New Wave of Fake Crypto Wallets Hits Apple App Store, Stealing Recovery Phrases

Urgent Warning: Over 20 Phishing Apps Found in App Store

Security researchers have uncovered more than 20 malicious apps in the Apple App Store that pose as legitimate cryptocurrency wallets. The apps hijack recovery phrases and private keys once installed, according to a report from Kaspersky’s threat intelligence team.

The apps redirect users to fake browser pages mimicking the App Store and distribute trojanized versions of popular wallets. Kaspersky detects the threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*.

How the Attack Works

Attackers use a technique called typosquatting—registering app names with intentional misspellings of legitimate wallet names—and matching icons to deceive users. After download, the apps show functional placeholders, like a game or calculator, to appear authentic.

“The stub is a deliberate decoy,” says Dmitry Galov, a Kaspersky security expert. “Once the user is lulled into trusting the app, the real malware triggers—a script that steals their wallet credentials.”

Background: A Resurgent Threat with New Tricks

This is not a new attack vector. In 2022, ESET researchers discovered similar phishing campaigns distributing trojanized crypto wallets via malicious iOS provisioning profiles. The current campaign, however, introduces new malicious modules and injection techniques, and has been active since at least fall 2025.

“Attackers are evolving faster than ever,” explains Galov. “They are exploiting the same trust model but with better camouflage and wider distribution.”

Wallets Targeted and Regional Spotlight

The phishing apps impersonate major wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. The campaign primarily targets users in China, where official wallet apps are unavailable due to Apple ID regional restrictions.

“Scammers are seizing on the vacuum,” says Kaspersky analyst Anna Sokolova. “When legitimate tools vanish, fake ones rush in.”

What This Means for Users

Anyone who installed a crypto wallet app from the App Store in recent months should immediately verify its authenticity. Officials urge users to check developer names, download counts, and reviews—only install apps from known official publishers.

Kaspersky has reported all 26 identified malicious apps to Apple, and several have already been removed. However, the report warns that similar apps still active may only be awaiting a future update to enable their phishing components.

For a full technical breakdown, see the background section.

If You Suspect Infection

• Immediately uninstall any suspicious wallet app.
• Change all passwords and enable two-factor authentication on your crypto accounts.
• Transfer funds to a new, verified wallet.

“The bottom line: do not trust apps blindly,” says Sokolova. “Even the App Store’s review process can be bypassed with clever stubs.”