FakeWallets Evade App Store
- Kaspersky said it found 26 malicious iPhone apps on Apple’s App Store that impersonated crypto wallets, redirected users to phishing pages, and stole recovery phrases needed to empty wallets.
- The apps targeted users whose Apple accounts were set to China, copied brands including Coinbase, Ledger, MetaMask and Trust Wallet, and had likely been active since fall 2025.
- Apple says it blocked nearly 2 million risky app submissions in 2024, but this campaign still reached the store and exposed a gap in review and fraud controls. (apple.com)

Kaspersky said it found 26 malicious apps on Apple’s App Store that posed as cryptocurrency wallets and stole the recovery phrases that unlock users’ funds. (kaspersky.com) The apps copied wallet brands including Coinbase, Ledger, MetaMask, TokenPocket, Trust Wallet, imToken and Bitpie, according to Kaspersky researcher Sergey Puzan. (securelist.com)

Kaspersky said the campaign had been active since at least fall 2025 and was available directly in Apple’s App Store for users whose Apple accounts were set to China. (securelist.com) (thehackernews.com)

A crypto wallet recovery phrase is the master backup for a wallet. Anyone who gets that phrase can usually restore the wallet on another device and move the money out. (securelist.com)

Kaspersky said these apps used two main tricks. Some hooked the screen where users typed a recovery phrase, while others showed a fake verification page that asked for the phrase directly. (securelist.com)

Several of the apps used wallet-like icons with slight spelling changes, including names like “LeddgerNew,” to look close enough to the real thing in search results. (thehackernews.com) Other apps hid behind unrelated categories such as games, calculators or task planners, then opened a browser page that pushed a wallet download through enterprise provisioning profiles. (thehackernews.com)

Kaspersky said it linked the operation with moderate confidence to the threat actors behind SparkKitty, another mobile malware family aimed at stealing cryptocurrency data. (kaspersky.com) (securelist.com)

Apple said in May 2025 that it blocked nearly 2 million risky app submissions in 2024 and terminated more than 146,000 developer accounts over fraud concerns. (apple.com)

Kaspersky said many of the FakeWallet apps were removed after disclosure. The episode adds another case in which crypto-stealing software made it through review at an official app store before being taken down. (thehackernews.com) (techcrunch.com)
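
The slight spelling changes described above, such as “LeddgerNew,” can be flagged by a near-miss match against the impersonated brand names. The following is an added example, not code from Kaspersky or Apple: the brand list comes from the article, the function names are hypothetical, the sample app names other than “LeddgerNew” are constructed, and the edit-distance threshold of 1 is an assumption.

```python
import re

# Brands the article lists as impersonated, normalized to lowercase alphanumerics.
BRANDS = ["coinbase", "ledger", "metamask", "tokenpocket",
          "trustwallet", "imtoken", "bitpie"]


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def closest_brand(app_name, max_distance=1):
    """Return (brand, distance) for the best brand match inside app_name, or None.

    Distance 0 means the brand appears verbatim (the publisher still needs
    checking); distance 1 means a near-miss spelling such as a doubled letter.
    """
    name = re.sub(r"[^a-z0-9]", "", app_name.lower())
    best = None
    for brand in BRANDS:
        # Slide windows slightly shorter and longer than the brand so that
        # suffixes like "New" or "Pro" do not hide the misspelled core.
        for width in range(len(brand) - max_distance,
                           len(brand) + max_distance + 1):
            for start in range(max(len(name) - width, 0) + 1):
                d = edit_distance(name[start:start + width], brand)
                if d <= max_distance and (best is None or d < best[1]):
                    best = (brand, d)
    return best


def triage(app_names):
    """Map each app name to its closest brand match (None if unrelated)."""
    return {n: closest_brand(n) for n in app_names}


if __name__ == "__main__":
    # "LeddgerNew" is from the article; the other names are constructed samples.
    for name, hit in triage(["LeddgerNew", "Trust Wa1let", "MetaMask",
                             "Task Planner Pro"]).items():
        print(f"{name!r}: {hit}")
```

Name matching only catches the lookalike listings; the apps the article describes as hiding in unrelated categories such as games or calculators would pass this check.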