Kaspersky researchers have identified a malicious campaign dubbed “FakeWallet” that placed 26 fraudulent cryptocurrency wallet applications in Apple’s App Store in China. The apps, which impersonated popular services including MetaMask, Coinbase, Trust Wallet, and OneKey, have been linked to the theft of millions of dollars in cryptocurrency from Chinese users through a combination of social engineering and abuse of Apple’s own distribution mechanisms.
The threat actors behind FakeWallet used a multi-stage approach to get past App Store review. Because cryptocurrency wallet applications face restrictions in China, the attackers submitted their apps as innocuous utilities (games, calculators, and productivity tools) to avoid scrutiny. The borrowed brand names and look-alike spellings only surfaced once a victim was inside the app: the decoys themselves stole nothing, but used that fake branding to mimic legitimate wallet services and lure users into a phishing chain.
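As an added illustration (not part of the original article or Kaspersky's research), the following Python check flags app, listing or domain names that reuse a wallet brand outright or imitate it through confusable characters and small spelling changes, which is the kind of triage a store reviewer or brand-protection team would run over new submissions. The brand list and the confusable map are assumptions for the example.

```python
"""Brand-impersonation check for app or domain names.

Added example, not Kaspersky's tooling: normalises confusable characters and
separators, then looks for a protected wallet brand either embedded in the
name or within a small edit distance of it.
"""
import unicodedata

# Brands the article names as impersonated; the list itself is an assumption.
PROTECTED_BRANDS = ["metamask", "coinbase", "trust wallet", "onekey"]

# Hand-picked ASCII confusables seen in typosquats (digit/symbol -> letter).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l", "!": "i",
})


def normalize(name: str) -> str:
    """Lower-case, fold to ASCII, map confusables to letters, drop separators.

    Non-ASCII look-alikes (e.g. Cyrillic o) have no ASCII decomposition and are
    dropped, which turns a homoglyph into a one-character deletion that the
    edit-distance pass below still catches.
    """
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    mapped = folded.lower().translate(CONFUSABLES)
    return "".join(ch for ch in mapped if ch.isalnum())


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with a single rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_brand(candidate: str, max_distance: int = 1):
    """Return (brand, distance) when `candidate` impersonates a protected brand.

    distance 0: the brand is spelled exactly (legitimate or not; verify the
                publisher/team before trusting it)
    distance>0: the brand is reached only via confusables or edits (typosquat)
    None:       no protected brand is close enough
    """
    norm = normalize(candidate)
    # Same reduction without confusable mapping, to tell exact spelling apart.
    plain = "".join(ch for ch in candidate.lower() if ch.isalnum())
    for brand in PROTECTED_BRANDS:
        target = normalize(brand)
        if target in norm:
            return (brand, 0 if target in plain else 1)
    brand, dist = min(
        ((b, levenshtein(norm, normalize(b))) for b in PROTECTED_BRANDS),
        key=lambda t: t[1],
    )
    return (brand, dist) if dist <= max_distance else None


if __name__ == "__main__":
    for name in ["MetaMask", "MetaMa5k Wa11et", "\u041eneKey", "Coinbsae", "Calculator Pro"]:
        print(f"{name!r:22} -> {match_brand(name, max_distance=2)}")
```

A distance of 0 is not a clean bill of health: a listing titled exactly "MetaMask" still needs its publisher and team checked, which is the point the article's recommendations make. Raising `max_distance` catches transpositions like "Coinbsae" at the cost of more false positives on short names.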
According to Kaspersky’s analysis, FakeWallet is an evolution of the SparkCat operation, a malware campaign active since 2024. The 26 identified applications served as entry points to a broader infrastructure built to compromise cryptocurrency holdings. Rather than carrying the malicious payload themselves, which would have given App Store review something to catch, the apps acted as redirectors, immediately sending users to external phishing pages designed to resemble legitimate crypto service portals.
The phishing sites ran the second phase of the attack, persuading victims to install trojanized wallet applications through iOS provisioning profiles. This abuses Apple’s legitimate enterprise distribution feature, intended for corporations deploying internal software to their own staff, to sideload apps that never pass through App Store review. iOS still requires the user to explicitly trust the developer certificate in Settings before such an app will launch, so the technique depends on a cooperative victim, which is what the preceding phishing stage is designed to produce. The same provisioning profile approach was previously observed in the broader SparkCat operation, strengthening the attribution link between the campaigns and showing a consistent technical signature across the actor’s activity.
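When triaging a sideloaded IPA, the first thing to look at is the embedded provisioning profile: it names the team that signed the app and says whether it was distributed as an enterprise (all-devices) profile rather than through the store. The Python script below, an added example that is not from the article or from Kaspersky, does that triage over a constructed sample profile; the team name, team identifier and bundle ID in the sample are made up, and the fake DER bytes around the plist stand in for the real CMS signature container, which the script deliberately does not verify.

```python
"""Triage an iOS provisioning profile extracted from a sideloaded IPA.

Added example; the profile below is constructed for illustration and the team
name/identifier are made up. A real embedded.mobileprovision is a CMS (PKCS#7)
signed DER blob wrapping an XML plist; this script only locates and parses the
plist and does not verify the CMS signature (on macOS,
`security cms -D -i embedded.mobileprovision` performs a full decode).
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a few fake DER bytes around an XML plist, mirroring the
# layout of a real profile. ProvisionsAllDevices=true marks an enterprise profile.
SAMPLE_PROFILE = (
    b"\x30\x82\x0b\x3c\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x82"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Wallet Helper</string>
  <key>Name</key><string>Wide Distribution</string>
  <key>TeamName</key><string>Example Distribution Ltd</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>CreationDate</key><date>2025-01-15T00:00:00Z</date>
  <key>ExpirationDate</key><date>2026-01-15T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.wallethelper</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>"""
    + b"\x31\x82\x01\x00"
)


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of the signed container without a CMS parser."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def triage_profile(blob: bytes, now_iso: Optional[str] = None) -> dict:
    """Summarise who signed the profile and how the app can be installed.

    `now_iso` (e.g. "2025-06-01") overrides the clock so results are reproducible.
    """
    p = extract_plist(blob)
    # plistlib returns naive datetimes in UTC, so compare against naive UTC.
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc).replace(tzinfo=None))
    exp = p.get("ExpirationDate")
    ents = p.get("Entitlements", {})
    info = {
        "team": p.get("TeamName"),
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        "app_id": ents.get("application-identifier"),
        "enterprise": bool(p.get("ProvisionsAllDevices")),
        "ad_hoc_devices": len(p.get("ProvisionedDevices", [])),
        "debuggable": bool(ents.get("get-task-allow")),
        "expired": bool(exp and exp < now),
        "findings": [],
    }
    if info["enterprise"]:
        info["findings"].append(
            "enterprise distribution profile: app did not pass App Store review; "
            "confirm the signing team is really the brand the app claims to be"
        )
    if info["ad_hoc_devices"]:
        info["findings"].append(f"ad hoc profile bound to {info['ad_hoc_devices']} device UDIDs")
    if info["debuggable"]:
        info["findings"].append("development profile (get-task-allow set)")
    if info["expired"]:
        info["findings"].append("profile expired; the app will no longer launch")
    return info


if __name__ == "__main__":
    import json
    print(json.dumps(triage_profile(SAMPLE_PROFILE, now_iso="2025-06-01"), indent=2))
```

The useful output is the combination of `enterprise` and `team`: a wallet app that claims to be a well-known brand but is signed by an unrelated enterprise team, and was installed outside the store, is exactly the pattern described above. On a device, the same information is visible under Settings > General > VPN & Device Management, where the victim was asked to trust the profile.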
Once sideloaded, the trojanized wallet applications carried code built to capture the mnemonic recovery phrase during wallet setup or restoration. The malware encrypted the stolen phrase with RSA, Base64-encoded the ciphertext for transport, and sent it to attacker-controlled servers. A recovery phrase is the master key to a wallet: whoever holds it can restore the wallet on their own device and drain the funds irreversibly. Device passcodes, app passwords and two-factor authentication offer no protection here, because none of them are involved when the attacker restores the wallet elsewhere.
For users of hardware wallets such as Ledger, the attackers took a different approach. The trojanized apps displayed in-app phishing prompts dressed up as security verification screens, asking victims to type in their seed phrase under the pretext of a routine security check or firmware update. Legitimate hardware wallet vendors never ask for the seed phrase in companion software; it is entered only on the device itself. The ruse worked against less experienced holders who did not know that and believed they were following a legitimate security procedure.
Kaspersky’s investigation indicates the campaign primarily targeted Chinese users through the region-specific App Store, but the malware infrastructure has no geographic restrictions and could be turned on cryptocurrency holders elsewhere if the operators widen their targeting. The researchers noted that the attack chain leans on trusted brand names and an official distribution channel for the initial foothold before pivoting to sideloaded payloads.
Following Kaspersky’s responsible disclosure, Apple has removed all 26 identified FakeWallet applications from the Chinese App Store. However, questions remain regarding the specific techniques employed to bypass Apple’s application verification processes, particularly given the apps’ ability to masquerade as benign utilities while harboring functionality designed to facilitate cryptocurrency theft. BleepingComputer contacted Apple for comment on these verification bypasses but had not received a response by publication time.
This incident occurs against a backdrop of increasing attacks on cryptocurrency users through official application stores. Last week, security researchers uncovered a separate fraudulent Ledger Live application that made it into Apple’s App Store, resulting in the theft of approximately $9.5 million in cryptocurrency from 50 macOS users. The recurrence of such incidents within official distribution channels underscores both the sophistication of supply chain attacks against digital asset holders and the limits of centralized app review against determined adversaries.
Cryptocurrency security experts recommend that users verify application publishers rigorously, even when downloading from official app stores, and access wallet software exclusively through links provided on verified official websites rather than searching store listings directly. Additionally, users should remain vigilant against any application requesting complete seed phrase entry, as legitimate wallet providers never solicit this information through mobile interfaces or unsolicited security prompts.