Researchers find 26 fake crypto wallet apps on Apple App Store stealing seed phrases

Cybersecurity researchers have discovered a set of malicious apps on the Apple App Store that impersonate popular cryptocurrency wallets in an attempt to steal recovery phrases and private keys since at least fall 2025. "Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distribute trojanized versions of legitimate wallets," Kaspersky researcher Sergey Puzan said. "The infected apps are specifically engineered to hijack recovery phrases and private keys." The 26 apps, collectively dubbed FakeWallet, mimic various popular wallets like Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. Many of these apps have since been taken down The apps are directly available for download from Apple's App Store if a user has their Apple account set to China. These apps have icons that mirror the original but have intentional typos in their names so as to trick unsuspecting users into downloading them. In some cases, the app names and icons have no connection to cryptocurrency. Instead, they are used as placeholders to direct users to download the official wallet app through them, claiming they are "unavailable in the App Store" due to regulatory reasons. Kaspersky said it also identified several similar apps likely linked to the same threat actor that do not have the malicious features enabled, but have been found to mimic a benign service, such as a game, a calculator, or a task planner. Once launched, these apps open a link on the web browser and leverage enterprise provisioning profiles to install the wallet app on the victim's device. The end goal of these infections is to look for mnemonic phrases from both hot and cold wallets, and exfiltrate them to an external server, allowing the operators to seize control of victims' wallets and drain cryptocurrency assets or initiate fraudulent transactions.