Starexe

The FakeWallet Crypto Stealer: Inside the App Store Phishing Campaign

Last updated: 2026-05-03 01:10:33

In March 2026, security researchers uncovered a sophisticated campaign distributing phishing apps through the Apple App Store. Dubbed FakeWallet, this malware targets cryptocurrency users by mimicking legitimate wallet applications. Below, we answer key questions about this evolving threat, its techniques, and how to stay safe.

What is the FakeWallet crypto stealer and how does it work?

FakeWallet is a family of trojanized applications that appear as legitimate crypto wallets in the Apple App Store. When a user downloads and launches one of these fake apps, it redirects them to a browser page designed to look like the official App Store. This page then offers a trojanized version of a real wallet for download. Once installed, the malicious software is engineered to hijack recovery phrases and private keys. The malware has been active since at least fall 2025, flying under the radar with frequent updates and new injection techniques. Kaspersky detects it as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*.

The FakeWallet Crypto Stealer: Inside the App Store Phishing Campaign
Source: securelist.com

How did attackers bypass Apple's App Store security to distribute these apps?

The attackers exploited a gap caused by regional restrictions. Many official crypto wallets are unavailable on the Chinese App Store due to local regulations. Scammers took advantage of this by creating apps with typosquatted names and icons that closely mimic the originals. Some apps had completely unrelated names and icons, but their promotional banners falsely claimed the official wallet was "unavailable in the App Store" and directed users to download via the app itself. These apps often included a functional stub — such as a game, calculator, or task planner — to appear legitimate and evade automated review. Once downloaded, the malicious behavior could be triggered from a remote server, with some apps containing dormant code awaiting activation in future updates.

Which specific crypto wallets were mimicked in this campaign?

During the investigation, 26 phishing apps were identified in the App Store masquerading as the following major wallets:

  • MetaMask
  • Ledger
  • Trust Wallet
  • Coinbase
  • TokenPocket
  • imToken
  • Bitpie

All findings were reported to Apple, and several malicious apps have already been removed. Additionally, researchers found similar apps without active phishing functionality but clearly linked to the same threat actors — likely waiting for a future update to enable malicious features. This targeting list covers both hot wallets (like MetaMask) and hardware wallet companion apps (like Ledger Live), indicating the attackers aimed to steal recovery phrases from as many users as possible.

Is this the first time such a crypto-theft scheme has been seen?

No. In 2022, ESET researchers discovered compromised crypto wallets distributed through phishing sites. That earlier campaign abused iOS provisioning profiles to install malware, stealing recovery phrases from major wallets like MetaMask, Coinbase, Trust Wallet, and others. Fast forward to 2026, and the same core threat is resurgent with new malicious modules, updated injection techniques, and a new distribution method — phishing apps submitted directly to the App Store rather than relying solely on sideloading. The current campaign demonstrates how threat actors evolve their tactics over time while exploiting the same human trust in official app marketplaces.

What technical indicators can users look for to identify FakeWallet apps?

Users should be cautious of the following red flags:

  • Typos in app names: even one misspelled letter in a name such as "Ledger" is a warning.
  • Unusual promotional banners claiming the official wallet is unavailable and offering a download link.
  • Apps with no visible cryptocurrency features — some fake apps are actually games or calculators, but their banners push crypto downloads.
  • Requests for recovery phrases or private keys — legitimate wallets never ask for these in any context.
  • Check developer names and reviews: fake apps often have few reviews or suspiciously positive ones.

Always download wallet apps directly from the official website link provided by the developer, and verify the app's bundle identifier matches the official one. If in doubt, avoid the app and report it to Apple.
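
The name and bundle-identifier checks above can be run over an app inventory, for example an MDM export. This is an added example, not code from the original article or from the researchers; the bundle IDs are placeholders, the look-alike map and sample inventory are constructed, and the function names are hypothetical.

```python
import unicodedata
from difflib import SequenceMatcher

# Wallet brands named on this page. The bundle IDs are constructed PLACEHOLDERS,
# not the vendors' real identifiers; take the real ones from each vendor's site.
BRANDS = ["MetaMask", "Ledger", "Trust Wallet", "Coinbase", "TokenPocket",
          "imToken", "Bitpie"]
OFFICIAL = {b: "placeholder.official." + b.replace(" ", "").lower() for b in BRANDS}

# Small illustrative look-alike map (Cyrillic letters, digit swaps); this is not
# a complete Unicode confusables table.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "0": "o", "1": "l",
})

def fold(name):
    """Split a display name into lowercase words with look-alikes replaced."""
    text = unicodedata.normalize("NFKC", name).lower().translate(CONFUSABLES)
    return "".join(ch if ch.isalnum() else " " for ch in text).split()

def classify(display_name, bundle_id, threshold=0.8):
    """Return (verdict, brand); verdict is 'official', 'lookalike' or 'unrelated'."""
    for brand, official_id in OFFICIAL.items():
        if bundle_id == official_id:
            return ("official", brand)
    words = fold(display_name)
    joined = "".join(words)
    for brand in BRANDS:
        key = "".join(fold(brand))
        close = any(SequenceMatcher(None, w, key).ratio() >= threshold
                    for w in words + [joined])
        if key in joined or close:  # brand name, or a near miss, under a foreign ID
            return ("lookalike", brand)
    return ("unrelated", None)

def triage(inventory):
    """Return (name, bundle_id, verdict, brand) for every look-alike entry."""
    results = [(name, bid) + classify(name, bid) for name, bid in inventory]
    return [r for r in results if r[2] == "lookalike"]

# Constructed sample inventory of (display name, bundle ID); none are real apps.
SAMPLE = [
    ("Ledger Live", OFFICIAL["Ledger"]),                  # official ID
    ("L\u0435dger Wallet", "constructed.example.notes"),  # Cyrillic 'e'
    ("MetaMaskk", "constructed.example.calc"),            # extra letter
    ("Ledgar", "constructed.example.game"),               # one letter changed
    ("Daily Task Planner", "constructed.example.planner"),
]
```

Name matching cannot catch the apps in this campaign that used unrelated names and icons; those still need the banner and behaviour red flags listed above.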

How can users protect their cryptocurrency from FakeWallet and similar threats?

To stay safe, follow these best practices:

  1. Only download wallet apps from well-known official sources, ideally via links from the developer's verified website or social media accounts.
  2. Enable two-factor authentication (2FA) on all exchange and wallet accounts.
  3. Never share your recovery phrase or private key — not even with an app that claims to be a wallet.
  4. Keep your device and apps updated to the latest OS versions, which include security patches.
  5. Use reputable mobile security software that can detect trojans, such as Kaspersky’s products, which already detect this threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.*.
  6. If an app behaves strangely after installation — like opening a browser automatically — uninstall it immediately and change your wallet credentials.

Regularly monitor your crypto wallets for unauthorized transactions and consider using hardware wallets for large holdings.