
Cybersecurity researchers have discovered a series of malicious apps in the Apple App Store that impersonate popular cryptocurrency wallets and attempt to steal recovery phrases and private keys since at least the fall of 2025.
“When launched, these apps redirect users to a browser page that resembles the App Store and distribute Trojanized versions of legitimate wallets,” Kaspersky researcher Sergey Puzan said. “The infected app is specifically designed to hijack your recovery phrase and private key.”
The 26 apps, collectively referred to as “FakeWallets,” mimic a variety of popular wallets, including Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. Many of these apps were removed by Apple following the disclosure. There is no evidence that these apps were distributed via the Google Play Store.
In the past, malicious cryptocurrency wallets distributed via fake websites exploited iOS provisioning profiles to trick users into installing them, but the latest cryptocurrency theft schemes are improved in several ways. First, if users have their Apple accounts set up in China, apps can be downloaded directly from Apple’s App Store.
These apps have icons that reflect the original, but contain intentional typos in their names (e.g. LedgeNew) to trick unsuspecting users into downloading them. In some cases, an app’s name or icon may have nothing to do with cryptocurrency. Instead, these are used as placeholders to direct users to download the official wallet app, claiming that it is “not available on the App Store” for regulatory reasons.
Kaspersky said it also identified several similar apps likely related to the same threat actor. These apps have been found to mimic benign services such as games, calculators, and task planners, without any malicious functionality enabled. Once launched, these apps open a link on a web browser and utilize an enterprise provisioning profile to install a wallet app on the victim’s device.
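The typosquatted names described above (e.g. LedgeNew for Ledger) can be caught by a simple brand-abuse check that normalizes an app listing's name and compares it against a list of wallet brands. The script below is an added example for defenders monitoring app-store listings; it is not code from Kaspersky or from the article. The brand list comes from the article, while the official-developer mapping and the sample listings are constructed placeholders.

```python
"""Flag app-store listings whose names look like typosquats of known wallet brands.

Added example (not Kaspersky's tooling). The brand list is taken from the
article; developer names and listings are constructed placeholders.
"""
import re
from difflib import SequenceMatcher

# Wallet brands the article says were impersonated
KNOWN_WALLETS = ("Bitpie", "Coinbase", "imToken", "Ledger", "MetaMask",
                 "TokenPocket", "Trust Wallet")

# Placeholder publisher accounts; a real deployment would hold the vetted
# developer account name per brand, taken from the genuine store listing.
OFFICIAL_DEVELOPERS = {
    "Ledger": {"Ledger (placeholder developer)"},
    "Trust Wallet": {"Trust Wallet (placeholder developer)"},
}


def normalize(name: str) -> str:
    """Lower-case and strip spacing/punctuation so "Ledge New" and "ledge-new" compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def brand_similarity(name: str, brand: str) -> float:
    """1.0 when the brand is embedded in the name (e.g. "MetaMask Pro"), else a
    difflib ratio in [0, 1] that tolerates a dropped or swapped character."""
    n, b = normalize(name), normalize(brand)
    if b in n:
        return 1.0
    return SequenceMatcher(None, n, b).ratio()


def classify_listing(name: str, developer: str,
                     official=OFFICIAL_DEVELOPERS, threshold: float = 0.7):
    """Return (verdict, matched_brand, score) for one store listing.

    threshold=0.7 is a tuning choice: "LedgeNew" vs "Ledger" scores about 0.71,
    so a stricter cut-off would miss exactly the kind of typo the article cites.
    """
    brand, score = max(((b, brand_similarity(name, b)) for b in KNOWN_WALLETS),
                       key=lambda t: t[1])
    if score < threshold:
        return ("unrelated", None, round(score, 3))
    if developer in official.get(brand, set()):
        return ("official", brand, round(score, 3))
    return ("suspect-lookalike", brand, round(score, 3))


if __name__ == "__main__":
    # Constructed listings, not real store data
    for listing in (("LedgeNew", "Unknown Dev"),
                    ("Trust Wallet", "Trust Wallet (placeholder developer)"),
                    ("Calculator", "Unknown Dev")):
        print(listing[0], "->", classify_listing(*listing))
```

Lookalike hits still need a human review step (the listing's screenshots, permissions and publisher history); the score only ranks which listings to look at first, and unrelated names used as placeholders, as the article notes, will not be caught by name similarity at all.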
“The attackers created a large number of different malicious modules, each tailored to a specific wallet,” Puzan said. “Malware is most often delivered through malicious library injection, but we have also discovered builds in which the original source code of the app has been modified.”

The ultimate goal of these infections is to harvest mnemonic phrases from both hot and cold wallets and exfiltrate them to external servers, allowing the operators to take control of victims’ wallets and drain their cryptocurrency assets or initiate fraudulent transactions.
The seed phrase is captured by hooking the code responsible for the screen where the user enters the recovery phrase, or by providing a phishing page that instructs the victim to enter the mnemonic as part of a supposed verification step.
This campaign is suspected to be the work of threat actors associated with last year’s SparkKitty Trojan campaign, given that some of the infected apps also include a module that uses optical character recognition (OCR) to steal wallet recovery phrases, and that both campaigns appear to be the work of native Chinese speakers and specifically target cryptocurrency assets.
“FakeWallet campaigns are gaining momentum by employing new tactics, from delivering payloads via phishing apps published on the App Store, to embedding them in cold wallet apps, and using sophisticated phishing notifications to trick users into revealing mnemonics,” Kaspersky said.
Introducing the MiningDropper Android Malware Framework
The discovery comes as Cyble sheds light on a sophisticated Android malware delivery framework known as MiningDropper (also known as BeatBanker) that combines cryptocurrency mining with information theft, remote access, and banking malware in attacks targeting users in India as well as Latin America, Europe, and Asia as part of the BTMOB RAT campaign.
MiningDropper is distributed via a trojanized version of the open source Android application project Lumolight, and the campaign uses fake websites impersonating banking institutions and local transportation authorities to spread the malware. Once launched, it activates a multi-step sequence to extract the miner and Trojan payload from the encrypted asset archive present within the package.

“MiningDropper employs a multi-stage payload delivery architecture that combines XOR-based native obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques,” Cyble said.
“MiningDropper demonstrates a layered, modular Android malware architecture designed to make static analysis difficult while giving threat actors flexibility in final payload delivery. This design allows threat actors to reuse the same distribution and installation framework across hundreds of samples while tailoring their ultimate monetization objectives to their operational needs.”
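The dropper traits Cyble lists (an encrypted payload archive in the package's assets, native code, dynamic DEX loading, and emulator checks) are each visible at static-triage time. The script below is an added example of such a triage pass; it is not Cyble's tooling and has not been run against MiningDropper samples. It scans an APK as a zip archive and reports how many of the four traits are present; the APK it scans is constructed in memory, and the marker strings used for dynamic loading and emulator detection are generic heuristics chosen for the example.

```python
"""Static triage of an APK for the dropper traits named in the article:
high-entropy assets (encrypted staging), native libraries, dynamic DEX
loading, and emulator-detection strings.

Added example, not Cyble's code. The APK scanned is constructed in memory.
"""
import io
import math
import zipfile
from collections import Counter

# Class references whose presence in DEX code suggests a second-stage DEX is
# loaded at runtime (assumed heuristic markers)
DYNAMIC_LOAD_MARKERS = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/InMemoryDexClassLoader",
    b"dalvik/system/PathClassLoader",
)
# System properties / device names commonly consulted to spot an emulator
# (assumed heuristic markers)
ANTI_EMULATION_MARKERS = (b"ro.kernel.qemu", b"goldfish", b"ro.hardware.ranchu")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, typical of encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> tuple[dict, int]:
    """Scan a zipped APK image and return (findings, score).

    The score counts how many of the four dropper traits are present. It is a
    triage hint for a reverse engineer, not a malware verdict: legitimate apps
    also ship native code, and already-compressed assets (PNG, zip) are
    high-entropy too, so the asset check should be paired with a type check.
    """
    findings = {
        "high_entropy_assets": [],
        "native_libs": [],
        "dynamic_dex_loading": False,
        "anti_emulation_strings": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if (name.startswith("assets/") and len(data) >= 256
                    and shannon_entropy(data) >= entropy_threshold):
                findings["high_entropy_assets"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
            elif name.endswith(".dex"):
                if any(m in data for m in DYNAMIC_LOAD_MARKERS):
                    findings["dynamic_dex_loading"] = True
                findings["anti_emulation_strings"] += [
                    m.decode() for m in ANTI_EMULATION_MARKERS if m in data]
    score = sum([
        bool(findings["high_entropy_assets"]),
        bool(findings["native_libs"]),
        findings["dynamic_dex_loading"],
        bool(findings["anti_emulation_strings"]),
    ])
    return findings, score


def build_sample_apk(dropper_like: bool) -> bytes:
    """Constructed stand-in APK (not a real sample) used to exercise the triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest package='com.example.flashlight'/>")
        if dropper_like:
            # Uniform byte distribution gives entropy of exactly 8.0, mimicking
            # an encrypted archive dropped into assets/
            apk.writestr("assets/payload.bin", bytes(range(256)) * 16)
            apk.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 64)
            apk.writestr("classes.dex", b"dex\n035\x00"
                         + b"Ldalvik/system/DexClassLoader;" + b"ro.kernel.qemu")
        else:
            apk.writestr("assets/config.json", b'{"theme": "dark", "brightness": 80}')
            apk.writestr("classes.dex", b"dex\n035\x00"
                         + b"Lcom/example/flashlight/MainActivity;")
    return buf.getvalue()


if __name__ == "__main__":
    for dropper_like in (True, False):
        findings, score = triage_apk(build_sample_apk(dropper_like))
        print("dropper-like" if dropper_like else "benign", score, findings)
```

A score of 3 or 4 is a reasonable cue to prioritize a sample for dynamic analysis in a hardened sandbox; the emulator-check strings in particular tell the analyst that an off-the-shelf emulator will probably not reach the final payload.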
