Overview
Security researchers have uncovered a major infiltration of Apple’s App Store in China, where 26 malicious apps impersonated popular cryptocurrency wallets like MetaMask, Coinbase, Trust Wallet, and OneKey. The campaign, dubbed FakeWallet and linked to the SparkKitty operation, stole seed phrases and recovery keys to drain victims’ crypto assets.
Key Highlights
- Scope: 26 malicious apps disguised as games or calculators to bypass restrictions in China.
- Technique: Typosquatting and fake branding to mimic legitimate wallets.
- Payload Delivery: Apps redirected users to phishing sites, then sideloaded trojanized wallets via iOS provisioning profiles.
- Seed Phrase Theft: Mnemonic phrases intercepted during wallet setup/recovery, encrypted with RSA, Base64-encoded, and sent to attackers.
- Cold Wallet Exploitation: Fake verification prompts tricked users into entering seed phrases for Ledger wallets.
- Impact: Campaign primarily targeted Chinese users but has no geographic restrictions, meaning global expansion is possible.
- Response: Apple removed all 26 apps after Kaspersky’s disclosure.
Attack Mechanics
- App Store Infiltration: Malicious apps published under false categories (games/calculators).
- Phishing Redirection: Users sent to fake crypto service portals.
- Provisioning Profile Abuse: Legitimate iOS enterprise feature misused to sideload malware.
- Seed Phrase Capture: Trojanized apps intercepted recovery phrases during setup.
- Wallet Drain: Attackers restored wallets on their own devices, stealing funds irreversibly.
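The typosquatting and false-category tricks listed above are the kind of thing an app-store monitoring job can screen for before a listing reaches users. The following is an added example (not code from the article or from Kaspersky): it folds lookalike characters to ASCII, scores each listing name against the wallet brands named in the report, and flags any wallet-like name that is filed under a non-finance category. The lookalike map, the 0.85 threshold and the sample listings are constructed assumptions.

```python
"""Flag app-store listings whose names impersonate known crypto-wallet brands.

Added example (not code from the article or from Kaspersky). The brand list
comes from the wallets named in the report; the lookalike map and the sample
listings are constructed for illustration.
"""
import re
from difflib import SequenceMatcher

# Wallet brands the FakeWallet apps impersonated (from the report).
KNOWN_WALLETS = ["metamask", "coinbase", "trust wallet", "onekey", "ledger"]
SIMILARITY_THRESHOLD = 0.85   # hand-tuned on the samples below (assumption)
EXPECTED_CATEGORY = "finance"  # where a genuine wallet app is expected to be listed

# Characters swapped in for visually similar ASCII letters (constructed list:
# digits/symbols plus a few Cyrillic homoglyphs).
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c", "\u0440": "p",
})


def normalize(name: str) -> str:
    """Lower-case, fold lookalike characters to ASCII, collapse punctuation."""
    folded = name.lower().translate(LOOKALIKES)
    ascii_only = re.sub(r"[^a-z0-9 ]+", " ", folded)
    return re.sub(r"\s+", " ", ascii_only).strip()


def assess_listing(name: str, category: str) -> dict:
    """Score one listing against the brand list and explain why it needs review."""
    norm = normalize(name)
    best_brand, best_score = None, 0.0
    for brand in KNOWN_WALLETS:
        # An exact brand substring ("Metamask Calculator Pro") is a certain hit;
        # otherwise use edit-similarity to catch typos like "Trust Walet".
        score = 1.0 if brand in norm else SequenceMatcher(None, norm, brand).ratio()
        if score > best_score:
            best_brand, best_score = brand, score

    needs_review = best_score >= SIMILARITY_THRESHOLD
    reasons = []
    if needs_review:
        if best_score == 1.0:
            reasons.append(f"name contains wallet brand '{best_brand}'")
        else:
            reasons.append(f"name resembles '{best_brand}' (similarity {best_score:.2f})")
        if any(ord(ch) > 127 for ch in name):
            reasons.append("name uses non-ASCII lookalike characters")
        if category.lower() != EXPECTED_CATEGORY:
            reasons.append(f"wallet-like name listed under '{category}' instead of Finance")
    return {"name": name, "category": category, "needs_review": needs_review,
            "brand": best_brand, "score": round(best_score, 2), "reasons": reasons}


# Constructed listings: three impersonation patterns from the report and one benign game.
SAMPLE_LISTINGS = [
    ("Metamask Calculator Pro", "Utilities"),  # brand name hidden in a "calculator"
    ("Coinb\u0430se Wallet", "Finance"),       # Cyrillic 'а' in place of Latin 'a'
    ("Trust Walet", "Games"),                  # typosquat listed as a game
    ("Puzzle Blocks", "Games"),                # unrelated, should pass
]


def triage(listings=SAMPLE_LISTINGS) -> list:
    return [assess_listing(name, category) for name, category in listings]


if __name__ == "__main__":
    for result in triage():
        flag = "REVIEW" if result["needs_review"] else "ok    "
        print(f"{flag} {result['name']!r}: {'; '.join(result['reasons']) or 'no brand overlap'}")
```

A hit is a review queue entry, not a verdict: the genuine MetaMask listing scores 1.0 too, and is cleared by confirming the publisher, which is exactly the check the guidance below asks users to make.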
Risks to Users
- Irreversible Loss: Seed phrases give attackers full wallet control; stolen funds cannot be recovered.
- Global Threat Potential: Although focused on China, the malware can target users worldwide.
- App Store Trust Gap: Shows that even official app stores can be infiltrated.
Defensive Guidance
- Verify Publishers: Always confirm app publishers, even on official stores.
- Download from Official Links: Use wallet providers’ websites for app downloads.
- Beware of Provisioning Profiles: Avoid installing profiles unless they come from a trusted enterprise source such as your own organization’s device management.
- Cold Wallet Hygiene: Never enter a hardware wallet’s seed phrase into an app or on-screen “verification” prompt; only use official hardware/software, where a cold wallet’s seed is entered on the device itself.
- Stay Updated: Follow disclosures from trusted security vendors like Kaspersky.
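The provisioning-profile advice is easier to follow when the profile can be read before it is trusted. The following is an added example (not code from the article or from Kaspersky) that triages the plist payload of an iOS provisioning profile: it classifies the profile as enterprise, ad-hoc/development or App Store from the keys Apple uses to scope installs, checks expiry and the entitlements' team prefix, and returns findings a reviewer can act on. It assumes the payload has already been unwrapped from its CMS signature (on macOS, `security cms -D -i profile.mobileprovision` prints it); the two payloads, team names, identifiers and device UDID are constructed placeholders.

```python
"""Triage the plist payload of an iOS provisioning profile before trusting it.

Added example, not code from the article or from Kaspersky. The two payloads
below are constructed; a real one is the plist that `security cms -D -i
profile.mobileprovision` prints on macOS once the CMS signature is removed.
"""
import plistlib
from datetime import datetime, timezone

# Fixed reference time so the sample run is reproducible (assumption).
REFERENCE_NOW = datetime(2025, 6, 1)


def classify(profile: dict) -> str:
    """Distribution type, read from the two keys Apple uses to scope installs."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # in-house distribution: installs on any device
    if profile.get("ProvisionedDevices"):
        return "ad-hoc/development"  # limited to the listed device UDIDs
    return "app-store"               # neither key present


def triage_profile(payload: bytes, now: datetime = None) -> dict:
    """Return the facts a reviewer needs plus a list of findings worth escalating."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # plist dates are naive UTC
    profile = plistlib.loads(payload)
    kind = classify(profile)
    team_ids = profile.get("TeamIdentifier", [])
    entitlements = profile.get("Entitlements", {})
    expires = profile.get("ExpirationDate")
    findings = []

    if kind == "enterprise":
        findings.append(
            f"enterprise distribution profile from '{profile.get('TeamName')}' "
            f"({', '.join(team_ids)}): installs on any device, the mechanism the "
            "FakeWallet sideloading relied on")
    elif kind == "ad-hoc/development":
        findings.append(f"profile is restricted to {len(profile['ProvisionedDevices'])} device(s)")

    expired = bool(expires and expires < now)
    if expired:
        findings.append(f"profile expired on {expires:%Y-%m-%d}")

    if entitlements.get("get-task-allow"):
        findings.append("get-task-allow is set: debugger-attachable development build")

    # The app identifier must be prefixed by one of the profile's team IDs.
    app_id = entitlements.get("application-identifier", "")
    prefix = app_id.split(".", 1)[0]
    if prefix and prefix not in team_ids:
        findings.append(f"application-identifier prefix '{prefix}' does not match TeamIdentifier")

    return {"name": profile.get("Name"), "team": profile.get("TeamName"),
            "kind": kind, "expired": expired, "findings": findings}


# Constructed payloads (team names, IDs and the UDID are placeholders).
ENTERPRISE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Wallet In-House Distribution</string>
  <key>TeamName</key><string>EXAMPLE ENTERPRISE LTD</string>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2026-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>EXAMPLE123.com.example.wallet</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>"""

DEV_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Wallet Dev</string>
  <key>TeamName</key><string>EXAMPLE DEV TEAM</string>
  <key>TeamIdentifier</key><array><string>DEVTEAM456</string></array>
  <key>ProvisionedDevices</key><array><string>00000000-000000000000000A</string></array>
  <key>ExpirationDate</key><date>2024-12-31T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>DEVTEAM456.com.example.wallet</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict></plist>"""


def run_samples(now: datetime = REFERENCE_NOW) -> list:
    return [triage_profile(ENTERPRISE_PAYLOAD, now), triage_profile(DEV_PAYLOAD, now)]


if __name__ == "__main__":
    for report in run_samples():
        print(f"{report['name']} [{report['kind']}]")
        for finding in report["findings"]:
            print("  -", finding)
```

The enterprise classification is the one that matters for this campaign: a consumer wallet arriving through an in-house profile from a team the user has never heard of is the pattern described in Attack Mechanics, and on the device the installed profile can be reviewed under Settings > General > VPN & Device Management before any app from it is opened.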
Final Thought
The FakeWallet campaign highlights how attackers exploit trust in official app stores to steal cryptocurrency. By abusing provisioning profiles and mimicking legitimate wallets, they bypass traditional defenses and target unsuspecting users. For crypto holders, the lesson is clear: seed phrases are sacred — never share them outside official, verified channels.