10 Critical Facts About the FakeWallet Crypto Stealer Infiltrating Apple's App Store

In March 2026, security researchers uncovered a coordinated campaign targeting cryptocurrency users through the Apple App Store. Twenty-six fake wallet apps, posing as well-known platforms such as MetaMask and Ledger, were found stealing recovery phrases and private keys. This listicle breaks down the technical details, the regional targeting, and the historical context of the campaign: how the scam works, who is at risk, and what Apple has done so far. Each numbered item below covers one aspect of the FakeWallet operation, from its discovery to the detection names assigned to its samples.

1. Discovery: 26 Phishing Apps in the App Store

In early 2026, researchers identified 26 malicious apps in Apple's official marketplace. The apps posed as well-known crypto wallets: MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. The campaign was first spotted in the Chinese App Store, where regional restrictions leave the official wallet apps unavailable. Scammers exploited that gap by submitting fake apps with convincing icons and names. Apple removed several of them after being notified, but the incident underscores that a curated store is not a guarantee of safety.

Source: securelist.com

2. How the Attack Works: Redirects and Trojanized Downloads

The App Store app itself is only the lure. Once launched, it redirects the user to browser pages that mimic the App Store or the wallet vendor's official site, and those pages offer trojanized builds of the legitimate wallets, which the user then installs outside the App Store. The trojanized builds are engineered to capture recovery phrases and private keys as soon as the user sets up or imports a wallet. Because the flow looks like an ordinary download from the vendor, victims install the malware themselves, and the stolen credentials are sent to command-and-control servers operated by the threat actors.

3. Primary Objective: Stealing Recovery Phrases and Private Keys

The core goal of the FakeWallet malware is to capture a user's seed phrase or private key. These secrets are the wallet: whoever holds them can sign transactions and drain the funds completely, and no password reset or account recovery can undo it. The trojanized builds capture the phrase at the point where the user creates or imports a wallet and exfiltrate it in the background; because a recovery phrase is typed directly into the app, the app does not need any exploit to harvest it. Once the phrase is stolen, funds are typically moved to attacker-controlled addresses within minutes, which makes the malware especially dangerous for holders of high-value wallets.

4. Campaign Timeline: Active Since Fall 2025

Metadata embedded in the FakeWallet samples suggests the campaign began as early as September 2025, so the attackers operated for roughly six months before the March 2026 discovery. During that period they added new modules and refined their injection techniques. A stealth phase of that length points to a well-organized operation, and the researchers believe the actors tracked detection rates and adjusted their infrastructure to avoid alerting Apple or security vendors.

5. Historical Precedent: ESET's 2022 Discovery

This is not the first time crypto thieves have abused iOS provisioning profiles to sideload trojanized wallets. In 2022, ESET researchers documented similar malware distributed through phishing websites, and that earlier campaign also targeted hot wallets such as MetaMask and Coinbase. The 2025 to 2026 campaign appears to be a direct evolution: it shares the core technique of sideloading trojanized wallet builds, but it features improved injection methods and now uses App Store listings as the first hop in the distribution chain. The continuity shows how threat actors refine old tactics for new entry points.

6. New Malicious Modules and Injection Techniques

Compared with the 2022 attack, the FakeWallet campaign adds several upgrades. New malicious modules intercept clipboard data, monitor background processes, and evade security checks. The injection techniques now use dynamically generated URLs and encrypted payloads to frustrate static analysis. The attackers also implemented region-aware behavior: the phishing functionality activates only when the device's locale matches a target market, so a reviewer or analyst outside that market sees a harmless app. Together these changes make the malware harder to detect and to remove.


7. Kaspersky Detection Names

Kaspersky products detect the FakeWallet samples under two verdict families: HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*. The names follow Kaspersky's usual scheme of prefix, behaviour class, platform, family and variant: Trojan-PSW is the class for password (credential) stealers and covers the samples that harvest seed phrases, while plain Trojan covers the samples with general trojan behaviour; the HEUR prefix marks a heuristic detection, and the trailing asterisk is a wildcard over the per-sample variant suffix. One caveat for practitioners: iOS sandboxing prevents third-party security apps from scanning other apps' binaries, so these verdicts are most useful for triaging extracted samples and for correlating with other vendors' detections, not as an on-device install-time block.
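The verdict names above are worth parsing rather than eyeballing when correlating a batch of samples. The following Python is an added example, not Kaspersky's own code: it assumes the documented Kaspersky naming scheme (optional prefix, behaviour class, platform, family, optional variant), splits a verdict into those components, and matches verdicts against the two wildcard patterns quoted in this item. The list of verdict strings is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout of a Kaspersky verdict: [Prefix:]Behaviour.Platform.Family[.Variant]
# e.g. HEUR:Trojan-PSW.IphoneOS.FakeWallet.a
VERDICT_RE = re.compile(
    r"^(?:(?P<prefix>[A-Za-z-]+):)?"
    r"(?P<behaviour>[A-Za-z-]+)\."
    r"(?P<platform>[A-Za-z0-9]+)\."
    r"(?P<family>[A-Za-z0-9_]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9_]+))?$"
)

# The two family patterns quoted in this item.
FAKEWALLET_PATTERNS = [
    "HEUR:Trojan-PSW.IphoneOS.FakeWallet.*",
    "HEUR:Trojan.IphoneOS.FakeWallet.*",
]


@dataclass(frozen=True)
class Verdict:
    prefix: Optional[str]
    behaviour: str
    platform: str
    family: str
    variant: Optional[str]

    @property
    def heuristic(self) -> bool:
        # HEUR: prefix = heuristic detection rather than an exact signature
        return self.prefix is not None and self.prefix.upper() == "HEUR"

    @property
    def steals_credentials(self) -> bool:
        # Trojan-PSW is the password-stealer behaviour class
        return self.behaviour.upper() == "TROJAN-PSW"


def parse_verdict(name: str) -> Verdict:
    """Split a verdict string into its components; raises on malformed input."""
    m = VERDICT_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Kaspersky-style verdict: {name!r}")
    return Verdict(**m.groupdict())


def matches_family_pattern(name: str, pattern: str) -> bool:
    """True if `name` falls under `pattern`; a trailing '.*' accepts any
    variant suffix (or none). Comparison is case-insensitive."""
    n, p = name.strip().lower(), pattern.strip().lower()
    if p.endswith(".*"):
        base = p[:-2]
        return n == base or n.startswith(base + ".")
    return n == p


def fakewallet_hits(verdicts: List[str]) -> List[Verdict]:
    """Return parsed verdicts that belong to either FakeWallet family,
    silently skipping lines that are not verdicts at all."""
    hits = []
    for raw in verdicts:
        try:
            parsed = parse_verdict(raw)
        except ValueError:
            continue
        if any(matches_family_pattern(raw, p) for p in FAKEWALLET_PATTERNS):
            hits.append(parsed)
    return hits


# Constructed sample: a mixed batch of verdict strings as they might come
# out of a scan report. Only the first two are FakeWallet on iOS.
SAMPLE_VERDICTS = [
    "HEUR:Trojan-PSW.IphoneOS.FakeWallet.a",
    "HEUR:Trojan.IphoneOS.FakeWallet.b",
    "Trojan-Dropper.AndroidOS.Agent.abc",
    "HEUR:Trojan-PSW.AndroidOS.FakeWallet.c",  # same family name, other platform
    "not a verdict at all",
]

if __name__ == "__main__":
    for v in fakewallet_hits(SAMPLE_VERDICTS):
        print(v.family, v.platform, "credential-stealer" if v.steals_credentials else "generic-trojan")
```

The platform component matters: a FakeWallet family name on AndroidOS is a different sample set, so the matcher compares the whole prefix of the pattern rather than the family name alone.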

8. Regional Targeting: Chinese App Store Restrictions

The attack focused on users in China, where the official crypto wallet apps are often unavailable because of the region tied to the user's Apple ID. A search for a term such as 'Ledger Wallet' in the Chinese App Store therefore returned the fake apps near the top of the results, with no genuine listing to compete against. The attackers relied on typosquatting, close variants of the brand names rather than the exact trademarks: 'MetaMask', for instance, appeared as 'MetaMaskk'. A near-miss name still matches what users search for while avoiding an exact match against the real brand. The regional gap created a vacuum that scammers were happy to fill.
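Brand-protection teams catch this kind of listing with a lookalike check over store search results. The following Python is an added example, not code from the Securelist report: it normalizes listing names (case, spacing, digit-for-letter homoglyphs, doubled letters such as the extra 'k' in 'MetaMaskk'), then flags any name that contains or sits within one edit of a wallet brand unless the listing's developer is the brand's official account. The official developer names are placeholders, since the page does not give them, and the listings are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Brands the page says were impersonated.
WALLET_BRANDS = ["MetaMask", "Ledger", "Trust Wallet", "Coinbase",
                 "TokenPocket", "imToken", "Bitpie"]

# PLACEHOLDERS: the real official developer account names are not on the
# page; a monitoring job would fill these in from each vendor's website.
OFFICIAL_DEVELOPERS: Dict[str, str] = {
    "MetaMask": "official-metamask-dev (placeholder)",
    "Ledger": "official-ledger-dev (placeholder)",
    "Trust Wallet": "official-trustwallet-dev (placeholder)",
    "Coinbase": "official-coinbase-dev (placeholder)",
    "TokenPocket": "official-tokenpocket-dev (placeholder)",
    "imToken": "official-imtoken-dev (placeholder)",
    "Bitpie": "official-bitpie-dev (placeholder)",
}

# Characters commonly swapped for letters in lookalike names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
              "7": "t", "@": "a", "$": "s", "|": "l"}


def normalize(name: str) -> str:
    """Canonical form used on both the brand and the candidate name."""
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in name.lower())
    s = re.sub(r"[^a-z0-9]", "", s)      # drop spaces and punctuation
    s = s.replace("rn", "m").replace("vv", "w")  # letter pairs read as one glyph
    s = re.sub(r"(.)\1+", r"\1", s)      # collapse doubled letters: metamaskk -> metamask
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(app_name: str, brands: List[str] = WALLET_BRANDS,
                    max_distance: int = 1) -> Optional[Tuple[str, int]]:
    """Return (brand, distance) if the name impersonates a brand, else None.
    Distance 0 means the normalized brand appears inside the normalized name."""
    n = normalize(app_name)
    best: Optional[Tuple[str, int]] = None
    for brand in brands:
        b = normalize(brand)
        if b in n:
            return brand, 0
        d = levenshtein(n, b)
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best


def flag_listings(listings: List[Tuple[str, str]]) -> List[dict]:
    """listings: (app name, developer name) pairs from a store search.
    Flags names that impersonate a brand unless the developer is the
    brand's official account."""
    flagged = []
    for app_name, developer in listings:
        hit = lookalike_brand(app_name)
        if hit is None:
            continue
        brand, distance = hit
        if developer == OFFICIAL_DEVELOPERS.get(brand):
            continue
        flagged.append({"app": app_name, "developer": developer,
                        "impersonates": brand, "distance": distance})
    return flagged


# Constructed sample search results; the first is the genuine listing.
SAMPLE_LISTINGS = [
    ("MetaMask", "official-metamask-dev (placeholder)"),
    ("MetaMaskk Wallet", "Zhang Studio"),     # doubled letter
    ("Ledger Wa11et", "Fast Apps Ltd"),       # digit homoglyphs
    ("Trust VVallet", "Mobile Tools"),        # 'vv' for 'w'
    ("Coinbse", "Wallet Team"),               # one character dropped
    ("Calculator Pro", "Mobile Tools"),       # unrelated name, not flagged
]

if __name__ == "__main__":
    for f in flag_listings(SAMPLE_LISTINGS):
        print(f)
```

The containment test is deliberately loose (a brand buried anywhere in a longer name is flagged), which suits a monitoring feed where a human reviews the hits. Note what this check cannot catch: the apps in item 9 below, whose names and icons were unrelated to crypto and whose lure sat in the screenshots, need description and screenshot review rather than name matching.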

9. Deceptive Screenshots and Stubs

Many of the fake apps promoted themselves with screenshots claiming that the official wallet was 'unavailable in the App Store' and directing users to obtain it through the fake app instead. Some had icons and names with no connection to crypto at all, such as games or calculators, and relied on promotional banners to attract victims. These apps shipped with functional stubs, simple placeholders such as a working calculator or planner, so that the listing looked legitimate to a reviewer. The malicious functionality stayed dormant until the app ran on a device in a targeted region.

10. Apple's Response and Future Update Risk

The researchers reported all 26 apps to Apple, and several were promptly removed from the store. They also identified additional apps that had no phishing functionality at the time of analysis but showed strong links to the same threat actors. Such 'clean' apps can receive a malicious update later that switches the stealer on, and an app that passed review as a benign stub carries that trust into every subsequent version. This pattern is a growing challenge for app store moderation. Users should treat it accordingly and avoid installing any wallet app that is not published by the wallet's official developer account.

The FakeWallet campaign is a stark reminder that even trusted app stores are not immune to sophisticated phishing. By combining typosquatting, regional gaps in availability, and modular malware, the attackers built a persistent threat. Apple has taken initial steps, but the prospect of malicious updates to apps still in the store means vigilance matters. Verify the developer account before installing, be suspicious of any listing that appears precisely where the official app is region-blocked, never install a wallet from a web page an app redirected you to, and never enter a recovery phrase into an app you did not obtain from the official developer. In the crypto world your keys are your coins; protect them accordingly.
