Apple App Store hosts 26 fake wallets
- Kaspersky found 26 fake wallet apps on Apple’s China App Store impersonating MetaMask, Coinbase, Trust Wallet, TokenPocket and others to steal seed phrases.
- Apple removed 25 apps before publication, then pulled the last one and killed the developer account; the same cluster ties to SparkKitty.
- It matters because one seed phrase is enough to empty a wallet, and App Store review still misses convincing clones.

Crypto wallet apps are supposed to be the safe layer between you and a very unsafe asset class. But this week’s story is the opposite — 26 fake wallet apps made it into Apple’s App Store in China and were built to steal the one secret that matters most: your recovery phrase. Once an attacker has that phrase, the theft is basically irreversible. Apple removed the apps after Kaspersky flagged them, but the bigger point is uglier — “it was in the App Store” is not the safety guarantee people think it is.

### What were these apps pretending to be?

They copied the branding of real crypto products people already trust — MetaMask, Coinbase Wallet, Trust Wallet, TokenPocket, imToken, Bitpie, TronLink, and OneKey. The campaign used typos, lookalike names, and fake logos to make the listings feel official enough for a quick install.

### Why target China’s App Store?

Because crypto apps are restricted there, the attackers leaned into the weirdness instead of hiding it. Some listings showed up as games or calculator apps, which could plausibly look like a workaround users might expect in a restricted market. That made the scam feel less suspicious, not more.

### How did the theft actually work?

The trick was not some exotic iPhone jailbreak. It was phishing with better packaging. The apps pushed users to pages that looked like legitimate wallet setup or recovery flows. Then they asked for the mnemonic seed phrase — the string of words that restores. Malicious code could intercept the phrase during setup or recovery and send it back to the attacker.

### Why is the seed phrase such a disaster point?

Because it is the master key. A password can often be reset. A card can be frozen. A seed phrase is different — if someone gets it, they can recreate the wallet elsewhere and move the assets out. There is no chargeback desk for that. Think of it less like stealing your login and more like stealing the deed to the house.

### Was this one-off sloppiness?

Not really. Kaspersky tied the apps to a broader operation it calls FakeWallet and linked that cluster to SparkKitty, an ongoing campaign seen before. And just days earlier, a separate fake Ledger Live app on Apple’s macOS App Store stole about $9.5 million from Apple’s review process.

### Didn’t Apple say the App Store is heavily policed?

Yes — and both things can be true. Apple says it blocked nearly 2 million risky app submissions in 2024, terminated more than 146,000 developer accounts over fraud concerns, and prevented over $2 billion in potentially fraudulent transactions that year. That tells you the filter is huge. But it also tells you attackers keep testing it, and sometimes they get through.

### So what should users actually do?

Start from the wallet company’s own website, not App Store search. Check the developer name, not just the app name and icon. Never enter a recovery phrase because an app “needs to verify” it. Real wallet vendors do not need that phrase for routine checks. And if a crypto app looks oddly disguised as a calculator or utility, treat that as a red flare, not a clever hack.

### Bottom line

The lesson is simple but harsh — app-store distribution lowers friction for attackers too. In crypto, one fake prompt can be enough to wipe you out.
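
The advice to check the developer name and not just the app name can be turned into a screening routine for listings whose names sit within a couple of edits of a wallet brand. This is an added example, not Kaspersky's or Apple's tooling; the publisher strings, the digit-swap table and the sample listings are constructed placeholders.

```python
import unicodedata

# Brand names come from the article; publisher strings are constructed
# placeholders, not the vendors' real App Store developer names.
BRANDS = {
    "MetaMask": "EXAMPLE-PUBLISHER-A",
    "Trust Wallet": "EXAMPLE-PUBLISHER-B",
    "TokenPocket": "EXAMPLE-PUBLISHER-C",
    "imToken": "EXAMPLE-PUBLISHER-D",
}
# Digit-for-letter swaps seen in typo names (small assumed subset).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(name):
    """Fold width variants, case, accents, spacing and digit swaps."""
    text = unicodedata.normalize("NFKD", name).casefold()
    text = "".join(c for c in text if not unicodedata.combining(c))
    return "".join(c for c in text.translate(SWAPS) if c.isalnum())

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def closest_brand(listing_name, max_dist=2):
    """Return (brand, distance) for the nearest brand, or None."""
    norm, best = normalise(listing_name), None
    for brand in BRANDS:
        target = normalise(brand)
        # Slide a brand-sized window so a name with extra words still matches.
        starts = range(max(1, len(norm) - len(target) + 1))
        dist = min(edit_distance(norm[i:i + len(target)], target) for i in starts)
        if dist <= max_dist and (best is None or dist < best[1]):
            best = (brand, dist)
    return best

def review(listing_name, publisher):
    """Classify a listing as 'ok', 'impersonation-suspect' or 'unrelated'."""
    hit = closest_brand(listing_name)
    if hit is None:
        return "unrelated"
    return "ok" if publisher == BRANDS[hit[0]] else "impersonation-suspect"

# Constructed listings (not real App Store entries).
SAMPLES = [("MetaMaskk Wallet", "Dev X"), ("Trvst Wa11et", "Dev Y"), ("Scientific Calculator", "Dev Z")]
```

The calculator listing comes back as `unrelated`: name matching only catches clones that advertise the brand, so the listings disguised as games or calculators need other signals.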