FakeWallet crypto stealer spreading through iOS apps in the App Store

Gandalf_The_Grey

In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets. The infected apps are specifically engineered to hijack recovery phrases and private keys. Metadata from the malware suggests this campaign has been flying under the radar since at least the fall of 2025.

We’ve seen this happen before. Back in 2022, ESET researchers spotted compromised crypto wallets distributed through phishing sites. By abusing iOS provisioning profiles to install malware, attackers were able to steal recovery phrases from major hot wallets like Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Fast forward four years, and the same crypto-theft scheme is gaining momentum again, now featuring new malicious modules, updated injection techniques, and distribution through phishing apps in the App Store.

Kaspersky products detect this threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*.
 
This is a serious reminder that App Store presence alone is not a guarantee of safety.

What the report says

Based on Kaspersky’s write-up, the main pattern is:

  • Users install an app that appears to be a legitimate crypto wallet
  • The app then redirects to a phishing page or malicious distribution page
  • Victims are tricked into entering a recovery phrase or private key
  • The attackers use that information to take control of the wallet

The most important point is that the theft happens through credential and seed phrase capture, not by some magic bypass of wallet security. If a recovery phrase is exposed, the wallet should be treated as fully compromised.

Why this matters even on iPhone

Many users still assume iOS is “safe by default” against this kind of threat. In general, iOS does reduce some malware risks compared with more open platforms, but it does not prevent:

  • Phishing
  • Fake branding
  • Social engineering
  • Malicious web redirection
  • Abuse of enterprise/provisioning mechanisms in some attack chains

So the weak point here is often the user being convinced to trust a fake workflow.

Practical safety takeaways

For anyone using crypto wallets on mobile, the safest habits are:

  • Never enter a recovery phrase into a page opened from an ad, redirect, or unexpected in-app browser
  • Only download wallets from the official developer page linked from the project’s real website
  • Verify the publisher name carefully, not just the app name and logo
  • Avoid “wallet recovery” prompts unless you intentionally initiated recovery
  • If possible, use a hardware wallet for larger holdings
  • Keep only limited funds in hot wallets

If someone already entered their seed phrase

The response should be immediate:

  1. Assume the wallet is compromised
  2. Create a new wallet with a new recovery phrase on a trusted device/app
  3. Move remaining assets out as quickly as possible, if still possible
  4. Revoke token approvals where relevant
  5. Check connected dApps and sessions
  6. Do not reuse the compromised seed phrase under any circumstances
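Steps 4 and 5 above are the ones people most often skip, because a wallet app rarely shows which contracts are still allowed to spend its tokens. The script below is an added example written for this post, not code from Kaspersky's report or from any wallet project. It assumes the responder has already pulled the wallet's raw ERC-20 `Approval` event logs from a node (the kind of entries `eth_getLogs` returns) and decodes them to list every spender that still holds a non-zero allowance, with "unlimited" approvals listed first because they are the ones a thief would drain. The log entries, addresses and token contracts in it are constructed sample data; the only real constant is the standard topic hash of the ERC-20 `Approval(address,address,uint256)` event. An approval of zero is treated as a revocation, which is how on-chain revocation actually works.

```python
"""Audit outstanding ERC-20 token approvals for a wallet from Approval event logs.

Added example, not part of the original post or the cited report. Input is a
list of raw log entries (as returned by eth_getLogs) that the caller has already
fetched; fetching from a node is out of scope here.
"""
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval event.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("Transfer(address,address,uint256)"): used only to show unrelated events are skipped.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UNLIMITED = 2**256 - 1  # the "infinite approval" value many dApps request


@dataclass(frozen=True)
class Allowance:
    token: str
    spender: str
    amount: int
    block: int

    @property
    def unlimited(self) -> bool:
        return self.amount == UNLIMITED


def _topic_to_address(topic: str) -> str:
    # Indexed address parameters are left-padded to 32 bytes; the address is the low 20 bytes.
    return "0x" + topic[-40:].lower()


def outstanding_allowances(logs, owner: str):
    """Return non-zero allowances granted by `owner`, latest approval per (token, spender) wins."""
    owner = owner.lower()
    latest = {}
    # Chain order matters: a later Approval (including a zero revocation) replaces an earlier one.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if _topic_to_address(topics[1]) != owner:
            continue  # somebody else's approval
        token = log["address"].lower()
        spender = _topic_to_address(topics[2])
        amount = int(log["data"], 16)
        latest[(token, spender)] = Allowance(token, spender, amount, log["blockNumber"])
    live = [a for a in latest.values() if a.amount > 0]
    # Unlimited approvals first, then deterministic order by token and spender.
    return sorted(live, key=lambda a: (0 if a.unlimited else 1, a.token, a.spender))


# ---- constructed sample data (hypothetical addresses, not real contracts) ----
OWNER = "0x" + "a1" * 20        # the compromised wallet
OTHER_OWNER = "0x" + "e5" * 20
SPENDER_A = "0x" + "b2" * 20    # holds an unlimited approval
SPENDER_B = "0x" + "c3" * 20    # approved, then revoked
SPENDER_C = "0x" + "d4" * 20    # holds a bounded approval
TOKEN_1 = "0x" + "11" * 20
TOKEN_2 = "0x" + "22" * 20


def _pad(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def _word(n: int) -> str:
    return "0x" + format(n, "064x")


def _log(token, owner, spender, amount, block, index, topic=APPROVAL_TOPIC):
    return {"address": token, "topics": [topic, _pad(owner), _pad(spender)],
            "data": _word(amount), "blockNumber": block, "logIndex": index}


SAMPLE_LOGS = [
    _log(TOKEN_2, OWNER, SPENDER_C, 1000, 103, 0),
    _log(TOKEN_1, OWNER, SPENDER_A, UNLIMITED, 100, 2),
    _log(TOKEN_1, OWNER, SPENDER_B, 0, 102, 1),          # revocation of the approval below
    _log(TOKEN_1, OWNER, SPENDER_B, 5000, 101, 0),
    _log(TOKEN_1, OTHER_OWNER, SPENDER_A, 7, 104, 0),    # different owner, ignored
    _log(TOKEN_1, OWNER, SPENDER_A, 3, 105, 0, topic=TRANSFER_TOPIC),  # not an Approval, ignored
]

if __name__ == "__main__":
    for a in outstanding_allowances(SAMPLE_LOGS, OWNER):
        label = "UNLIMITED" if a.unlimited else str(a.amount)
        print(f"token {a.token} -> spender {a.spender}: {label} (block {a.block})")
```

Every line the script prints is a spender that can still move that token out of the wallet until a zero-value approval is sent from it, which is why step 4 has to happen while the responder still controls the key, and why step 3 (moving assets out) comes first: a thief holding the seed phrase can race any revocation transaction.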

If significant funds are involved, it may also help to document wallet addresses and transaction history for exchange or law-enforcement reporting, but recovery is often difficult once crypto is transferred.

On detection names

Kaspersky’s detection names are useful for identifying how their products classify the threat, but they should not be treated as universal industry naming. Different vendors may use different labels for the same campaign.

Bottom line

This is a phishing and credential-stealing problem disguised as legitimate wallet software, and it shows that users should verify crypto apps very carefully even on the App Store. The safest rule is simple: never disclose a seed phrase except during intentional wallet setup or recovery using a verified official app or device.

Sources