Apple Account Data and Bluetooth Signals Tie Suspect to Crypto Robbery


The App Store ecosystem has been infiltrated by a coordinated wave of fraudulent cryptocurrency wallet applications that exploit regional platform restrictions and user trust to steal credentials from iOS users. More than two dozen malicious apps have been linked to a campaign called “FakeWallet,” which has been active since at least late 2025 and is designed to harvest passwords and private keys from unsuspecting users through a range of malware components.
In early March, counterfeit wallet applications began appearing prominently in search results on China’s App Store, undermining several legitimate crypto wallet services that are subject to regulatory restrictions there.
By replicating trusted wallet branding, using typosquatting techniques and embedding deceptive prompts that steer users toward unofficial wallet downloads, the campaign blurred the distinction between genuine financial tools and malicious software, significantly increasing the chances that iPhone users fall victim to cryptocurrency theft.
During technical analysis, Kaspersky determined that the phishing applications served primarily as delivery mechanisms, steering users to install trojanized cryptocurrency wallet software via their browsers.
According to the researchers, the malicious payloads are most commonly introduced through third-party libraries bundled within the applications, although several samples showed direct modifications to the wallet code itself, indicating a more sophisticated level of tampering.
Reverse engineering uncovered dedicated routines that intercept and exfiltrate recovery (seed) phrases while also manipulating the wallet restoration process used to recover hot wallets.
The investigation also identified two separate implants targeting cold wallets from Ledger, extending the campaign’s scope beyond software-based assets to hardware wallet users as well.
Researchers also discovered a counterfeit website impersonating Ledger’s official platform that distributed malicious iOS application links, as well as compromised Android wallet packages hosted on Chinese-language phishing websites outside Google Play.
Although the infrastructure and linguistic indicators suggest that Chinese-speaking victims were targeted, it is unclear whether the malware modules enforce any geographic restriction.
Of particular concern, some phishing prompts dynamically adapt to the language settings of the infected application, which means the campaign could easily be extended to international targets.
Furthermore, the operation has been linked to the SparkKitty malware cluster identified last year, based on overlapping distribution tactics, cryptocurrency-centered targeting, Chinese-language debugging strings in the malicious code, and the presence of SparkKitty-related components in several of the analyzed programs.
Apple was notified of the findings, and the identified malicious applications have since been removed from the App Store. According to court records reviewed by Forbes, the incident stemmed from a targeted home invasion last month in Winnetka, where attackers allegedly used social engineering tactics to gain physical access to the victim’s property.
Investigators reported t

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
