
Inside FakeWallet: How iOS Phishing Apps Stole Crypto Keys via the App Store

Posted by u/Kousa4 Stack · 2026-05-03 09:11:01

In March 2026, security researchers uncovered a prolific wave of phishing apps on the Apple App Store that posed as trusted cryptocurrency wallets. These apps were not just simple scams—they executed a sophisticated scheme to steal users' recovery phrases and private keys by redirecting them to fake browser pages. The campaign, active since at least fall 2025, targeted users in regions like China where official crypto wallet apps are restricted. Below, we answer the most pressing questions about this threat.

What is the FakeWallet malware and how does it steal crypto?

FakeWallet is a family of trojanized apps designed to hijack cryptocurrency holdings. When a user launches one of these phishing apps, it immediately redirects them to a browser page that mimics the App Store interface. This fake page then prompts the user to download a trojanized version of a legitimate wallet app, such as MetaMask or Trust Wallet. Once installed, the malicious software is engineered to intercept and exfiltrate recovery phrases and private keys. Kaspersky detects this threat under the signatures HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*. The stolen credentials allow attackers to drain wallets remotely, making it a severe threat for crypto users.

Source: securelist.com

How did attackers get these fake apps into the Apple App Store?

Attackers exploited several loopholes to bypass Apple’s review process. First, they used typosquatting—intentionally misspelling app names (e.g., “Ledger Wallt” instead of “Ledger Wallet”) and copying official icons to appear legitimate. In some cases, the app name and icon had nothing to do with crypto; instead, promotional banners inside the app claimed the real wallet was “unavailable in the App Store” and directed users to download via the app. Additionally, the phishing apps often included a functional stub—like a game or calculator—to make them seem harmless during review. The malicious features were either hidden or toggled on after approval, allowing the apps to slip through Apple’s filters for months.

Why were Chinese iOS users particularly at risk?

Due to regional restrictions, many official cryptocurrency wallet apps (e.g., MetaMask, Coinbase) are not available in the Chinese App Store when the Apple ID is set to the China region. Scammers exploited this gap by targeting search results in the Chinese store with their phishing apps. When users searched for popular wallets, the fake apps appeared at the top, often with names and icons that closely mimicked the originals. With no easy access to genuine wallets, Chinese users were especially vulnerable to deception. This strategic targeting allowed the campaign to thrive undetected from fall 2025 until its discovery in March 2026.

Which cryptocurrency wallets were impersonated?

Researchers identified 26 phishing apps that impersonated seven major wallets:

  • MetaMask
  • Ledger (formerly Ledger Live)
  • Trust Wallet
  • Coinbase
  • TokenPocket
  • imToken
  • Bitpie

Some of these fake apps had no obvious crypto-related name or icon but used promotional screenshots to claim the official app was unavailable. The attackers also created several additional apps that did not yet contain phishing code but showed strong links to the same threat group—likely waiting for a future update to activate malicious features. All findings were reported to Apple, and many of the apps have since been removed.


How does this threat compare to earlier schemes like the 2022 ESET discovery?

This is not a new attack vector. In 2022, ESET researchers found compromised crypto wallets distributed through phishing sites that abused iOS provisioning profiles to install malware and steal recovery phrases from wallets like MetaMask, Coinbase, and Trust Wallet. The 2026 version is a major evolution: it now uses new malicious modules, updated injection techniques, and distributes malware directly through App Store phishing apps rather than external websites. The attackers have also improved their social engineering—using typosquatting and stubs (e.g., a calculator) to evade detection. The scale is larger, with over 20 apps identified, and the campaign had been active for months before discovery.

What steps can users take to protect themselves from FakeWallet?

To avoid falling victim to such phishing attacks, consider the following precautions:

  1. Download only from official developer accounts—verify the developer name matches the official wallet’s website.
  2. Check for typos in app names and descriptions; typosquatting is a common red flag.
  3. Never enter recovery phrases into any app or website that requests them, especially after being redirected from a different page.
  4. Use hardware wallets when possible, as they store private keys offline.
  5. Keep your device updated and use security solutions that detect such threats.

As detailed in the distribution methods, even apps that appear legitimate can be malicious. Always cross-check with official sources before downloading.
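The typosquatting pattern described in the distribution section (a name like "Ledger Wallt" with a copied icon) and the first two precautions above (check the developer name, look for misspellings) can be turned into a simple triage check. The following is an added example written for this article; it is not code from Securelist or Kaspersky. It normalizes listing names, measures edit distance against a small allowlist of wallet names, and flags any listing that is close to a known wallet but not published by the expected developer. The developer names in the allowlist and the sample listings are constructed placeholders, not real App Store data.

```python
"""Lookalike wallet-app detector (added example, not from the Securelist report).

Flags app-store style listings whose name is within a few edits of a known
wallet name (typosquatting such as "Ledger Wallt") but whose developer does
not match the developer recorded in an allowlist. Allowlist developer names
and sample listings are CONSTRUCTED placeholders for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical allowlist: normalized wallet name -> expected developer (placeholders).
OFFICIAL_WALLETS = {
    "metamask": "MetaMask Official (placeholder)",
    "ledger wallet": "Ledger Official (placeholder)",
    "trust wallet": "Trust Wallet Official (placeholder)",
    "coinbase": "Coinbase Official (placeholder)",
    "tokenpocket": "TokenPocket Official (placeholder)",
    "imtoken": "imToken Official (placeholder)",
    "bitpie": "Bitpie Official (placeholder)",
}


@dataclass(frozen=True)
class Listing:
    name: str
    developer: str


def normalize(s: str) -> str:
    """Lowercase, strip punctuation and collapse whitespace so 'Ledger-Wallet' == 'ledger wallet'."""
    s = re.sub(r"[^a-z0-9 ]+", " ", s.lower())
    return " ".join(s.split())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    if a == b:
        return 0
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(listing: Listing, max_distance: int = 2) -> tuple[str, str | None]:
    """Return (verdict, matched_wallet).

    "official"  - exact name match and the developer matches the allowlist
    "lookalike" - name equals or is within max_distance edits of a known wallet,
                  but the developer is not the expected one
    "unrelated" - not close to any known wallet name (e.g. a calculator stub)
    """
    name = normalize(listing.name)
    best_wallet, best_dist = None, None
    for wallet in OFFICIAL_WALLETS:
        d = levenshtein(name, wallet)
        if best_dist is None or d < best_dist:
            best_wallet, best_dist = wallet, d
    if best_dist is None or best_dist > max_distance:
        return "unrelated", None
    if best_dist == 0 and listing.developer == OFFICIAL_WALLETS[best_wallet]:
        return "official", best_wallet
    return "lookalike", best_wallet


def triage(listings: list[Listing]) -> list[tuple[str, str, str | None]]:
    """Classify every listing; returns (name, verdict, matched_wallet) tuples."""
    return [(l.name, *classify(l)) for l in listings]


# Constructed sample listings modelled on the patterns the article describes.
SAMPLE_LISTINGS = [
    Listing("MetaMask", "MetaMask Official (placeholder)"),           # genuine publisher
    Listing("Ledger Wallt", "Quick Apps Studio (placeholder)"),       # misspelling from the article
    Listing("Trust Wallet", "Unknown Dev 42 (placeholder)"),          # exact name, wrong developer
    Listing("Pocket Calculator", "Quick Apps Studio (placeholder)"),  # stub-style, unrelated name
]

if __name__ == "__main__":
    for name, verdict, wallet in triage(SAMPLE_LISTINGS):
        print(f"{name!r:22} -> {verdict:10} {wallet or ''}")
```

Note that name similarity alone cannot catch the variant the article mentions where the listing is called something unrelated and only the in-app banner claims the real wallet is "unavailable"; that case is why step 1 (verify the developer) matters more than step 2, and why a short allowlist entry such as "bitpie" should get a tighter distance threshold than the default to limit false positives on other short names.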

What have Apple and security researchers done in response?

Upon discovery in March 2026, Kaspersky researchers immediately reported all 26 confirmed phishing apps to Apple. Apple has since removed several of the malicious apps from the App Store. However, additional apps that did not yet contain phishing code but appeared linked to the same actors were also flagged; these remain under review. The security community continues to monitor for new variants and updated modules. Kaspersky’s detection signatures (HEUR:Trojan-PSW.IphoneOS.FakeWallet.*) now cover this threat, and users are advised to run security scans if they have recently installed any wallet apps from the Chinese store. The incident highlights ongoing challenges in App Store vetting and the need for users to remain vigilant.