Published on April 25, 2026

26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases
Severity
Medium

Detail

Cybersecurity researchers have identified a large-scale campaign involving 26 malicious applications, collectively named FakeWallet, distributed through the Apple App Store. These apps impersonate well-known cryptocurrency wallets to steal sensitive data such as recovery phrases and private keys.

The campaign, uncovered by Kaspersky, has been active since at least late 2025 and primarily targets users whose Apple accounts are set to China. The fake apps mimic popular wallets like Coinbase, MetaMask, Ledger, and Trust Wallet. Many of these apps have since been removed following disclosure.

These malicious apps use deceptive tactics such as slightly altered names (e.g., typos like “LeddgerNew”) and misleading icons to trick users into installing them. In some cases, the apps appear unrelated to cryptocurrency (e.g., games or utilities) but redirect users to phishing pages or prompt installation of trojanized wallet versions.

Once installed, the apps aim to capture users’ mnemonic seed phrases, either by intercepting input during wallet setup or by displaying fake verification pages that request sensitive information. The stolen data is then exfiltrated to attacker-controlled servers, giving the attackers full control over victims’ crypto wallets and enabling fund theft.

Some variants also include advanced features such as optical character recognition (OCR) to extract seed phrases from screenshots or images, indicating a high level of sophistication. Researchers suspect links to earlier campaigns like SparkKitty due to similarities in techniques and targeting patterns.

How?

The attack chain involves multiple deceptive and technical steps:

  • Malicious apps are published on the Apple App Store, targeting specific regions (e.g., China)
  • Apps impersonate legitimate wallets or disguise themselves as unrelated tools
  • Users are redirected to phishing pages or prompted to install trojanized wallet apps
  • Malicious code captures recovery phrases via input interception or fake verification prompts
  • In some cases, OCR is used to extract seed phrases from images or screenshots
  • Stolen data is transmitted to attacker-controlled servers
  • Attackers use the recovered credentials to access wallets and steal funds
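As an added defender-side illustration (not part of the advisory or Kaspersky's research), the check below flags store listings whose names exactly collide with, or typosquat, the wallet brands named above, the pattern behind "LeddgerNew". The developer identifiers and the sample listings are constructed placeholders; replace them with the publisher shown on each wallet's official listing.

```python
"""Flag App Store listings that impersonate or typosquat known crypto wallets."""
from __future__ import annotations
import re

# Brands named in the advisory. Developer identifiers are CONSTRUCTED placeholders.
OFFICIAL = {
    "Coinbase": "coinbase-official-dev",
    "MetaMask": "metamask-official-dev",
    "Ledger": "ledger-official-dev",
    "Trust Wallet": "trust-wallet-official-dev",
}
# Filler tokens lookalikes tend to append ("LeddgerNew"); dropped before comparing (assumption).
FILLER = {"new", "app", "pro", "official", "plus", "lite"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Split camel case, lower-case, keep alphanumerics, drop filler tokens."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", name)  # "LeddgerNew" -> "Leddger New"
    tokens = re.findall(r"[a-z0-9]+", spaced.lower())
    return "".join(t for t in tokens if t not in FILLER)


def classify(app_name: str, developer: str) -> tuple[str, str | None]:
    """Return (verdict, brand); verdicts: official, impersonation, lookalike, unrelated."""
    cand = normalize(app_name)
    best = None
    for brand, dev in OFFICIAL.items():
        target = normalize(brand)
        dist = levenshtein(cand, target)
        if dist == 0:  # same brand name: only the official publisher may use it
            return ("official" if developer == dev else "impersonation", brand)
        # Tolerate one edit per four characters of the brand name, minimum one.
        if dist <= max(1, len(target) // 4) and (best is None or dist < best[0]):
            best = (dist, brand)
    return ("lookalike", best[1]) if best else ("unrelated", None)


# Constructed sample listings modelled on the tactics the advisory describes.
SAMPLE_LISTINGS = [("Ledger", "ledger-official-dev"), ("LeddgerNew", "random-dev-1"),
                   ("MetaMask", "random-dev-2"), ("Coinbas Pro", "random-dev-3"),
                   ("Pocket Puzzle Games", "random-dev-4")]

if __name__ == "__main__":
    for name, dev in SAMPLE_LISTINGS:
        print(f"{name!r:22} -> {classify(name, dev)}")
```

A listing that returns "impersonation" has the real brand name under an unknown publisher, which in practice is the stronger signal than a misspelling.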

Recommendation & Conclusion

This campaign highlights the growing risk of supply-chain and app-store-based attacks, even on trusted platforms like the Apple App Store. By targeting recovery phrases, attackers bypass traditional security controls and gain full control over cryptocurrency assets. Users and organizations should:

  • Download apps only from verified developers and carefully check app names and reviews
  • Never share or enter recovery phrases outside official wallet applications
  • Avoid installing apps that redirect to external download pages
  • Enable additional wallet security features such as hardware wallets and multi-factor authentication
  • Monitor cryptocurrency accounts for suspicious transactions

Source

https://thehackernews.com/2026/04/26-fakewallet-apps-found-on-apple-app.html