# 26 Malicious Cryptocurrency Wallet Apps Discovered on Apple App Store in Ongoing Phishing Campaign


Cybersecurity researchers at Kaspersky have uncovered a sophisticated supply chain attack targeting cryptocurrency users through the Apple App Store, with at least 26 fraudulent applications impersonating legitimate wallet platforms. The campaign, which has been active since at least fall 2025, uses a multi-stage deception technique to trick users into surrendering their recovery phrases and private keys, handing the attackers control of their cryptocurrency assets.


## The Threat


The discovered malicious applications operate under names designed to closely resemble trusted cryptocurrency wallet providers, leveraging brand confusion to gain user trust. Once installed and launched, these apps execute a deceptive redirect mechanism that transports users to counterfeit App Store pages with visual elements mimicking Apple's official storefront design.


The attack sequence works as follows:


1. User downloads what appears to be a legitimate wallet app from the App Store

2. Upon opening, the app redirects to a fake webpage designed to resemble the official App Store interface

3. The fraudulent page directs users to download "updated" versions of popular wallet applications, which are in fact trojanized

4. These counterfeit wallets prompt users to enter or restore their cryptocurrency wallet recovery phrases

5. Attackers collect the recovery phrases, granting them full access to victims' cryptocurrency holdings


The sophistication of this campaign lies not in technical complexity but in social engineering. By leveraging Apple's trusted platform and creating visually convincing replicas of the App Store interface, threat actors exploit user assumptions about platform security and brand authenticity.


## Background and Context


Cryptocurrency wallet applications represent an increasingly attractive target for cybercriminals due to the irreversible nature of blockchain transactions and the substantial financial assets users typically entrust to these platforms. Unlike traditional financial accounts where unauthorized transfers can be reversed, cryptocurrency theft is generally permanent.


Recent trends in cryptocurrency app security:


- Mobile wallet applications have become the primary attack surface for crypto theft, surpassing exchange platforms in many regions
- Phishing campaigns targeting crypto users have grown 340% year-over-year since 2023
- App store vetting processes, despite improvements, remain vulnerable to sophisticated impersonation attacks
- Users often maintain multiple wallet applications simultaneously, increasing exposure to counterfeit alternatives

The Apple App Store, historically promoted as a secure distribution channel with strict review processes, has previously fallen victim to similar campaigns. This discovery highlights the ongoing challenge of maintaining security at scale while accommodating millions of applications and legitimate user choice.


## Technical Details


The attack demonstrates careful attention to convincing users through visual and behavioral mimicry rather than exploiting technical vulnerabilities in iOS itself. This social engineering-focused approach is often more effective than zero-day exploits because it operates within user expectations rather than against them.


Key technical components of the attack:


| Attack Stage | Method | Mechanism |
|---|---|---|
| App Distribution | Deceptive branding | Apps named similarly to legitimate wallets (e.g., "Wallet Pro," "MetaMask+" with visual variations) |
| Initial Launch | Automatic redirect | Upon opening, apps execute JavaScript or deep linking to external domains |
| Visual Spoofing | HTML/CSS replication | Fraudulent web pages replicate App Store design elements, including pricing pages and download buttons |
| Credential Harvesting | Fake recovery interface | Compromised pages display wallet import screens requesting 12-24 word seed phrases |
| Persistence | Trojanized APK/IPA | Downloaded files contain modified wallet code that transmits credentials to attacker servers |


The trojanized wallet applications discovered in this campaign contain modified code that intercepts and exfiltrates recovery phrases before allowing legitimate wallet functionality to resume. This allows some users to complete transactions normally, potentially avoiding immediate detection of compromise.


## Implications for Users and Organizations


The discovery of this campaign raises several critical concerns for the cryptocurrency ecosystem and the broader mobile application security landscape.


Immediate risks:


- Direct financial loss: Users whose recovery phrases are compromised face complete loss of their cryptocurrency holdings
- Extended compromise: Compromised wallets can serve as pivot points for accessing related accounts, exchanges, and hardware devices
- Delayed detection: Some victims may not realize their accounts have been compromised until assets are transferred days or weeks later
- Regulatory exposure: Platforms holding compromised user funds may face liability and regulatory scrutiny


Broader ecosystem implications:


The campaign highlights fundamental challenges in app store security models. Even with human review processes, the scale of app distribution makes comprehensive vetting impractical. Additionally, the visual similarity attack vector, where malicious apps use confusingly similar names and interfaces, represents a class of threat that technical security controls alone cannot address.


For cryptocurrency platforms and wallet providers, this incident underscores the risk of relying on centralized app stores as the primary distribution mechanism. Hardware wallet manufacturers and non-custodial platforms must consider how their ecosystem guides users safely between devices and applications.


## User Protection Recommendations


For cryptocurrency users:


- Verify origin: Download wallet applications only from direct links provided on official project websites or verified GitHub repositories, not through App Store search results
- Use hardware wallets: For substantial holdings, consider hardware wallets that maintain private keys offline and reduce exposure to mobile-based attacks
- Bookmark carefully: Save direct links to official app store pages and wallet websites to avoid relying on search results
- Seed phrase security: Never enter recovery phrases into any interface that appears within a web browser or unfamiliar application
- Review installations: Periodically audit installed applications and remove any with unfamiliar names or outdated update dates


For platform administrators:


- Enhanced review processes: Implement detection systems for visually similar or deceptively named applications before publication
- Behavioral monitoring: Monitor application behavior patterns post-launch to identify unexpected redirects or web interactions
- User warnings: Implement warnings when applications attempt to redirect to external payment or authentication interfaces
- Reported app removal: Establish rapid removal processes for reported malicious applications (removal timeline for this campaign was not disclosed)
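As an added example (not Kaspersky's, Apple's or any wallet vendor's code), the following Python sketches the pre-publication name check the first recommendation calls for: a submitted app name is normalized (accents, case, digit-for-letter substitutions and filler words such as "Wallet" or "Pro" removed) and compared against a list of known wallet brands, so that both the generic "Wallet Pro" pattern and the "MetaMask+" brand-variant pattern from the article are flagged. The brand list, the filler list and the 0.85 similarity threshold are constructed assumptions, not values from the page.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list of legitimate wallet brands (illustrative, not a real registry).
KNOWN_BRANDS = ("MetaMask", "Trust Wallet", "Coinbase Wallet", "Ledger Live", "Phantom")

# Filler words impostors append to a brand so the listing reads like an official variant.
FILLER = {"wallet", "pro", "plus", "official", "app", "secure", "update", "new"}

# Coarse map of digits/symbols commonly substituted for letters in lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(name: str) -> str:
    """Reduce a display name to a comparable core: strip accents and non-ASCII
    letters, case-fold, undo digit/symbol substitutions, drop filler words."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    ascii_name = ascii_name.casefold().translate(CONFUSABLES)
    tokens = [t for t in re.split(r"[^a-z]+", ascii_name) if t and t not in FILLER]
    return "".join(tokens)


def classify(submitted: str, brands=KNOWN_BRANDS, threshold: float = 0.85):
    """Return (verdict, matched_brand) for a submitted app name.

    'generic'   - name is built only from filler words ("Wallet Pro")
    'collision' - normalized name equals a known brand; route to developer-ownership check
    'lookalike' - within `threshold` similarity of a known brand; hold for manual review
    'ok'        - no brand resemblance found
    The 0.85 threshold is an assumption to be tuned against real submission data.
    """
    core = normalize(submitted)
    if not core:
        return "generic", None
    best_brand, best_score = None, 0.0
    for brand in brands:
        score = SequenceMatcher(None, core, normalize(brand)).ratio()
        if score > best_score:
            best_brand, best_score = brand, score
    if best_score == 1.0:
        return "collision", best_brand
    if best_score >= threshold:
        return "lookalike", best_brand
    return "ok", None


if __name__ == "__main__":
    # Constructed sample submissions, including the two name patterns the article cites.
    for name in ("MetaMask+", "Wallet Pro", "Metamsk Wallet", "Trust Wa11et Official", "Phantm", "Notes"):
        print(f"{name!r:>26} -> {classify(name)}")
```

A "collision" verdict is not proof of fraud on its own; it is the cue to verify that the submitting developer actually owns the brand before the listing goes live.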

## Conclusion


The discovery of 26 malicious wallet applications represents a mature social engineering attack that prioritizes convincing user deception over technical exploitation. The campaign's success highlights critical limitations in centralized app store security models and the ongoing vulnerability of users who rely primarily on visual cues to verify application authenticity.


For cryptocurrency users, the most effective protection remains skepticism toward unexpected interface changes, verification of download sources through multiple channels, and consideration of security architectures, such as hardware wallets, that reduce exposure to mobile-based compromise. For platform providers and security teams, the incident reinforces the necessity of post-deployment monitoring and rapid response capabilities to emerging threats, even on platforms with established review processes.


As cryptocurrency adoption continues to expand among mainstream users with varying technical expertise, similar campaigns should be expected. The security of distributed asset systems ultimately depends on user education and architectural choices that reduce opportunities for social engineering attacks.