Fake Crypto Wallet Apps Target Users on Apple App Store
In March 2026, Kaspersky uncovered over twenty phishing applications on the Apple App Store disguised as popular cryptocurrency wallets. These fraudulent apps redirect users to deceptive web pages that mimic legitimate wallet interfaces, allowing attackers to harvest recovery phrases and private keys. The operation, active since late 2025, highlights a resurgence of targeted schemes exploiting user trust in well-known crypto services.
Recent trends show a concerning evolution in phishing tactics, particularly in the distribution channels used to deliver malicious payloads. Key to this campaign is the practice of typosquatting, where attackers create slightly altered app names or icons to evade detection, capitalizing on the unavailability of official wallet apps in China. The reported apps often feature stubs that may appear harmless, masking their true intent until a user engages further. The included images illustrate how the malicious apps ranked in search results and included promotional claims that misled users into believing they were legitimate.
The malware primarily targets users in China, but its design makes it accessible to international users due to adaptive phishing notifications that adjust based on language settings. This broadens the potential scope for victimization beyond the intended regional targets. Significant risk also arises from the advanced capabilities of the malicious modules, which include specialized functions tailored to extract sensitive information directly from the wallet recovery process without requiring further interaction.
Defensive Context
Organizations and individuals using cryptocurrency wallets must stay vigilant against phishing attacks, specifically those targeting popular hot and cold wallets. This campaign underscores the need for heightened awareness about downloading apps from official app stores and verifying the authenticity of applications before sharing sensitive information.
Why This Matters
The implications of these phishing activities reflect a real-world risk to anyone who engages with cryptocurrency platforms. Users of popular wallets like MetaMask, Ledger, and Trust Wallet need to exercise extreme caution, particularly in environments where regulations limit access to official applications.
Defender Considerations
While Kaspersky has reported several compromised applications to Apple, organizations must actively monitor for IOCs tied to the malware and its associated infrastructure. Valuable indicators include the phishing app names and the known command-and-control server addresses. Engaging in proactive threat hunting and employing behavioral detection strategies against unauthorized app activities can help mitigate risks associated with such malware.
Indicators of Compromise (IOCs)
Infected cryptocurrency wallet IPA file hashes:
– 4126348d783393dd85ede3468e48405d
– b639f7f81a8faca9c62fd227fef5e28c
– d48b580718b0e1617afc1dec028e9059
– bafba3d044a4f674fc9edc67ef6b8a6b
Malicious dylib file hashes and file hashes for malicious React Native apps were also documented, emphasizing the diversity of techniques used across the campaign. Users should remain attentive to emerging threats that may leverage similar strategies in their application downloads and interactions.
