FakeWallet crypto stealer spreading through iOS apps in the App Store

In March 2026, security researchers identified a significant campaign involving over twenty phishing applications distributed via the Apple App Store, targeting cryptocurrency users. Dubbed FakeWallet, this malware masquerades as legitimate crypto wallet applications, such as MetaMask and Ledger, specifically targeting users in regions with restrictions like China. Upon execution, the apps redirect victims to malicious sites utilizing iOS enterprise provisioning profiles to install trojanized wallet versions. This technique allows attackers to hijack recovery phrases and private keys, facilitating direct financial theft. While some apps were removed following reports to Apple, others remain dormant with malicious features toggled via updates. Users are advised to verify app developers strictly, avoid sideloading via profiles, and monitor App Store listings for typosquatting attempts. This campaign highlights the evolving risk of supply chain compromises within official mobile repositories.

In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets.

In March 2026, security researchers identified a significant campaign involving over twenty phishing applications distributed via the Apple App Store, targeting cryptocurrency users. Dubbed FakeWallet, this malware masquerades as legitimate crypto wallet applications, such as MetaMask and Ledger, specifically targeting users in regions with restrictions like China. Upon execution, the apps redirect victims to malicious sites utilizing iOS enterprise provisioning profiles to install trojanized wallet versions. This technique allows attackers to hijack recovery phrases and private keys, facilitating direct financial theft. While some apps were removed following reports to Apple, others remain dormant with malicious features toggled via updates. Users are advised to verify app developers strictly, avoid sideloading via profiles, and monitor App Store listings for typosquatting attempts. This campaign highlights the evolving risk of supply chain compromises within official mobile repositories. In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets. The infected apps are specifically engineered to hijack recovery phrases and private keys. Metadata from the malware suggests this campaign has been flying under the radar since at least the fall of 2025. We’ve seen this happen before. Back in 2022, ESET researchers spotted compromised crypto wallets distributed through phishing sites. By abusing iOS provisioning profiles to install malware, attackers were able to steal recovery phrases from major hot wallets like Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Fast forward four years, and the same crypto-theft scheme is gaining momentum again, now featuring new malicious modules, updated injection techniques, and distribution through phishing apps in the App Store. Kaspersky products detect this threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*. Technical details Background This past March, we noticed a wave of phishing apps topping the search results in the Chinese App Store, all disguised as popular crypto wallets. Because of regional restrictions, many official crypto wallet apps are currently unavailable to users in China, specifically if they have their Apple ID set to the Chinese region. Scammers are jumping on this opportunity. They’ve launched fake apps using icons that mirror the originals and names with intentional typos – a tactic known as typosquatting – to slip past App Store filters and increase their chances of deceiving users. App Store search results for “Ledger Wallet” (formerly Ledger Live) In some instances, the app names and icons had absolutely nothing to do with cryptocurrency. However, the promotional banners for these apps claimed that the official wallet was “unavailable in the App Store” and directed users to download it through the app instead. Promotional screenshots from apps posing as the official TokenPocket app During our investigation, we identified 26 phishing apps in the App Store mimicking the following major wallets: MetaMask Ledger Trust Wallet Coinbase TokenPocket imToken Bitpie We’ve reported all of these findings to Apple, and several of the malicious apps have already been pulled from the store. We also identified several similar apps that didn’t have any phishing functionality yet, but showed every sign of being linked to the same threat actors. It’s highly likely that the malicious features were simply waiting to be toggled on in a future update. The phishing apps featured stubs – functional placeholders that mimicked a legitimate service – designed to make the app appear authentic. The stub could be a game, a calculator, or a task planner. However, once you launched the app, it would open a malicious link in your browser. This link kicks off a scheme leveraging provisioning profiles to install infected versions of crypto wallets onto the victim’s device. This technique isn’t exclusive to FakeWallet; other iOS threats, like SparkKitty , use similar methods. These profiles come in a few flavors, one of them being enterprise provisioning profiles. Apple designed these so companies could create and deploy internal apps to employees without going through the App Store or hitting device limits. Enterprise provisioning profiles are a favorite tool for makers of software cracks, cheats, online casinos, pirated mods of popular apps, and malware. An infected wallet and its corresponding profile used for the installation process The attackers have churned out a wide variety of malicious modules, each tailored to a specific wallet. In most cases, the malware is delivered via a...