variations in app names to trick users into downloading them.
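As an added example (not code from the article or from Kaspersky's report), the check below is what a store reviewer or an enterprise app-allowlist could run to flag app names that are near-misses of the wallet brands named above, the "slight spelling variation" tactic the campaign relied on. The brand list comes from the article; the look-alike character table and the sample names are assumptions constructed for illustration.

```python
# Added example: flag app names that are near-misses of known wallet brands.
# Brand list is from the article; HOMOGLYPHS and sample names are constructed.
import re

KNOWN_WALLETS = ["MetaMask", "Coinbase", "Trust Wallet", "OneKey"]

# Digits/symbols commonly swapped for letters in look-alike names (assumption:
# a small illustrative table, not an exhaustive confusables list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "|": "l"})


def normalize(name: str) -> str:
    """Lowercase and keep only letters and digits (spacing/punctuation ignored)."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(app_name: str, max_distance: int = 2):
    """Return (verdict, closest_brand, distance).

    'exact'     - spelled like the brand once case/spacing are ignored
    'lookalike' - homoglyph-folded form is within max_distance edits of a brand
                  (includes distance 0 when the raw name used look-alike chars)
    'unrelated' - nothing close
    An 'exact' hit still needs a publisher check; the name alone proves nothing.
    """
    plain = normalize(app_name)
    folded = plain.translate(HOMOGLYPHS)
    brand, dist = min(
        ((b, levenshtein(folded, normalize(b))) for b in KNOWN_WALLETS),
        key=lambda t: t[1],
    )
    if dist == 0 and plain == folded:
        return ("exact", brand, 0)
    if dist <= max_distance:
        return ("lookalike", brand, dist)
    return ("unrelated", brand, dist)


if __name__ == "__main__":
    for sample in ["MetaMask", "MetaMsk", "Trust Wa11et", "C0inbase", "Calculator Pro"]:
        print(sample, "->", classify(sample))
```

Short brand names such as OneKey give more false positives at two edits, so tighten `max_distance` to 1 for brands of six characters or fewer when running this over a large catalogue.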

The campaign appears to have primarily targeted users in China, where access to crypto-related apps is restricted. To bypass scrutiny and appeal to users, the malicious apps were disguised as harmless tools such as games or calculator apps. This likely made them seem like unofficial workarounds for reaching banned services, increasing the chances of downloads.

Once installed, the apps redirected users to phishing websites designed to closely mimic official crypto platforms. These fake sites then encouraged victims to install compromised wallet apps using Apple’s provisioning profile system, a legitimate enterprise feature that can be misused to sideload apps outside the normal App Store process.

The real danger came during wallet setup or recovery. The trojanized apps were built to intercept seed phrases, which are essentially the master keys to a crypto wallet. These phrases were encrypted and sent directly to the attackers. In some cases, users were also tricked into manually entering their seed phrases through fake verification screens, especially when interacting with cold wallet interfaces like Ledger.


Because seed phrases allow full access to a wallet without additional authentication, attackers can use them to restore the wallet on another device and transfer all funds, often with no way for victims to recover their assets.

Although the campaign focused on China, the underlying malware has no geographic limitations, meaning users in other regions could be affected if the attackers expand their reach.

Following responsible disclosure by Kaspersky, Apple has removed all 26 malicious apps from the App Store. However, the incident raises concerns about how these apps were able to bypass Apple’s review process in the first place.


Users are strongly advised to verify app publishers carefully, download apps only through official links provided by trusted services, and never share or enter their seed phrases outside of verified wallet environments. Even apps from official stores should be approached with caution when dealing with sensitive financial information.
