Tags: malware, high, Crypto Stealer, Phishing, Trojan, FakeWallet

Apr 20, 2026 • Sergey Puzan

FakeWallet crypto stealer spreading through iOS apps in the App Store


Source: Kaspersky Securelist
Category: malware
Severity: high

Executive Summary

In March 2026, security researchers identified a campaign distributing the FakeWallet malware through phishing apps on the Apple App Store, specifically targeting users whose Apple ID is set to the Chinese region. Over twenty malicious apps masquerading as legitimate cryptocurrency wallets (e.g., MetaMask, Ledger, Trust Wallet) were discovered. The apps use typosquatted names and copied icons to get listed, plus deceptive promotional banners claiming the official wallet is "unavailable in the App Store"; once launched, they open external pages that distribute trojanized wallet versions. The installation chain abuses enterprise iOS provisioning profiles to sideload apps outside the App Store, delivering malicious modules designed to hijack recovery phrases and private keys. Kaspersky detects this threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*. The campaign has been active since at least fall 2025 and poses a critical financial risk to crypto users. Mitigation involves verifying app developers, refusing to install externally supplied provisioning profiles, and monitoring iOS devices for unauthorized provisioning profiles. Users should only download wallets from official vendor websites. Apple has removed several of the identified apps.

Summary

In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets.

Published Analysis

In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look like the App Store and distribute trojanized versions of legitimate wallets. The infected apps are specifically engineered to hijack recovery phrases and private keys. Metadata from the malware suggests this campaign has been flying under the radar since at least the fall of 2025.

We've seen this happen before. Back in 2022, ESET researchers spotted compromised crypto wallets distributed through phishing sites.
By abusing iOS provisioning profiles to install malware, attackers were able to steal recovery phrases from major hot wallets like MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Fast forward four years, and the same crypto-theft scheme is gaining momentum again, now featuring new malicious modules, updated injection techniques, and distribution through phishing apps in the App Store.

Kaspersky products detect this threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*.

Technical details

Background

This past March, we noticed a wave of phishing apps topping the search results in the Chinese App Store, all disguised as popular crypto wallets. Because of regional restrictions, many official crypto wallet apps are currently unavailable to users in China, specifically if they have their Apple ID set to the Chinese region. Scammers are jumping on this opportunity. They've launched fake apps using icons that mirror the originals and names with intentional typos – a tactic known as typosquatting – to slip past App Store filters and increase their chances of deceiving users.

(Image: App Store search results for “Ledger Wallet” (formerly Ledger Live))

In some instances, the app names and icons had absolutely nothing to do with cryptocurrency. However, the promotional banners for these apps claimed that the official wallet was “unavailable in the App Store” and directed users to download it through the app instead.

(Image: Promotional screenshots from apps posing as the official TokenPocket app)

During our investigation, we identified 26 phishing apps in the App Store mimicking the following major wallets:

  • MetaMask
  • Ledger
  • Trust Wallet
  • Coinbase
  • TokenPocket
  • imToken
  • Bitpie

We've reported all of these findings to Apple, and several of the malicious apps have already been pulled from the store.
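The typosquatting described above (look-alike names with a typo, swapped digits for letters, or full-width characters) can be screened for mechanically when reviewing App Store search exports. The following is an added example, not code from the Securelist write-up or from Kaspersky: it normalizes listing names (Unicode compatibility folding, a homoglyph map, stripping of punctuation) and scores them against the wallet brands named in the report with an edit distance that counts adjacent transpositions as one edit. The homoglyph map, the distance thresholds and the sample listings are constructed assumptions to tune against real data.

```python
"""Screen App Store listing names for typosquats of known wallet brands.

Added example (not the Securelist authors' code). Brand list taken from the
report; the homoglyph map, thresholds and SAMPLE_LISTINGS are assumptions.
"""
import re
import unicodedata

# Wallet brands named in the report as being impersonated.
KNOWN_WALLETS = ["MetaMask", "Ledger Wallet", "Trust Wallet", "Coinbase Wallet",
                 "TokenPocket", "imToken", "Bitpie"]

# Assumed map of characters commonly substituted for Latin letters in app names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "|": "l"})


def normalize(name: str) -> str:
    """Fold a listing name to a comparable key.

    NFKD turns full-width/compatibility forms (e.g. 'Ｍ') into ASCII, combining
    marks (accents) are dropped, digits/symbols are mapped to the letters they
    imitate, and anything left that is not [a-z0-9] is removed. Non-Latin
    look-alikes (e.g. Cyrillic 'а') do not decompose to Latin and are dropped,
    which still leaves the name within one or two edits of the brand.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", stripped.lower().translate(HOMOGLYPHS))


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    transpose two adjacent characters, each at cost 1 (so 'metamsak' is one
    edit from 'metamask', not two)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def allowed_edits(reference: str) -> int:
    """Assumed threshold: one edit for short brand keys, two for longer ones,
    so that a different six-letter brand is not flagged as a squat."""
    return 1 if len(reference) < 10 else 2


def match_brand(app_name: str, brands=KNOWN_WALLETS):
    """Return (brand, verdict, distance) for the closest brand, or None.

    'exact'     - listing name is byte-for-byte the brand string (still verify the developer)
    'lookalike' - differs only by case, spacing, accents or homoglyphs
    'typosquat' - within the allowed number of edits after normalization
    """
    key = normalize(app_name)
    brand, distance = min(((b, edit_distance(key, normalize(b))) for b in brands),
                          key=lambda pair: pair[1])
    if distance > allowed_edits(normalize(brand)):
        return None
    if app_name == brand:
        verdict = "exact"
    elif distance == 0:
        verdict = "lookalike"
    else:
        verdict = "typosquat"
    return brand, verdict, distance


# Constructed sample of listing names, not real App Store data.
SAMPLE_LISTINGS = ["MetaMask", "MetaMsak", "Trust Wa11et", "imT0ken",
                   "Ｌedger Ｗallet", "Notes Planner"]


def triage(listings):
    """Return [(listing, brand, verdict, distance)] for every listing that
    resembles a known wallet brand, skipping exact matches."""
    results = []
    for name in listings:
        hit = match_brand(name)
        if hit and hit[1] != "exact":
            results.append((name, *hit))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LISTINGS):
        print(row)
```

Anything that comes back as "lookalike" or "typosquat" is a candidate for the manual check the report recommends: compare the developer account against the vendor's own published App Store link rather than trusting the name or icon.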
We also identified several similar apps that didn't have any phishing functionality yet, but showed every sign of being linked to the same threat actors. It's highly likely that the malicious features were simply waiting to be toggled on in a future update.

The phishing apps featured stubs – functional placeholders that mimicked a legitimate service – designed to make the app appear authentic. The stub could be a game, a calculator, or a task planner. However, once you launched the app, it would open a malicious link in your browser. This link kicks off a scheme leveraging provisioning profiles to install infected versions of crypto wallets onto the victim's device. This technique isn't exclusive to FakeWallet; other iOS threats, like SparkKitty, use similar methods.

These profiles come in a few flavors, one of them being enterprise provisioning profiles. Apple designed these so companies could create and deploy internal apps to employees without going through the App Store or hitting device limits. Enterprise provisioning profiles are a favorite tool for makers of software cracks, cheats, online casinos, pirated mods of popular apps, and malware.

(Image: An infected wallet and its corresponding profile used for the installation process)

Malicious modules for hot wallets

The attackers have churned out a wide variety of...
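The installation chain above hinges on an enterprise (in-house) provisioning profile, and the mitigation in the executive summary is to monitor devices for profiles that should not be there. The following is an added example, not code from the Securelist write-up or from Kaspersky, of how a responder might triage exported .mobileprovision files (from a device, an MDM export, or the embedded.mobileprovision inside an IPA). A real profile is a CMS/PKCS#7 DER blob wrapping an XML plist; the example pulls the plist out by locating its markers (the usual quick triage trick) and classifies it using the standard keys: ProvisionsAllDevices marks in-house enterprise distribution, ProvisionedDevices marks ad hoc or development profiles (split by the get-task-allow entitlement), and neither marks an App Store profile. It does not verify the CMS signature; do that separately with `openssl smime -verify` or `security cms -D`. The team allowlist, the wildcard-app-ID heuristic and both sample profiles are constructed assumptions.

```python
"""Triage iOS provisioning profiles and flag enterprise ones that should not be on a device.

Added example, not the Securelist authors' code. ENTERPRISE_TEAMS_ALLOWLIST,
the wildcard heuristic and the SAMPLE_* profiles are assumptions/constructed.
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"

# Assumed: team names your organisation legitimately uses for in-house apps.
ENTERPRISE_TEAMS_ALLOWLIST = {"Example Corp MDM"}


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .mobileprovision blob.
    This locates the plist by its markers and does NOT check the CMS signature."""
    start = blob.find(PLIST_START)
    end = blob.find(PLIST_END, start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Classify a parsed profile and list the reasons it deserves a look."""
    # plistlib returns naive UTC datetimes, so compare against a naive UTC 'now'.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    ents = profile.get("Entitlements", {})

    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"          # in-house distribution: runs on any device
    elif "ProvisionedDevices" in profile:
        kind = "development" if ents.get("get-task-allow") else "adhoc"
    else:
        kind = "appstore"

    app_id = ents.get("application-identifier", "")
    team = profile.get("TeamName", "")
    expiry = profile.get("ExpirationDate")
    expired = bool(expiry and expiry < now)

    reasons = []
    if kind == "enterprise" and team not in ENTERPRISE_TEAMS_ALLOWLIST:
        reasons.append("enterprise profile from a team not in the allowlist")
    if app_id.endswith(".*"):
        # Heuristic (assumption): a wildcard app ID lets one profile sign any bundle,
        # which suits mass-produced trojanized apps and is rare for a single in-house app.
        reasons.append("wildcard application-identifier")
    if expired:
        reasons.append("profile expired; apps signed with it no longer launch")

    return {"kind": kind, "team": team, "app_id": app_id, "name": profile.get("Name", ""),
            "uuid": profile.get("UUID", ""), "expired": expired, "reasons": reasons}


def triage_blob(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Convenience wrapper: raw .mobileprovision bytes in, verdict dict out."""
    return classify_profile(extract_plist(blob), now)


# ---- constructed samples (not real profiles) ---------------------------------
SAMPLE_ENTERPRISE = {
    "AppIDName": "Wallet",
    "ApplicationIdentifierPrefix": ["ABCDE12345"],
    "CreationDate": datetime(2025, 10, 1),
    "Platform": ["iOS"],
    "Entitlements": {"application-identifier": "ABCDE12345.*",
                     "get-task-allow": False,
                     "com.apple.developer.team-identifier": "ABCDE12345"},
    "ExpirationDate": datetime(2026, 10, 1),
    "Name": "Wallet In-House",
    "ProvisionsAllDevices": True,
    "TeamIdentifier": ["ABCDE12345"],
    "TeamName": "Constructed Trading Co",
    "UUID": "11111111-2222-3333-4444-555555555555",
    "Version": 1,
}
SAMPLE_APPSTORE = {
    "AppIDName": "Example App",
    "Entitlements": {"application-identifier": "FGHIJ67890.com.example.app",
                     "get-task-allow": False},
    "ExpirationDate": datetime(2027, 1, 1),
    "Name": "Example App Store Profile",
    "TeamName": "Example Developer",
    "UUID": "66666666-7777-8888-9999-000000000000",
    "Version": 1,
}


def make_sample(profile: dict) -> bytes:
    """Stand-in for a CMS wrapper: opaque bytes around the XML plist, as found
    in a real .mobileprovision (the real prefix is a PKCS#7 SignedData header)."""
    return b"\x30\x82\x0a\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" \
        + plistlib.dumps(profile) + b"\x00" * 16


if __name__ == "__main__":
    for sample in (SAMPLE_ENTERPRISE, SAMPLE_APPSTORE):
        print(triage_blob(make_sample(sample)))
```

On a managed fleet the same classification can be run over the profile inventory the MDM reports; on an unmanaged device the equivalent manual check is the list under Settings > General > VPN & Device Management, where any enterprise profile the user did not knowingly install for their employer is the signal the report's mitigation is pointing at.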

Linked Entities

  • FakeWallet