FakeWallet campaign smuggles 26 crypto-draining apps into China's App Store
Original source: China's Apple App Store infiltrated by crypto-stealing wallet apps (BleepingComputer)
Kaspersky has tied 26 malicious iOS apps to a campaign it calls FakeWallet, an extension of the SparkKitty operation that has been active since last year. The apps carried typosquatted names and cloned branding of MetaMask, Coinbase, Trust Wallet, and OneKey, but their App Store listings were presented as games and calculators, which let them pass review and slip past China's restrictions on crypto wallet software.
Once launched, the apps routed victims to phishing pages that pushed trojanized wallet builds through iOS enterprise provisioning profiles, the same sideloading trick SparkKitty used before. Accepting an enterprise profile just to run a consumer wallet is itself the tell: legitimate wallets ship through the App Store or TestFlight, not through a profile a web page asks you to trust. The modified wallets hooked the setup and recovery flows to capture mnemonic seed phrases, RSA-encrypted them, Base64-encoded the ciphertext (Base64 is transport encoding, not a second layer of encryption), and exfiltrated the result. For hardware wallets like Ledger, fake in-app security prompts coaxed users into typing their seed phrases by hand. A seed phrase is all an attacker needs to restore the wallet on their own device and empty it; on-chain transfers are irreversible, so the victim has no recovery path.
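Why a captured phrase is enough, as an added example (not code from the article, Kaspersky, or any wallet vendor): the BIP39 mnemonic-to-seed and BIP32 root-key steps are fully deterministic, so whoever holds the words computes the same seed and the same master key. The mnemonic below is the published BIP39 reference vector for all-zero entropy, a constructed test input rather than a funded wallet; the only layer that survives phrase theft is an optional BIP39 passphrase, shown here changing the seed.

```python
"""BIP39 mnemonic -> wallet seed, using only the Python standard library.

Added example, not code from the article, Kaspersky, or any wallet vendor.
The mnemonic is the published BIP39 reference vector for all-zero entropy
(a constructed test input, not a wallet that holds funds).
"""
import hashlib
import hmac
import unicodedata

# Constructed input: first BIP39 reference test vector (12 words).
TEST_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)
# Reference seed published for that vector with passphrase "TREZOR".
TEST_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def normalize_mnemonic(words: str) -> str:
    """NFKD-normalise and collapse whitespace, as BIP39 requires before hashing.

    A stolen phrase captured with odd spacing or line breaks still yields the
    same seed after this step, so sloppy capture does not save the victim.
    """
    return " ".join(unicodedata.normalize("NFKD", words).split())


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    password = normalize_mnemonic(mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def master_key_from_seed(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 root: HMAC-SHA512 keyed with b"Bitcoin seed" over the BIP39 seed.

    Returns (master private key, chain code). Every account key in a standard
    HD wallet is derived from these two values, so they are what a thief rebuilds.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def seed_matches_reference(passphrase: str) -> bool:
    """True only when the optional BIP39 passphrase matches the reference one."""
    return mnemonic_to_seed(TEST_MNEMONIC, passphrase).hex() == TEST_SEED_HEX


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    key, chain = master_key_from_seed(seed)
    print("seed matches BIP39 vector:", seed.hex() == TEST_SEED_HEX)
    print("master private key:", key.hex())
    # Same twelve words, no passphrase: a completely different wallet.
    print("without passphrase, same seed:", seed_matches_reference(""))
```

The passphrase only helps if it was never typed into the trojanized app alongside the words; the fake "security check" prompts described above are designed to harvest exactly that. Never paste a real seed phrase into a script like this.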
Apple pulled all 26 apps after disclosure, but the incident follows a separate case last week in which a rogue Ledger app on the App Store drained $9.5 million from 50 macOS users. App Review inspects the binary it is given; it does not follow a phishing redirect or audit a payload sideloaded afterward through an enterprise profile, so operators who keep the store listing benign and move the malicious behavior off-store keep getting through. FakeWallet's current lures target Chinese users, but nothing in the malware itself restricts it to that region.
This is an AI-generated summary. Read the original for the full story.