Kaspersky finds 26 fake wallets

- Kaspersky said on April 20 it found 26 fake iPhone wallet apps on Apple’s App Store that impersonated MetaMask, Ledger, Coinbase and Trust Wallet.
- The apps pushed users to fake App Store pages, installed trojanized wallets through developer profiles, and stole recovery phrases that can empty accounts.
- Most listings targeted China, where many real wallet apps are unavailable, but Kaspersky said the malware itself had no regional limits. (kaspersky.com)

A crypto wallet is the app or device that holds the keys to your coins, and a seed phrase is the backup that unlocks everything. Kaspersky said 26 fake iPhone wallet apps were caught on Apple’s App Store stealing those phrases. (kaspersky.com) (securelist.com)

Kaspersky published the findings on April 20, 2026 and said the apps copied the names and icons of MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken and Bitpie. The company said the campaign had been active since at least fall 2025. (kaspersky.com) (securelist.com)

Most of the listings appeared in China’s App Store, where official iOS versions of several wallet apps are unavailable if an Apple ID is set to the China region. Kaspersky said the attackers used that gap to rank fake apps in search results. (securelist.com) (kaspersky.com)

The scam worked in two steps. First, the App Store listing looked harmless, sometimes dressed up as a game, calculator or to-do list; then it opened a web page that looked like Apple’s store and offered the “real” wallet download. (kaspersky.com) (bleepingcomputer.com) That second download used an iPhone feature called a provisioning profile, which companies normally use to install internal business apps outside the public store. Kaspersky said the attackers abused that feature to sideload trojanized wallet apps onto victims’ phones. (kaspersky.com) (bleepingcomputer.com)

For hot wallets, the malicious code watched the setup or recovery screen and captured the seed phrase as the victim typed it. For hardware wallets like Ledger, Kaspersky said the apps used phishing screens that asked users to enter the phrase manually. (kaspersky.com) (bleepingcomputer.com) A seed phrase is not just a password reset: anyone who has it can rebuild the wallet on another device and move the funds without the owner’s approval. (bleepingcomputer.com) (kaspersky.com)

Kaspersky linked the campaign with moderate confidence to the SparkKitty operation, an earlier malware cluster that also used Apple’s enterprise distribution tools. The company said the fake-wallet campaign showed updated injection methods and new malicious modules. (kaspersky.com) (securelist.com)

Apple removed 25 of the 26 apps before Kaspersky published its report, and the last app was later removed and the developer account terminated, according to BleepingComputer. Kaspersky said it had reported all of the apps to Apple. (bleepingcomputer.com) (kaspersky.com)

Kaspersky’s advice was simple: check the developer name, use download links from a wallet maker’s official site, and never type a recovery phrase into a mobile app unless you are restoring a wallet you already trust. The fake apps looked close enough to the real thing that App Store placement alone was not a safety check. (kaspersky.com) (securelist.com)
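The advice above boils down to trusting only a vendor's own download link. As an added illustration (not code from Kaspersky or from any wallet vendor), the check below validates a wallet download URL against an allowlist of official hosts and rejects the lookalike tricks a fake store page tends to rely on: a brand name used as a subdomain of an attacker's domain, credentials embedded before the real host, plain HTTP, and internationalized or punycode hosts that render like the real brand. The `OFFICIAL_HOSTS` set is an assumption for the example; confirm each vendor's actual download domain before relying on it.

```python
from urllib.parse import urlparse

# ASSUMED official download hosts for this example only; verify each against
# the vendor's own site before using this list for anything real.
OFFICIAL_HOSTS = {
    "metamask.io",
    "ledger.com",
    "trustwallet.com",
    "coinbase.com",
    "apps.apple.com",
}


def host_is_under(host: str, allowed: str) -> bool:
    """True if host is exactly `allowed` or a proper subdomain of it.

    The leading dot matters: "apps.apple.com.evil.example" does not end
    with ".apps.apple.com", so a brand used as a subdomain label fails.
    """
    return host == allowed or host.endswith("." + allowed)


def check_download_link(url: str) -> tuple[bool, str]:
    """Return (is_trusted, reason) for a wallet download URL."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False, "unparseable URL"

    if parsed.scheme != "https":
        return False, f"scheme {parsed.scheme!r} is not https"

    # Credentials before '@' (https://apple.com@evil.example/) make the
    # displayed prefix look official while the real host is what follows.
    if parsed.username is not None or parsed.password is not None:
        return False, "URL carries userinfo before the host"

    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"

    # Non-ASCII or punycode hosts can be visually identical to the real brand
    # (e.g. a Cyrillic letter swapped in); treat them as untrusted outright.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalized host looks like a brand lookalike"

    for allowed in OFFICIAL_HOSTS:
        if host_is_under(host, allowed):
            return True, f"host is under official domain {allowed}"
    return False, f"host {host!r} is not an official wallet domain"


if __name__ == "__main__":
    # Constructed sample links: one genuine-looking, the rest lookalike lures.
    samples = [
        "https://metamask.io/download/",
        "https://apps.apple.com.evil.example/store/",
        "https://apple.com@evil.example/wallet",
        "http://ledger.com/start",
        "https://m\u0435tamask.io/",  # Cyrillic 'е' in place of Latin 'e'
    ]
    for link in samples:
        ok, why = check_download_link(link)
        print(f"{'TRUSTED ' if ok else 'REJECTED'} {link}  ({why})")
```

The allowlist approach is deliberately strict: anything not explicitly under an official domain is rejected rather than scored, which is the right default when the asset at stake is a seed phrase.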

Shared from Scout - Be the smartest in the room.