26 FakeWallet Apps Impersonating Crypto Wallets Discovered on Apple App Store: Seed Phrase Theft Campaign Targeting iOS Users (April 2026)

Executive Summary

In April 2026, the cybersecurity landscape was shaken by the discovery of 26 malicious FakeWallet applications on the Apple App Store, as reported by Kaspersky and corroborated by multiple cybersecurity news outlets. These apps, meticulously crafted to impersonate legitimate cryptocurrency wallets such as MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie, were primarily targeting users in China but were accessible globally. The primary objective of these apps was to harvest wallet recovery seed phrases and private keys, thereby enabling attackers to exfiltrate and drain victims’ cryptocurrency assets. The campaign, which has been active since at least the fall of 2025, is attributed with moderate confidence to the SparkKitty threat actor group, known for its sophisticated mobile phishing and credential theft operations. This incident underscores the evolving threat landscape, where even the most trusted app distribution platforms can be leveraged for large-scale credential theft and financial fraud.

Technical Information

The FakeWallet campaign demonstrates a multi-stage attack chain, leveraging both social engineering and technical subversion of the iOS ecosystem.

The initial vector involved the direct distribution of malicious apps via the Apple App Store, with a focus on users whose Apple accounts were set to the Chinese region. The threat actors cloned the branding, icons, and user interface of legitimate wallet applications, introducing only subtle typographical errors in app names such as "LeddgerNew", "TrustWalet", and "Coinbsae" to evade cursory scrutiny while maintaining plausible legitimacy.

Upon installation, these apps exhibited deceptive behaviors. Some masqueraded as benign utilities—such as games, calculators, or to-do lists—but upon execution, redirected users to phishing pages. Others acted as placeholders, instructing users to download the "official" wallet app via a browser, often citing regulatory restrictions as a pretext. This redirection was a critical step, as it facilitated the delivery of trojanized wallet applications outside the confines of the App Store’s security controls.

A pivotal technique employed by the attackers was the abuse of iOS enterprise provisioning profiles. By tricking users into installing a developer profile, the attackers circumvented Apple’s standard app vetting process, enabling the installation of malicious apps directly onto the device. This method is particularly insidious, as it leverages a legitimate feature intended for enterprise app distribution, repurposed here for malicious ends.

Once the trojanized wallet app was installed, it targeted both hot and cold wallets. For hot wallets, the malware hooked into the wallet recovery or creation screens, capturing seed phrases and private keys as users entered them. For cold wallets, phishing pages or fake prompts solicited the seed phrase—a request that legitimate cold wallet apps would never make. Some variants of the malware incorporated Optical Character Recognition (OCR) modules, enabling the capture of recovery phrases even if they were displayed as images rather than text.

Exfiltration of stolen credentials was achieved via encrypted communication with attacker-controlled servers. The malware transmitted the harvested seed phrases and private keys, granting the attackers full access to the victims’ cryptocurrency holdings. The infrastructure supporting this campaign included a network of malicious download links and command-and-control (C2) servers, many of which were obfuscated using domain generation algorithms and fast-flux hosting.

The technical sophistication of this campaign is further evidenced by the use of MITRE ATT&CK techniques such as T1056.001 (Input Capture – Keylogging/Screen Capture), T1566.002 (Phishing – Spearphishing via Service), T1071.001 (Application Layer Protocol – Web Protocols), and T1204.002 (User Execution – Malicious File). The attackers’ ability to blend social engineering with technical exploitation of iOS provisioning mechanisms represents a significant escalation in the threat model for mobile cryptocurrency users.

Exploitation in the Wild

The FakeWallet campaign primarily targeted Chinese iOS users, exploiting the regional limitations of the Apple App Store that often restrict access to official wallet apps. However, the malicious apps were not geo-fenced and could be downloaded by users worldwide, resulting in a broader victimology than initially anticipated.

Victims reported complete theft of cryptocurrency assets from compromised wallets, with attackers moving swiftly to exfiltrate funds once seed phrases were obtained. The campaign did not extend to the Google Play Store, indicating a focused exploitation of the iOS ecosystem.

Detection and response efforts were initiated following public disclosure by Kaspersky and other security researchers. Apple responded by removing many of the identified malicious apps from the App Store. However, the campaign’s reliance on enterprise provisioning profiles means that the threat persists beyond the removal of the apps themselves, as users who have already installed malicious profiles remain vulnerable to further exploitation.

The incident has prompted renewed scrutiny of app store vetting processes and the security implications of enterprise provisioning on consumer devices. It also highlights the importance of user education, as many victims were deceived by the superficial legitimacy of the fake apps and the plausible pretexts provided for installing additional profiles or entering sensitive credentials.

APT Groups using this vulnerability

Attribution for the FakeWallet campaign has been assigned with moderate confidence to the SparkKitty threat actor group. SparkKitty is known for its focus on cryptocurrency theft, particularly targeting mobile platforms through the abuse of enterprise provisioning profiles and advanced phishing tactics.

Key indicators supporting this attribution include the use of OCR modules for credential theft, the presence of Chinese language artifacts in the malware code and infrastructure, and a historical pattern of targeting cryptocurrency users in regions with restricted access to official wallet applications. SparkKitty has previously orchestrated similar campaigns, leveraging both technical exploits and social engineering to achieve their objectives.

No other advanced persistent threat (APT) groups have been publicly linked to this specific campaign as of the time of reporting. However, the techniques employed are consistent with broader trends observed in financially motivated cybercrime targeting the cryptocurrency sector.

Affected Product Versions

The following legitimate wallet brands were impersonated by the 26 fake apps: MetaMask, Ledger (Ledger Live), Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. Known fake app names include "LeddgerNew", "TrustWalet", "Coinbsae", "imTokenPlus", "BitpiePro", and "TokenPocketX". All versions of these fake apps published to the Apple App Store between Fall 2025 and April 2026 are considered malicious and affected.

The Securelist/Kaspersky report confirms 26 unique fake apps, but does not publish the full list of all app names and versions. The above are confirmed examples. Users who installed any wallet app with suspicious naming, publisher information, or requests for developer profile installation during this period should consider their devices compromised.

Workaround and Mitigation

For end users, it is critical to never install developer or enterprise provisioning profiles unless they are provided by a trusted employer or a verified source. Wallet recovery phrases should only be entered on official wallet hardware or apps, and never in response to prompts from third-party apps or browser pages. Users should always verify app publishers and download links via official wallet websites, even when using the Apple App Store. Any app with minor typos in names or icons, or those requesting installation of additional profiles, should be treated as suspicious.

For organizations, monitoring for the installation of unauthorized developer profiles on managed devices is essential. Security awareness training should emphasize the risks of phishing and fake wallet apps, particularly in regions where access to official apps is restricted. Mobile device management (MDM) solutions should be configured to block the installation of unapproved profiles and to alert administrators to anomalous app installation behaviors.
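As an added example (not code from the advisory, Kaspersky or Rescana), the following Python sketches the organizational monitoring described above: it scans a constructed MDM inventory export for wallet apps whose names are near misses of the impersonated brands (typos such as "Coinbsae", or suffixes such as "imTokenPlus") and for enterprise provisioning profiles whose team ID is not on an allowlist. The inventory shape, bundle IDs and team IDs are assumptions; hits are review candidates for an analyst, not verdicts.

```python
import json
from difflib import SequenceMatcher
# Wallet brands the advisory lists as impersonated (Ledger Live is matched on "Ledger").
WALLET_BRANDS = ["MetaMask", "Ledger", "Trust Wallet", "Coinbase",
                 "TokenPocket", "imToken", "Bitpie"]
# Placeholders (assumptions): bundle IDs and enterprise team IDs your MDM has approved.
KNOWN_GOOD_BUNDLE_IDS = {"com.example.legit-wallet"}
APPROVED_TEAM_IDS = {"EXAMPLETEAMID1"}

def _norm(name):
    """Lower-case and drop spaces/punctuation so 'Trust Wallet' and 'TrustWalet' compare cleanly."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def lookalike_brand(app_name, threshold=0.75):
    """Return the brand an app name most resembles when it is a near miss (a typo such as
    'Coinbsae' or a bolted-on suffix such as 'imTokenPlus'); None for exact or unrelated names."""
    n = _norm(app_name)
    best, score = None, 0.0
    for brand in WALLET_BRANDS:
        b = _norm(brand)
        # Score the whole name and its brand-length prefix so a suffix cannot hide a typo.
        r = max(SequenceMatcher(None, n, b).ratio(), SequenceMatcher(None, n[: len(b)], b).ratio())
        if r > score:
            best, score = brand, r
    if best is None or score < threshold or n == _norm(best):
        return None
    return best

def scan_inventory(inventory_json):
    """Walk an MDM export (constructed shape, see SAMPLE_INVENTORY) and return
    (device_id, finding_type, detail) tuples for lookalike apps and unapproved profiles."""
    findings = []
    for device in json.loads(inventory_json)["devices"]:
        for app in device.get("apps", []):
            brand = lookalike_brand(app["name"])
            if brand and app.get("bundle_id") not in KNOWN_GOOD_BUNDLE_IDS:
                findings.append((device["id"], "lookalike_app", f"{app['name']} resembles {brand}"))
        for prof in device.get("profiles", []):
            if prof.get("type") == "enterprise_provisioning" and prof.get("team_id") not in APPROVED_TEAM_IDS:
                findings.append((device["id"], "unapproved_profile", prof.get("display_name", "?")))
    return findings
# Constructed sample inventory for illustration only; not data from the advisory.
SAMPLE_INVENTORY = json.dumps({"devices": [
    {"id": "ipad-01", "apps": [{"name": "LeddgerNew", "bundle_id": "com.example.fake1"}],
     "profiles": [{"display_name": "Wallet Installer", "type": "enterprise_provisioning", "team_id": "UNKNOWNTEAM99"}]},
    {"id": "iphone-02", "apps": [{"name": "MetaMask", "bundle_id": "com.example.legit-wallet"}], "profiles": []}]})

if __name__ == "__main__":
    print(*scan_inventory(SAMPLE_INVENTORY), sep="\n")
```

In a real deployment the allowlists would be fed from the MDM's approved-app catalogue, and each hit would be paired with the publisher and download source before any device is quarantined.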

If compromise is suspected, users should immediately remove any suspicious apps and developer profiles, reset their device, and transfer assets to a new wallet with a freshly generated seed phrase. Incident response teams should collect forensic artifacts, including app hashes and network traffic logs, to support further investigation and reporting.

References

Kaspersky Securelist: FakeWallet crypto stealer spreading through iOS apps in the App Store (April 2026)
Kaspersky Press Release
The Hacker News Coverage
Reddit InfoSec News Thread
SecurityWeek Article
Cryptopotato Coverage
MITRE ATT&CK TTPs

Rescana is here for you

At Rescana, we understand that the evolving threat landscape demands proactive and comprehensive risk management. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital ecosystem. While this advisory focuses on the FakeWallet campaign, our platform is designed to help you identify and respond to emerging threats, ensuring the resilience of your business operations. If you have any questions or require further assistance, our team is ready to support you at ops@rescana.com.