Back

FakeWallet Crypto Stealer Targets iOS Users via Phishing Apps

Severity: High (Score: 71.0)

Sources: Securelist, Kaspersky

Summary

In March 2026, Kaspersky identified over twenty phishing applications in the Apple App Store that impersonate popular cryptocurrency wallets. These malicious apps redirect users to fraudulent web pages that mimic the App Store and distribute trojanized versions of legitimate wallets, specifically designed to steal recovery phrases and private keys. The campaign has been active since at least fall 2025 and primarily affects users in China, where official crypto wallet apps are often unavailable. The attackers employ typosquatting techniques to bypass App Store filters, using similar icons and names to deceive users. Kaspersky has reported these findings to Apple, resulting in the removal of several malicious apps. The phishing apps contain stubs that appear legitimate but ultimately lead to malicious links. Victims who install these apps may unknowingly grant permissions that allow for the installation of further malicious software. Key Points: • Over 20 phishing apps impersonating crypto wallets identified in the App Store. • Malicious apps primarily target users in China due to regional restrictions. • Attackers use typosquatting and stubs to deceive users into installing malware.

Key Entities

  • SparkKitty (malware)
  • FakeWallet (malware)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Trojan (attack_type)
  • Apple (company)
  • Bitpie (company)
  • Coinbase (company)
  • ImToken (company)
  • Ledger (company)
  • Ledger Live (platform)
  • MetaMask (platform)
  • Trust Wallet (platform)
  • Android (platform)
  • Apple App Store (platform)
  • China (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-94 - Code Injection (cwe)
  • securelist.com (domain)
  • 0565364633b5acdd24a498a6a9ab4eca (md5)
  • 114721fbc23ff9d188535bd736a0d30e (md5)
  • 19733e0dfa804e3676f97eff90f2e467 (md5)
  • 31d25ddf2697b9e13ee883fff328b22f (md5)
  • 4126348d783393dd85ede3468e48405d (md5)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • React Native (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed