China’s Apple App Store Targeted by Malicious Wallet Apps
Twenty-six malicious applications on the Apple App Store have been identified impersonating popular cryptocurrency wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey. The apps are designed to trick users into entering their recovery (seed) phrases, which the operators then use to steal the victims' cryptocurrency.
The threat actor behind this operation utilized various tactics such as typosquatting and fake branding to create fake versions of legitimate products in order to entice users in China into downloading them.
Because cryptocurrency apps are restricted in China, the attacker disguised them as games or calculator apps, presumably to get them past the country's restrictions.
Researchers at Kaspersky have linked all 26 fake apps to a single campaign dubbed FakeWallet, associating them with the ongoing SparkKitty operation that has been active since the previous year.
Upon launch, these apps redirect users to phishing websites that mimic legitimate crypto service portals.
These fraudulent sites urge victims to install trojanized wallet apps through iOS provisioning profiles, abusing a legitimate enterprise-distribution feature that lets apps be installed outside the App Store and its review process. The same technique was observed in the SparkKitty campaign.
Installing a provisioning profile (Source: Kaspersky)
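A first triage step a practitioner can take on a profile that a site like this pushes at them is to read the plist inside the .mobileprovision and see how it is allowed to install apps. The following Python block is an added example, not code from Kaspersky's report or from Apple: it pulls the embedded plist out of the CMS envelope (without verifying the signature) and flags enterprise in-house profiles, which carry the ProvisionsAllDevices key and can install on any device with no App Store review. The two profiles it inspects are constructed samples with hypothetical team names, team IDs and bundle identifiers, wrapped in placeholder bytes that stand in for the real CMS signature.

```python
import plistlib
from datetime import datetime, timezone

# A real .mobileprovision is a DER-encoded CMS (PKCS#7) signature whose signed
# content is an XML plist. The triage below parses only that plist; it does not
# verify the signature, so it must not be used as proof that Apple issued it.


def make_fake_mobileprovision(profile: dict) -> bytes:
    """Constructed sample: wrap a plist dict in placeholder bytes standing in for the CMS envelope."""
    body = plistlib.dumps(profile, fmt=plistlib.FMT_XML)
    return b"\x30\x82\x10\x00" + body + b"\x00" * 8


# Hypothetical enterprise (in-house) profile of the kind a sideloading page hands out.
ENTERPRISE_SAMPLE = make_fake_mobileprovision({
    "AppIDName": "Calculator Pro",            # hypothetical app name
    "TeamName": "Example Trading Ltd",        # hypothetical developer
    "TeamIdentifier": ["ABCDE12345"],          # hypothetical team ID
    "ProvisionsAllDevices": True,             # set on enterprise in-house profiles
    "ExpirationDate": datetime(2030, 1, 1),
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.calc",
        "get-task-allow": False,
    },
})

# Hypothetical ad-hoc profile: pinned to listed device UDIDs and already expired.
ADHOC_SAMPLE = make_fake_mobileprovision({
    "AppIDName": "Dev Build",
    "TeamName": "Example Dev Co",
    "TeamIdentifier": ["FGHIJ67890"],
    "ProvisionedDevices": ["00008030-000000000000002E"],  # hypothetical UDID
    "ExpirationDate": datetime(2020, 1, 1),
    "Entitlements": {"application-identifier": "FGHIJ67890.com.example.dev"},
})


def extract_plist(data: bytes) -> dict:
    """Locate the XML plist inside the CMS blob and parse it (signature is ignored)."""
    start = data.find(b"<?xml")
    end = data.find(b"</plist>")
    if start < 0 or end < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(data[start:end + len(b"</plist>")])


def triage_profile(data: bytes, now=None) -> dict:
    """Summarise how the profile can install apps and flag the risky cases."""
    p = extract_plist(data)
    # plistlib returns naive UTC datetimes, so compare against a naive UTC "now".
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    warnings = []

    if p.get("ProvisionsAllDevices"):
        distribution = "enterprise"
        warnings.append("enterprise profile: installs on any device without App Store review")
    elif "ProvisionedDevices" in p:
        distribution = "ad-hoc"
        warnings.append(f"ad-hoc profile pinned to {len(p['ProvisionedDevices'])} device(s)")
    else:
        distribution = "other"

    expires = p.get("ExpirationDate")
    expired = bool(expires and expires < now)
    if expired:
        warnings.append("profile has expired; apps signed under it will no longer launch")

    return {
        "distribution": distribution,
        "team_name": p.get("TeamName"),
        "team_ids": p.get("TeamIdentifier", []),
        "app_id": p.get("Entitlements", {}).get("application-identifier"),
        "expires": expires,
        "expired": expired,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for label, blob in (("enterprise", ENTERPRISE_SAMPLE), ("ad-hoc", ADHOC_SAMPLE)):
        print(label, triage_profile(blob))
```

The point of the check is the distribution type: an app a consumer is asked to install from a web page under an enterprise profile belonging to a team they have never heard of is exactly the sideloading path this campaign relies on, regardless of what the app calls itself.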
The trojanized apps contain code that intercepts the mnemonic phrase during wallet setup or recovery, encrypts it with RSA, Base64-encodes the ciphertext for transport, and sends it to the attacker.
For hardware wallets like Ledger, attackers employ in-app phishing prompts to deceive users into entering their seed phrases via fake security verification screens.
A seed phrase fully determines a wallet's private keys: anyone holding it can restore the wallet on any device, and no further authentication is involved. That is by design rather than a loophole, and it is what lets the threat actor import the victim's wallet on their own device and drain the funds, with no way to reverse the transfers.
Seed phrase phishing screen (Source: Kaspersky)
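Why the captured words are enough on their own: a BIP-39 phrase is turned into the wallet's master key by a fixed, public derivation that involves no server, device or password. The Python block below is an added example, not code from Kaspersky's report or from any wallet vendor; it implements that derivation and the BIP-32 master key step, using the first BIP-39 reference test vector (with its "TREZOR" passphrase) as constructed input. The helper names are mine, and wordlist checksum validation is omitted because it needs the 2048-word list.

```python
import hashlib
import hmac
import unicodedata

# Constructed input: the first BIP-39 reference test vector (entropy of 16 zero
# bytes) together with the passphrase used by that vector set.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")
PASSPHRASE = "TREZOR"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512 over the NFKD mnemonic, salt "mnemonic"+passphrase, 2048 rounds, 64 bytes."""
    words = " ".join(unicodedata.normalize("NFKD", mnemonic).split())
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64)


def bip32_master_key(seed: bytes) -> tuple:
    """BIP-32 master node: HMAC-SHA512 keyed with "Bitcoin seed"; left 32 bytes are the master private key, right 32 the chain code."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def wallet_root(mnemonic: str, passphrase: str = "") -> dict:
    """Everything an attacker needs to rebuild the wallet, computed from the words alone."""
    seed = bip39_seed(mnemonic, passphrase)
    key, chain = bip32_master_key(seed)
    return {"seed": seed.hex(), "master_key": key.hex(), "chain_code": chain.hex()}


if __name__ == "__main__":
    with_pass = wallet_root(MNEMONIC, PASSPHRASE)
    without = wallet_root(MNEMONIC)  # same words, no passphrase: an unrelated wallet
    print("seed:", with_pass["seed"])
    print("master key differs without passphrase:", with_pass["master_key"] != without["master_key"])
```

The one secret the phishing screen does not capture is an optional BIP-39 passphrase (the so-called 25th word): as the block shows, a different passphrase yields an unrelated master key, so a wallet set up with one cannot be restored from the twelve or twenty-four words alone. A wallet without one is fully exposed the moment the words leave the device.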
Although it currently targets Chinese users, the malware used in this campaign has no geographical restriction built in, so users elsewhere could be affected if the operators widen their targeting.
Cryptocurrency holders are strongly advised to verify the authenticity of the apps they download, even from official app stores, and to only use links provided on the official websites of the respective services.
Recently, it was discovered that a fraudulent Ledger app infiltrated Apple’s App Store, resulting in the theft of $9.5 million worth of cryptocurrency from 50 macOS users.
Following Kaspersky’s responsible disclosure, Apple has removed all 26 FakeWallet apps from the App Store.
BleepingComputer reached out to Apple for clarification on how the threat actor managed to bypass the company’s App Store verifications, but as of publication time, no response has been received.