Wednesday, April 22, 2026

Kaspersky Identifies 26 Fake Crypto Wallets on Apple App Store Designed to Drain Digital Assets


Global cybersecurity firm Kaspersky has uncovered 26 malicious applications on the Apple App Store masquerading as popular cryptocurrency wallets, including MetaMask, Ledger, Trust Wallet, and Coinbase.

The fraudulent apps redirect users to phishing pages that imitate the official App Store, ultimately tricking victims into installing trojanized wallets designed to steal their digital assets. According to Kaspersky Threat Research, the campaign has been active since at least the fall of 2025 and is attributed with moderate confidence to the threat actors behind SparkKitty.

Other major wallets mimicked in this campaign include TokenPocket, imToken, and Bitpie.

The Attack Vector: From “Stub” Apps to Malicious Profiles

The initial applications bypass App Store security by presenting “stub functionality,” appearing as harmless utilities like calculators, games, or to-do-list managers. Once downloaded and launched, these apps open a webpage mimicking the App Store, prompting the user to download the actual “crypto wallet”.

The installation process relies on confusing the user into approving a corporate developer profile. This allows the attackers to install the trojanized app from outside the official App Store ecosystem.

Targeting Hot and Cold Wallets

The malware is tailored to specific wallets, targeting both hot and cold storage solutions.

For hot wallets, the trojan intercepts the wallet creation or recovery screen to capture seed phrases, giving attackers full access to the victim’s funds.

For cold wallets, the tactic shifts to phishing. For instance, the legitimate Ledger smartphone app functions only as a frontend and never asks for a seed phrase, as private keys are securely stored on a separate hardware device. However, the malicious fake app actively tries to trick the user into manually inputting their seed phrase.

Global Risk Despite Regional Origins

While the malicious apps were predominantly found in the Chinese iOS App Store, Kaspersky warned that the malicious modules themselves have no regional restrictions. Consequently, crypto users in the Philippines and other global markets remain equally exposed to the threat. The firm has already reported all detected malicious applications to Apple.

“While the apps that kick off the attack chain are not inherently malicious, they lead to the user installing a trojan in the end,” said Sergey Puzan, mobile malware expert at Kaspersky. “By paying a fee and setting up a developer account, the attackers can target any iOS device if the user succumbs to the phishing tactic. Users should be wary of the risks related to managing their crypto wallets even on devices that they consider safe, such as iPhones”.

Safety Recommendations

To stay safe, Kaspersky advises users to follow these precautions:

  • Be cautious when following links from inside apps, especially if a page appears unexpectedly.
  • Do not install developer profiles unless explicitly provided by an employer.
  • Ensure recovery phrases are entered only on the physical wallet device; legitimate apps like the original Ledger Wallet will never request it.
  • Always verify that the installed app is from a legitimate publisher, and habitually check download links against the official developer website.

This article is published on BitPinas: Kaspersky Identifies 26 Fake Crypto Wallets on Apple App Store Designed to Drain Digital Assets
