Kaspersky finds App Store wallet clones

- Kaspersky said April 27 that attackers placed 26 fake crypto-wallet apps in Apple’s App Store, then redirected iPhone users to phishing pages.
- The apps copied MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken and Bitpie, and Kaspersky said the campaign has run since fall 2025.
- Apple’s review system scans apps for malware, but Kaspersky said attackers used stub apps and sideloaded profiles. (kaspersky.com)

Kaspersky said on April 27 that attackers used Apple’s App Store to distribute fake crypto-wallet apps that funneled users into wallet-stealing installs. (kaspersky.com)

The security company said it found 26 phishing apps impersonating MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken and Bitpie. Most were listed for Chinese iPhone users, where several official wallet apps are unavailable in the local store. (kaspersky.com 1) (kaspersky.com 2)

The fake listings were not empty shells. Kaspersky said the developers added simple functions such as games, calculators and to-do lists so the apps could look legitimate during review. (kaspersky.com 1) (kaspersky.com 2)

After launch, the apps opened a web page made to look like the App Store and told users to install the “real” wallet. Kaspersky said that step pushed victims to add a developer provisioning profile, which lets software be sideloaded outside the App Store. (kaspersky.com 1) (kaspersky.com 2)

That matters because a wallet’s seed phrase is the master key to the funds inside it. Kaspersky said the trojanized wallet variants watched wallet setup screens and captured seed phrases that could give attackers full control of the assets. (kaspersky.com)

Kaspersky said the same campaign also targeted Mac users with altered installers for legitimate crypto apps. In that version, victims downloaded a tampered macOS build that could carry trojan code instead of the genuine wallet software. (kaspersky.com)

The company linked the iPhone campaign with “moderate confidence” to the operators behind SparkKitty, a mobile stealer Kaspersky disclosed in June 2025. SparkKitty previously appeared in App Store and Google Play apps tied to crypto and gambling. (kaspersky.com)

Apple’s App Review Guidelines say the company reviews every app and scans for malware and other software that could affect safety, security and privacy. Kaspersky’s report shows attackers can still use lookalike branding and post-install redirects to move victims outside that review layer. (developer.apple.com) (kaspersky.com)

Kaspersky said it reported the malicious apps to Apple after tracing activity back to at least fall 2025. The thread running through the campaign is simple: the App Store listing built trust, and the theft happened after users followed the next prompt. (kaspersky.com)
