Scammers plant 26 fake crypto apps in Apple’s Chinese App Store


Kaspersky discovered over two dozen phishing apps in the Chinese Apple App Store mimicking popular and trusted crypto wallets.

Last month, security researchers at Kaspersky uncovered 26 phishing apps in the App Store masquerading as popular crypto wallets. Because of regional restrictions, most official crypto wallet apps are unavailable to users in China. Scammers seized on this gap by planting fake apps in the Chinese App Store.

The malicious apps pretended to be legit versions of major wallet apps, including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. By using a tactic called typosquatting, the scammers tried to deceive inattentive users.


According to the researchers, the promotional banners for these apps claimed that the official wallet was “unavailable in the App Store” and instructed users to download it through the app instead. Users were then redirected to browser pages that were designed to look like the App Store. Instead of downloading and installing the bona fide wallet apps, users received trojanized versions.


The scammers abused iOS provisioning profiles to install infected versions of crypto wallets onto the victim’s device. Apple designed provisioning profiles so companies can create and deploy internal apps to employees without going through the App Store. Enterprise provisioning profiles are a favorite tool for makers of software cracks, cheats, online casinos, pirated mods of popular apps, and malware, Kaspersky argues.
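For defenders triaging a sideloaded app, the profile type can be read from the `embedded.mobileprovision` file inside the app bundle. The following is an added example, not code from Kaspersky's report: it assumes the standard profile keys `ProvisionsAllDevices`, `ProvisionedDevices`, `TeamIdentifier` and `get-task-allow`, and the sample profile and the `trusted_teams` allowlist are constructed for illustration.

```python
import plistlib

# Constructed sample: a .mobileprovision is a CMS envelope wrapped around an XML plist.
# The header and trailer bytes here are placeholders, not a real signature.
SAMPLE_PLIST = plistlib.dumps({
    "Name": "Constructed In-House Profile",
    "TeamName": "Example Holdings Ltd",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "Entitlements": {"get-task-allow": False},
})
SAMPLE_BLOB = b"\x30\x82constructed-cms-header" + SAMPLE_PLIST + b"\x00constructed-sig"


def extract_profile_plist(blob: bytes) -> dict:
    """Pull the embedded XML plist out of the envelope (signature is NOT verified)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Classify the distribution type from the profile's keys."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"  # in-house: installs on any device, no App Store review
    if "ProvisionedDevices" in profile:
        debug = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debug else "ad-hoc"
    return "app-store"


def triage(blob: bytes, trusted_teams: set) -> dict:
    """Flag enterprise-signed apps whose team is not on the organisation's allowlist."""
    profile = extract_profile_plist(blob)
    kind = classify_profile(profile)
    teams = profile.get("TeamIdentifier", [])
    flagged = kind == "enterprise" and not any(t in trusted_teams for t in teams)
    return {"name": profile.get("Name"), "team": profile.get("TeamName"),
            "kind": kind, "flag": flagged}


if __name__ == "__main__":
    print(triage(SAMPLE_BLOB, trusted_teams={"ZZZZZ99999"}))
```
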

Once the fake crypto wallet apps were installed, the attackers were able to steal recovery phrases from popular crypto wallets.

“The infected apps are specifically engineered to hijack recovery phrases and private keys. Metadata from the malware suggests this campaign has been flying under the radar since at least the fall of 2025,” Kaspersky said in a report detailing the malware campaign.

While the campaign is not exceptionally complex from a technical standpoint, it poses serious risks to users. The fake crypto wallet apps and Kaspersky’s findings have been reported to Apple. Several of the malicious apps have already been pulled from the store.

