FakeWallet Phishing Apps Target iOS Users in App Store

Severity: High (Score: 67.5)

Sources: Securelist

Summary

In March 2026, over twenty phishing apps were discovered in the Apple App Store, posing as popular cryptocurrency wallets. These malicious apps redirect users to fraudulent browser pages that mimic the App Store and distribute trojanized versions of legitimate wallets designed to steal recovery phrases and private keys. The campaign has been active since at least fall 2025 and exploits regional restrictions in China, where many official wallet apps are unavailable. Attackers use typosquatting, creating fake apps with similar names and icons to deceive users. Kaspersky detects the threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.*. The investigation identified 26 phishing apps targeting major wallets such as MetaMask and Coinbase, with some apps showing signs of malicious functionality still under development. Apple has been notified, and several of the malicious apps have been removed from the store.

Key Points:

  • Over twenty phishing apps in the App Store masquerade as crypto wallets.
  • Attackers use typosquatting and fake promotional banners to deceive users.
  • The campaign has been active since at least fall 2025, with 26 identified phishing apps.

Key Entities

  • Data Breach (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Trojan (attack_type)
  • Apple (company)
  • Bitpie (company)
  • Coinbase (company)
  • ImToken (company)
  • Ledger (company)
  • Ledger Live (platform)
  • MetaMask (platform)
  • Trust Wallet (platform)
  • Android (platform)
  • Apple App Store (platform)
  • China (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-94 - Code Injection (cwe)
  • FakeWallet (malware)
  • SparkKitty (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • React Native (tool)