App Store search results for “Ledger Wallet”
A sophisticated new mobile threat is stalking the Apple App Store, preying on cryptocurrency users through a clever mix of deception and technical manipulation. In a detailed report released in March 2026, Kaspersky Labs revealed the discovery of over twenty phishing applications designed to look like popular crypto wallets.
These malicious apps have been “flying under the radar since at least the fall of 2025”.
The campaign has primarily targeted users in China, where many official crypto wallet apps are unavailable due to regional policy restrictions. Attackers have seized this opportunity by launching fake apps using icons that mirror the originals and names with intentional typos—a tactic known as typosquatting—to slip past App Store filters.
To make the deception even more convincing, these phishing apps often feature “stubs”—functional placeholders like games, calculators, or task planners—designed to make the app appear authentic to reviewers and users alike.
Once a user launches one of these placeholder apps, the true attack begins. The report notes:
“Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets”.
By abusing enterprise provisioning profiles, attackers can bypass standard iOS restrictions to install infected versions of major wallets like MetaMask, Coinbase, Trust Wallet, and Ledger. These infected apps are “specifically engineered to hijack recovery phrases and private keys”.
The “FakeWallet” Trojan employs different methods depending on the type of wallet it is targeting:
- Hot Wallets: The malware uses library injection to hijack the RecoveryPhraseViewController. It then “scrapes the mnemonics directly from the corresponding screens, encrypts them, and beams them back to the C2 server”.
- Cold Wallets: Since hardware wallet keys stay offline, attackers resort to “old-school phishing”. They display fake security notifications within the app that prompt users to enter their seed phrase for a “security check”.
The “FakeWallet” campaign demonstrates how attackers are evolving their tactics to bypass the perceived security of the Apple ecosystem. Kaspersky researchers emphasize that the technical restrictions of iOS make it difficult to detect such malicious software directly on a device.
To stay safe, users are advised to only download wallets from official developer websites, avoid installing unknown provisioning profiles, and never enter a seed phrase for a cold wallet into any mobile application. “The same crypto-theft scheme is gaining momentum again,” Kaspersky warns, and vigilance remains the best defense.
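The installation vector described above is an enterprise (in-house) provisioning profile. As an added illustration, not code from the Kaspersky report or this article, the following Python triages the plist inside a `.mobileprovision` file (on macOS, `security cms -D -i profile.mobileprovision` prints it): it flags profiles that provision all devices, teams outside an allowlist, debuggable builds and expiry. The profile contents, team identifier and bundle ID are constructed placeholders.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample (all values made up): the plist that
# `security cms -D -i profile.mobileprovision` prints for an in-house
# enterprise distribution profile. ProvisionsAllDevices=true is the marker
# of a profile that installs on any device without App Store review.
SAMPLE_ENTERPRISE_PROFILE = plistlib.dumps({
    "Name": "Wallet Internal Distribution",
    "TeamName": "Example Corp (placeholder)",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.wallet",
        "get-task-allow": False,
    },
    "CreationDate": datetime(2025, 9, 1),
    "ExpirationDate": datetime(2026, 9, 1),
})

# Fixed reference time so results are reproducible (plistlib yields naive UTC datetimes).
REFERENCE_TIME = datetime(2026, 3, 15)


def triage_profile(raw: bytes, trusted_teams=(), now=None) -> dict:
    """Classify a decoded .mobileprovision plist and list review findings."""
    p = plistlib.loads(raw)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    teams = list(p.get("TeamIdentifier", []))
    ent = p.get("Entitlements", {})
    enterprise = bool(p.get("ProvisionsAllDevices", False))
    findings = []
    if enterprise:
        findings.append("enterprise profile: installs on any device without App Store review")
    elif "ProvisionedDevices" in p:
        findings.append(f"ad-hoc profile limited to {len(p['ProvisionedDevices'])} device(s)")
    if teams and not any(t in trusted_teams for t in teams):
        findings.append(f"team {teams} is not on the trusted list")
    if ent.get("get-task-allow"):
        findings.append("get-task-allow is set: debuggable development build")
    exp = p.get("ExpirationDate")
    if exp is not None and exp < now:
        findings.append("profile has expired")
    return {
        "name": p.get("Name"),
        "app_id": ent.get("application-identifier"),
        "teams": teams,
        "enterprise": enterprise,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage_profile(SAMPLE_ENTERPRISE_PROFILE, now=REFERENCE_TIME)["findings"]:
        print("-", line)
```

A profile for a wallet that should only ever ship through the App Store has no business provisioning all devices, so the first finding alone is enough to reject it.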