FakeWallet Malware: How Phony iOS Apps Are Stealing Crypto Recovery Phrases

<h2>Introduction: A Growing Threat in the iOS Ecosystem</h2> <p>In early 2026, cybersecurity researchers uncovered a campaign targeting cryptocurrency users through the Apple App Store. More than twenty malicious applications were found masquerading as well-known crypto wallet apps. Once installed, these apps redirect users to browser pages that closely mimic the App Store interface and serve trojanized versions of legitimate wallet software. The malware's primary goal is to steal recovery phrases and private keys. A recovery phrase is the wallet's master secret: every key is derived from it, so whoever holds it can rebuild the wallet on their own device and sign transactions, and the victim has no way to revoke or rotate it. Metadata in the malware suggests the operation has been active since at least the autumn of 2025, operating under the radar.</p><figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/20105354/10ad14ce5b0c948208d1485709760bde_f7c9c613-6eb1-4e66-991c-583d50e53865-1-scaled.jpg" alt="FakeWallet Malware: How Phony iOS Apps Are Stealing Crypto Recovery Phrases" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure> <h2>Historical Context and Evolution</h2> <p>This is not an entirely new phenomenon. In 2022, ESET researchers identified trojanized crypto wallets distributed through phishing websites. Those attacks abused iOS provisioning profiles to sideload the malware outside the App Store, successfully stealing recovery phrases from major hot wallets such as MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Now, four years later, the same criminal strategy is resurgent with enhanced capabilities. 
The latest variant includes new malicious modules, improved injection techniques, and a more effective distribution method: fake apps hosted directly on the App Store.</p> <h2>Technical Details of the FakeWallet Campaign</h2> <h3>Discovery and Initial Findings</h3> <p>In March 2026, security analysts observed a wave of phishing apps dominating search results in the Chinese App Store. These apps were disguised as popular cryptocurrency wallets. Because of regional restrictions, users whose Apple IDs are set to the Chinese region cannot install many official crypto wallet apps directly. Cybercriminals exploit this gap with fake apps that reuse the originals' icons and carry names with deliberate typos (typosquatting). A name that differs by a character or two slips past an exact-match filter in the App Store, while a user scanning search results sees the familiar icon and does not notice the altered spelling.</p> <h3>Deceptive Design and Functionality</h3> <p>Some of these phishing apps featured names and icons completely unrelated to cryptocurrency. However, their promotional banners falsely claimed that the official wallet was <strong>"unavailable in the App Store"</strong> and directed users to download it through the app instead. 
This bait-and-switch tactic lures victims into a false sense of security.</p> <p>During the investigation, researchers identified <strong>26 phishing apps</strong> imitating the following major wallets:</p><figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/20105354/10ad14ce5b0c948208d1485709760bde_f7c9c613-6eb1-4e66-991c-583d50e53865-1-800x450.jpg" alt="FakeWallet Malware: How Phony iOS Apps Are Stealing Crypto Recovery Phrases" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure> <ul> <li>MetaMask</li> <li>Ledger</li> <li>Trust Wallet</li> <li>Coinbase</li> <li>TokenPocket</li> <li>imToken</li> <li>Bitpie</li> </ul> <p>All findings were promptly reported to Apple, and several of the malicious apps have already been removed from the store. Additionally, a number of similar apps were discovered that did not yet exhibit phishing functionality but showed strong links to the same threat actors. It is highly probable that their malicious features are merely deactivated and could be enabled in a future update.</p> <h3>The Role of Stub Applications</h3> <p>To further mask their true purpose, the phishing apps incorporated stubs—functional placeholders that mimic a legitimate service. These stubs could take the form of a simple game, a calculator, or a task planner. This design makes the app appear authentic upon first launch, reducing suspicion and increasing the likelihood that users will continue engaging with it long enough for the malware to execute its payload.</p> <h2>Detection and Protection</h2> <p>Kaspersky products detect this threat under the names <strong>HEUR:Trojan-PSW.IphoneOS.FakeWallet.*</strong> and <strong>HEUR:Trojan.IphoneOS.FakeWallet.*</strong>. 
Users are advised to install wallet apps only by following the link from the wallet developer's official website to its App Store listing, to check the developer name shown on that listing, and to look closely at names with typos or icons that are not quite the original. Two-factor authentication protects exchange accounts, but it does nothing for a self-custody wallet whose recovery phrase has been typed into a phishing app: the phrase alone is enough to drain the wallet, and it cannot be rotated afterwards. A recovery phrase should never be entered into an app or web page except when deliberately restoring a wallet you created yourself, and large holdings belong on a hardware wallet so that the key never touches the phone.</p> <h2>Conclusion</h2> <p>The resurgence of the FakeWallet campaign demonstrates that cybercriminals are continuously refining their methods to exploit the trust users place in official app stores. As the crypto ecosystem grows, so does the ingenuity of attackers. Staying informed and vigilant is the best defense against these evolving threats.</p>
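The typosquatting described under Discovery and Initial Findings is something an app-vetting or brand-monitoring team can check for mechanically. The following is an added example written for this article, not code from Kaspersky, Apple or any wallet vendor. It normalizes listing names (case, whitespace, punctuation, accents and a small assumed table of look-alike characters such as Cyrillic а or the digit 0) and scores them against the wallet names listed above with an edit distance that counts adjacent-character swaps and also slides over substrings, so a brand buried in a longer name still matches. The listing names in LISTINGS are constructed test data; the confusables table and the distance thresholds are assumptions.

```python
"""Flag App Store listing names that typosquat or homoglyph-clone known wallet brands.

Added example, not Kaspersky's or Apple's code. WATCHLIST is the set of wallet
names from the article; LISTINGS is constructed test data, not real store data.
"""
import unicodedata
from dataclasses import dataclass
from typing import Optional

WATCHLIST = ["MetaMask", "Ledger", "Trust Wallet", "Coinbase",
             "TokenPocket", "imToken", "Bitpie"]

# Visually similar characters an attacker can swap in so the name still reads
# correctly while an exact-string filter no longer matches. Assumed subset,
# not a complete Unicode confusables table.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0456": "i",                  # Cyrillic с х і
    "\u03bf": "o",                                                # Greek omicron
    "\u0131": "i",                                                # dotless i
}


def normalize(name: str, fold_confusables: bool = True) -> str:
    """Lower-case, drop accents, whitespace and punctuation, optionally map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue  # accent marks split off by NFKD ("é" -> "e")
        ch = ch.lower()
        if fold_confusables:
            ch = CONFUSABLES.get(ch, ch)
        if ch.isalnum():
            out.append(ch)
    return "".join(out)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters each cost 1, so "metamsak" is 1 away from "metamask"."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def fuzzy_distance(hay: str, needle: str) -> int:
    """Smallest distance between needle and either all of hay or any substring of
    hay within one character of needle's length, so "ledgarwallet" scores 1
    against "ledger" instead of being hidden by the extra word."""
    best = osa_distance(hay, needle)
    for width in (len(needle) - 1, len(needle), len(needle) + 1):
        if width <= 0 or width > len(hay):
            continue
        for start in range(len(hay) - width + 1):
            best = min(best, osa_distance(hay[start:start + width], needle))
    return best


@dataclass
class Verdict:
    listing: str
    brand: Optional[str]
    kind: str  # exact | homoglyph | brand-embedded | near-miss | none
    distance: int
    confusables_used: bool


def classify(listing: str, watchlist=WATCHLIST) -> Verdict:
    """Match one listing name against the watchlist and label how it collides."""
    if not watchlist:
        raise ValueError("empty watchlist")
    norm = normalize(listing)
    confusables_used = norm != normalize(listing, fold_confusables=False)
    best_brand, best_dist = None, None
    for brand in watchlist:  # first brand wins ties, hence strict <
        dist = fuzzy_distance(norm, normalize(brand))
        if best_dist is None or dist < best_dist:
            best_brand, best_dist = brand, dist
    bnorm = normalize(best_brand)
    threshold = 1 if len(bnorm) <= 7 else 2  # assumed: short brands tolerate one edit
    if best_dist == 0 and norm == bnorm:
        kind = "homoglyph" if confusables_used else "exact"
    elif best_dist == 0:
        kind = "brand-embedded"  # brand plus extra words, e.g. "... Pro"
    elif best_dist <= threshold:
        kind = "near-miss"       # the typosquat case from the article
    else:
        return Verdict(listing, None, "none", best_dist, confusables_used)
    return Verdict(listing, best_brand, kind, best_dist, confusables_used)


# Constructed listing names for the demo; "MetaM\u0430sk" uses a Cyrillic а.
LISTINGS = ["MetaMask", "MetaM\u0430sk", "Trust Walet", "Ledgar Wallet",
            "T0kenPocket Pro", "Coinbase Wallet", "Sudoku Daily"]


def scan(listings=LISTINGS, watchlist=WATCHLIST):
    """Return verdicts for every listing whose name collides with a watched brand."""
    return [v for v in (classify(n, watchlist) for n in listings) if v.kind != "none"]


if __name__ == "__main__":
    for v in scan():
        print(f"{v.listing!r:20} -> {v.kind:15} brand={v.brand} "
              f"dist={v.distance} confusables={v.confusables_used}")
```

An exact or brand-embedded verdict is not evidence of impersonation on its own, since the genuine apps match the same way; it marks listings whose developer identity has to be checked against the vendor's website. The near-miss and homoglyph classes are the pattern the article describes and are the ones worth escalating.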