10 Things You Need to Know About the FakeWallet Crypto Stealer Spreading Through iOS Apps
In March 2026, cybersecurity researchers uncovered a sophisticated campaign targeting cryptocurrency users through malicious apps on the Apple App Store. Dubbed FakeWallet, this malware family has been quietly stealing recovery phrases and private keys from popular crypto wallets. Here are ten critical insights into how this threat operates, what makes it unique, and how you can protect yourself.
1. Over 20 Phishing Apps Discovered in the App Store
Security analysts identified more than twenty fraudulent applications lurking in the Apple App Store during a routine scan in March 2026. These apps masqueraded as well-known crypto wallets like MetaMask, Ledger, and Trust Wallet. Instead of providing wallet functionality, they redirected users to browser pages that mimicked the App Store interface, distributing trojanized versions of legitimate wallets. This clever deception allowed the attackers to bypass initial security checks and reach unsuspecting victims.

2. The Malware Specifically Targets Recovery Phrases and Private Keys
Once installed, the FakeWallet malware is engineered to harvest sensitive credentials—namely recovery phrases (seed phrases) and private keys. These are the golden keys to any cryptocurrency wallet. By capturing them, attackers gain full control over the victim's funds. The infection process is silent: users are tricked into entering their credentials on fake login pages that look identical to genuine wallet interfaces, but all data is funneled directly to the attackers' servers.
3. The Campaign Has Been Active Since Fall 2025
Metadata extracted from the malware and associated infrastructure indicates that this campaign has been running under the radar for at least six months before the March 2026 discovery. Evidence suggests the threat actors refined their techniques over time, adding new malicious modules and updating injection methods. This longevity highlights the challenges in detecting such stealthy, evolving threats within curated app stores.
4. A Return of a Known Threat Pattern
This is not the first time researchers have seen such a scheme. Back in 2022, ESET researchers documented compromised crypto wallets distributed through phishing sites that abused iOS provisioning profiles to sideload malware. Those earlier attacks targeted major hot wallets including MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. The 2026 wave represents a resurgence, now with enhanced capabilities and distribution via official App Store apps rather than external phishing sites.
5. Scammers Exploit Regional Restrictions in China
A key factor in the success of this campaign is the unavailability of many official crypto wallet apps in the Chinese App Store due to regional restrictions. Users with Apple IDs set to the Chinese region cannot legally download apps like MetaMask or Coinbase. The attackers exploit this gap by forging apps with similar icons and names—often with intentional typos (typosquatting)—to evade App Store filters and lure users searching for legitimate wallets.
6. Deceptive App Names and Promotional Banners
In some cases, the fraudulent apps used names and icons completely unrelated to cryptocurrency. However, their in-app promotional banners claimed the official wallet was unavailable in the App Store and directed users to download a 'special version' through the fake app itself. This redirection led victims straight to the malware-infected download pages, bypassing standard security checks that might have blocked the direct distribution of trojanized files.

7. Twenty-Six Phishing Apps Mimicked Seven Wallets
During the investigation, researchers pinpointed 26 distinct phishing apps that impersonated seven major wallets: MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. Each app was carefully crafted to replicate the look and feel of the original, down to login screens and transaction history pages. The list was reported to Apple, and several have since been removed from the store, but the threat actors continue to submit new variants.
8. Not All Malicious Apps Were Active at the Time of Discovery
Intriguingly, some apps identified in the store exhibited no overt phishing functionality during initial analysis. However, they shared code structures, developer accounts, and update patterns with the confirmed malware. Experts believe these were sleeper apps, with malicious features waiting to be activated via a future update. This technique allows attackers to bypass initial App Store reviews and later switch on the harmful payload without triggering a new review cycle.
9. The Use of Stubs to Evade Detection
To appear legitimate and avoid immediate suspicion, the phishing apps included functional stubs—placeholders that performed a simple, harmless task. For example, one app might act as a calculator, a game, or a task planner. This layer of camouflage made the apps look genuine to casual reviewers and automated scanning tools, while the actual malicious code lay dormant until the user took specific actions, like clicking a phishing banner.
10. Detection and Protection Measures
Kaspersky products detect these threats under two generic signatures: HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*. To stay safe, users should always download crypto wallets directly from the official website of the wallet provider, verify developer names carefully, and avoid apps with promotional banners urging off-store downloads. Additionally, enable two-factor authentication on your Apple ID and use a reputable mobile security solution to scan for suspicious behaviors.
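As an added, defender-side illustration of points 5, 6 and 10 (example code, not from the article or from Kaspersky), the following Python triages an app-store listing against the wallet brands named above: it flags names that match or typosquat a brand but come from an unexpected developer, and banner text urging an off-store "special version" download. The official publisher strings are placeholders (an assumption), and the sample listing texts are constructed.

```python
import re

# Brands the article says were impersonated, mapped to the publisher string a
# genuine listing should carry. Publisher values are PLACEHOLDERS (assumption),
# not verified App Store developer names; replace them with vetted values.
KNOWN_WALLETS = {
    "metamask": "<official MetaMask publisher>", "ledger": "<official Ledger publisher>",
    "trustwallet": "<official Trust Wallet publisher>", "coinbase": "<official Coinbase publisher>",
    "tokenpocket": "<official TokenPocket publisher>", "imtoken": "<official imToken publisher>",
    "bitpie": "<official Bitpie publisher>",
}

# Banner wording the article describes: the official wallet is "unavailable" in
# the store and the user should fetch a "special version" elsewhere.
OFFSTORE_BANNER = re.compile(
    r"(not available|unavailable) in the app store|special version", re.I)

def normalize(name: str) -> str:
    """Lowercase and drop spaces/punctuation so 'Meta Mask' and 'metamask' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the typical typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_listing(name: str, developer: str, banner_text: str) -> list[str]:
    """Return the reasons a listing deserves analyst review (empty list = nothing flagged)."""
    reasons = []
    norm = normalize(name)
    for brand, official_dev in KNOWN_WALLETS.items():
        d = edit_distance(norm, brand)
        # Exact brand, brand embedded in a longer name, or a close misspelling,
        # all from a developer other than the expected publisher.
        if (d <= 2 or brand in norm) and developer != official_dev:
            kind = "exact brand name" if d == 0 else f"lookalike (distance {d})"
            reasons.append(f"{kind} of {brand} from unexpected developer {developer!r}")
    if OFFSTORE_BANNER.search(banner_text):
        reasons.append("banner urges an off-store 'special version' download")
    return reasons

# Constructed sample listings (not real App Store entries).
SAMPLES = [
    ("MetaMsak", "Some Dev Ltd", "Fast and secure wallet."),
    ("Sunny Calculator", "Some Dev Ltd",
     "The official wallet is unavailable in the App Store in your region; get the special version here."),
    ("MetaMask", "<official MetaMask publisher>", "Your keys, your crypto."),
]
```

Running `triage_listing(*s)` over `SAMPLES` flags the first two entries and returns nothing for the genuine-looking third one; the distance threshold and banner patterns are tuning knobs, not a verdict.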
Conclusion
The FakeWallet campaign is a stark reminder that even curated app stores like the Apple App Store can harbor sophisticated malware. By exploiting regional restrictions, typosquatting, and sleeper updates, the attackers have created a persistent threat. Awareness and cautious downloading habits are your best defense. Always double-check app legitimacy, and never enter your recovery phrase or private key into any interface that you did not explicitly initiate from an official source.