
26 Fake Crypto Wallet Apps Infiltrate Apple App Store, Steal Recovery Phrases

Posted by u/Tiobasil · 2026-05-06 00:41:07

Breaking: Cryptocurrency Theft Campaign Hits App Store

March 2026 — Security researchers have uncovered over 26 malicious apps in the Apple App Store that masquerade as popular cryptocurrency wallets. Once installed, these apps redirect users to browser pages that deliver trojanized versions of legitimate wallets, specifically engineered to steal recovery phrases and private keys.

Source: securelist.com

"The malware has been active since at least fall 2025, but this March marked a significant escalation in distribution," said a Kaspersky threat analyst who requested anonymity due to ongoing investigations. The apps are detected by Kaspersky products as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*.

Victims see their digital assets drained within minutes of entering their secret recovery phrases. The campaign exploits the fact that many official crypto wallets are unavailable in certain regions—notably China—due to App Store restrictions.

Background

In March 2026, Kaspersky researchers noticed a wave of phishing apps topping search results in the Chinese App Store. All were disguised as well-known crypto wallets such as MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie.

Because Apple IDs set to the Chinese region cannot access many official wallet apps, scammers have seized the opportunity. They use typosquatting—intentional misspellings—and nearly identical icons to slip past App Store filters and trick users.

Some apps had names and icons unrelated to crypto, but their promotional banners falsely claimed the official wallet was unavailable in the App Store and directed downloads through the malicious app instead. In total, 26 such apps were identified.

Kaspersky reported all findings to Apple, and several apps have already been removed. However, researchers also found similar apps that showed no phishing functionality yet—suggesting the malicious features could be toggled on in a future update. These apps often contained functional placeholders (stubs) like games or calculators to appear legitimate.


"This is a classic bait-and-switch tactic," explained one Kaspersky researcher. The stub is designed to bypass App Store review, then later updated to inject the theft module.

What This Means

This campaign marks a dangerous evolution in mobile crypto theft. Unlike earlier attacks in 2022 that used phishing sites and iOS provisioning profiles, this new wave distributes malware directly through the App Store—a platform many users trust implicitly.

With new malicious modules and updated injection techniques, the threat actors are becoming more sophisticated. Users who install what they believe is an official wallet may unknowingly hand over their recovery phrases, resulting in irreversible loss of funds.

Kaspersky urges all iOS users to verify wallet apps by checking the developer name, reading recent reviews, and avoiding any app that asks for a seed phrase outside its official interface. "Never enter your recovery phrase into any app unless you are absolutely certain it is the genuine wallet," the analyst warned.

Apple has not commented on the timeline for removing the remaining apps, but researchers expect further takedowns in the coming days. Users who suspect they have installed a fake wallet should immediately transfer their assets to a new, secure wallet and change all associated passwords.
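
The typosquatting described under Background and the advice to check the developer name can be combined into a screening step for teams that vet or monitor store listings. The following is an added example, not code from Kaspersky or the original post; the look-alike character map, the 0.8 threshold, the publisher name and the sample listings are assumptions constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Wallet brands named in the article.
BRANDS = ["MetaMask", "Ledger", "Trust Wallet", "Coinbase",
          "TokenPocket", "imToken", "Bitpie"]

# Assumed look-alike substitutions (digits, symbols, a few Cyrillic letters).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a",
                            "$": "s", "а": "a", "е": "e", "о": "o", "с": "c"})


def skeleton(name):
    """Fold case, drop accents, map look-alikes, keep only letters and digits."""
    text = unicodedata.normalize("NFKD", name).casefold()
    text = "".join(c for c in text if not unicodedata.combining(c))
    return "".join(c for c in text.translate(LOOKALIKES) if c.isalnum())


def best_ratio(brand, listing):
    """Best similarity between the brand and any brand-sized slice of the listing."""
    n = len(brand)
    slices = [listing[i:i + w] for w in (n - 1, n, n + 1)
              for i in range(max(1, len(listing) - w + 1))]
    return max(SequenceMatcher(None, brand, s).ratio() for s in slices)


def classify(app_name, developer, official_publishers, threshold=0.8):
    """Return ('official' | 'lookalike' | 'unrelated', matched brand or None)."""
    listing = skeleton(app_name)
    score, brand = max((best_ratio(skeleton(b), listing), b) for b in BRANDS)
    if score < threshold:
        return ("unrelated", None)
    expected = official_publishers.get(brand)
    if expected is not None and developer == expected:
        return ("official", brand)
    return ("lookalike", brand)  # brand-like name from an unexpected developer


if __name__ == "__main__":
    # Constructed sample data: placeholder publisher and made-up listings.
    publishers = {"MetaMask": "Example Official Publisher"}
    for name, dev in [("MetaMask", "Example Official Publisher"),
                      ("MetaMaks Wallet", "Unknown Dev"),
                      ("Trust Wa11et Pro", "Unknown Dev"),
                      ("Pocket Calculator", "Unknown Dev")]:
        print(f"{name!r:22} {dev!r:30} -> {classify(name, dev, publishers)}")
```

Name matching cannot catch the listings the article describes with unrelated names and icons, so a flagged result is a triage signal for manual review of the developer, not a verdict.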