Apple App Store hosts 26 fakes
- Kaspersky said Apple’s App Store carried 26 fake crypto wallet apps that mimicked MetaMask, Ledger, Coinbase and Trust Wallet to lure iPhone users.
- The apps were found in March, topped some Chinese App Store searches, and pushed victims to install trojanized wallets via sideloading profiles.
- The campaign has run since at least fall 2025 and was linked to SparkKitty operators. (kaspersky.com)

Kaspersky said 26 fake cryptocurrency wallet apps made it into Apple’s App Store and were used to steer iPhone users toward wallet-stealing malware. (kaspersky.com) The counterfeit apps copied the names and icons of MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken and Bitpie, according to Kaspersky’s April 20 disclosure. (kaspersky.com) Kaspersky said it found the apps in March 2026, including some that appeared near the top of Chinese App Store search results for wallet tools. (kaspersky.com)

A crypto wallet is the app or device that holds the keys needed to move digital coins. A recovery phrase is the master backup; if thieves get it, they can rebuild the wallet and empty it. (kaspersky.com)

The App Store listings did not directly steal funds, Kaspersky said. They worked as bait, opening a web page made to look like Apple’s store and prompting users to install a second, compromised wallet app. (kaspersky.com) That second step asked victims to add a provisioning profile, which lets an iPhone install software from outside the App Store. Kaspersky said the attackers used Apple’s enterprise-style distribution path to sideload the trojanized wallets. (kaspersky.com) (securelist.com)

Kaspersky said the malicious wallet builds were tailored to each brand they impersonated. On hot wallets, the malware watched for seed phrases; on cold-wallet tools, it tried to capture credentials and wallet data during setup or import. (kaspersky.com) (securelist.com)

Most of the phishing apps were available only to Chinese iOS users because several official wallet apps are not offered in China’s App Store, Kaspersky said. The company also said the fake apps themselves had no regional restriction, leaving users outside China exposed if they found them. (kaspersky.com) To pass review, the developers added simple functions such as games, calculators and task planners, Kaspersky said. Some other similar apps had not yet turned on phishing features, suggesting the campaign was still expanding through updates. (kaspersky.com)

Kaspersky said the operation has been active since at least fall 2025 and attributed it with moderate confidence to the group behind SparkKitty. The finding leaves Apple’s App Store badge as a weak signal for crypto wallet imports when the app hands users off to the web and sideloading prompts. (kaspersky.com)
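
For defenders triaging an app that arrived through a sideloading prompt like the one described above, the following added example (not code from Kaspersky's report) reads the provisioning profile embedded in an app package and flags enterprise in-house distribution. It assumes Apple's standard profile keys (`ProvisionsAllDevices`, `ProvisionedDevices`, `Entitlements`); the helper names and both sample profiles are constructed, and the CMS signature is not verified.

```python
import plistlib

def extract_profile(blob: bytes) -> dict:
    """Read the XML plist inside a CMS-wrapped provisioning profile.
    The CMS signature is NOT verified here; this only reads the payload."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start) if start >= 0 else -1
    if end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Map the profile's keys to a distribution type."""
    ent = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"  # in-house profile: not tied to a device list
    if profile.get("ProvisionedDevices"):
        return "development" if ent.get("get-task-allow") else "ad-hoc"
    return "app-store"

def triage(blob: bytes) -> dict:
    """Summarise a profile; an enterprise profile on a consumer wallet app
    is the case worth a closer look."""
    p = extract_profile(blob)
    kind = classify(p)
    return {
        "kind": kind,
        "team": p.get("TeamName"),
        "app_id": p.get("Entitlements", {}).get("application-identifier"),
        "expires": p.get("ExpirationDate"),
        "needs_review": kind == "enterprise",
    }

def _wrap(payload: dict) -> bytes:
    # Constructed stand-in for the CMS envelope: filler bytes around the plist.
    return b"\x30\x82\x0f\x00" + plistlib.dumps(payload) + b"\x00" * 8

# Constructed samples, not taken from the campaign.
SAMPLE_ENTERPRISE = _wrap({
    "Name": "Constructed In-House Profile", "TeamName": "Example Trading Co.",
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.wallet"}})
SAMPLE_ADHOC = _wrap({
    "Name": "Constructed Ad Hoc Profile", "TeamName": "Example Dev Team",
    "ProvisionedDevices": ["00008030-CONSTRUCTED-UDID"],
    "Entitlements": {"application-identifier": "ZYXWV98765.com.example.notes"}})

if __name__ == "__main__":
    for blob in (SAMPLE_ENTERPRISE, SAMPLE_ADHOC):
        print(triage(blob))
```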