Cybersecurity researchers at Kaspersky have uncovered a stealthy campaign involving 26 counterfeit cryptocurrency wallet applications distributed through Apple’s official App Store. These fraudulent programs impersonated some of the most popular digital asset managers, putting users’ holdings at risk of complete theft. The findings, released on April 20, 2026, highlight how even vetted app marketplaces can become vectors for sophisticated crypto exploits.
The operation, which Kaspersky has tracked as active since at least autumn 2025, appears linked with moderate confidence to the operators behind the SparkKitty malware family.
Attackers created clones of well-known wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie.
They replicated official icons and naming conventions to build trust.
The apps were especially prominent for Chinese iOS users—where genuine versions of many of these wallets are unavailable in the local store—but carried no geographic limits, leaving global iPhone owners potentially exposed.
At first glance, the fake apps looked harmless.
They included filler features such as basic games, calculators, or to-do lists to mimic legitimate utility software.
Their malicious payload activated only after launch. Users were immediately redirected to phishing sites that perfectly copied the Apple App Store interface.
These pages instructed victims to install what appeared to be an official wallet update by adding an enterprise developer profile to their device.
This sideloading technique, similar to methods used in prior SparkKitty attacks, bypassed standard iOS restrictions and delivered customized trojanized wallet applications.
The trojans targeted both hot and cold wallets with precision. In hot wallets—where private keys remain on internet-connected phones—the malware quietly captured seed phrases entered during wallet creation or recovery.
For cold wallets relying on offline hardware devices, the apps deployed phishing prompts requesting recovery phrases, a request no authentic wallet software ever makes.
With seed phrases in hand, attackers gained irreversible access to funds, enabling full drainage of cryptocurrency assets.
Kaspersky promptly notified Apple, leading to the removal of all 26 apps.
Mobile malware expert Sergey Puzan noted that criminals are willing to pay for developer accounts to target iOS users, signaling that mobile crypto management carries persistent risks.
“Users should treat every unexpected prompt or link with suspicion,” he warned.
To protect themselves, Kaspersky recommends several straightforward defenses. Never follow in-app redirects or install developer profiles unless they come directly from a trusted employer.
Recovery phrases should only be entered on official hardware devices from the wallet manufacturer—legitimate apps never request them over the internet.
Always verify the publisher name against the official website before downloading any crypto tool, and avoid third-party links promising wallet updates.
This campaign underscores a broader trend: cybercriminals are refining social-engineering tactics to exploit the trust users place in official app stores.
As cryptocurrency adoption grows, vigilance clearly remains the most effective safeguard against evolving mobile threats. Kaspersky concluded by urging users who manage significant digital assets to double-check every installation and to treat seed phrases as the ultimate keys to their financial security.