Kaspersky just caught 26 fake cryptocurrency wallet apps on Apple’s App Store. These things were built to drain digital assets from users who thought they were downloading the real deal.
The scam apps pretend to be MetaMask, Ledger, and Coinbase wallets. Users install what looks like a legit app, then get pushed to phishing pages that look exactly like the App Store. From there, victims download a trojanized wallet that empties their accounts. The whole operation started in fall 2025 and probably connects to SparkKitty iOS malware, according to Kaspersky’s research team. Chinese users were the main target, but anyone globally can get hit since the apps didn’t have regional locks. Kaspersky told Apple about the problem.
How the Fake Apps Work
The fraudulent apps don’t look suspicious at first. They offer random features like games and calculators to pass Apple’s initial review process. Pretty clever, actually. Once someone downloads one of these apps, it tricks them into installing a developer profile on their iPhone. That’s the key move right there.
Installing that profile is what lets the app bring in software from outside the App Store. Anything loaded this way never went through App Store review, so Apple's normal checks never see it. The fake wallets then mimic real wallet behavior convincingly, targeting users of hot wallets and of hardware (cold storage) wallets alike. Users think they're managing their crypto safely, but the malware is already working in the background.
Cyber attackers found a way to abuse Apple's enterprise developer program. That program was meant for companies to distribute in-house apps to their own employees, outside the App Store. Criminals instead set up enterprise developer accounts and use them to target any iOS device. All they need is for users to fall for the phishing attempt and install that developer profile. Once the profile is trusted, the iPhone's reputation for security counts for little: the sandbox and review process offer no protection against an app the user has explicitly allowed. A quick check on any iPhone is Settings > General > VPN & Device Management (Profiles & Device Management on older iOS); a wallet app that only works after trusting a profile listed there did not come from the App Store.
The scam works because many official versions of popular wallet apps aren't available in the Chinese iOS App Store. That gap creates demand, and the fake apps fill it. People searching for MetaMask or Ledger alternatives end up downloading these malicious versions instead. Kaspersky's team found that the apps are only the first stage of a longer attack chain, serving as the entry point for installing more malware later.
Counterfeit Hardware Devices Join the Mix
A fake Ledger Nano S Plus device turned up in a separate phishing operation. Someone bought it through an online marketplace, and it looked totally genuine at first glance. But when they tried to verify it with Ledger Live, the device failed.
A Brazilian researcher took the thing apart and found mismatched components inside. The device had extra WiFi and Bluetooth antennas that shouldn't be there. Those antennas were designed to transmit data, probably sending sensitive information back to the attackers. The counterfeit device stored PIN codes and seed phrases in plaintext, which is basically the worst possible security practice. A genuine Ledger keeps the seed inside a certified secure element and never hands it to the host.
This attack didn’t exploit any vulnerability in Ledger’s actual security system. It relied on fake hardware and phishing to compromise users. The counterfeit device case shows how far cybercriminals will go to breach crypto wallet security. They’re not just making fake apps anymore. They’re manufacturing physical devices that look identical to the real thing.
When the fake Ledger connected to Ledger Live, it immediately failed the genuine check. That's when the owner knew something was wrong. Opening up the device revealed components that didn't match legitimate Ledger hardware. The presence of those additional antennas was the biggest red flag. A real Nano S Plus is a wired USB-C device with no radio at all, so any WiFi or Bluetooth hardware inside one has no legitimate job to do.
The fake apps on the App Store used a similar deception tactic. They included basic features that made them seem harmless. A calculator app or a simple game wouldn’t raise suspicions during Apple’s review process. But once installed, the apps guided users to a fake App Store webpage. That page looked exactly like Apple’s real store, complete with the same design and layout.
Users thought they were downloading the wallet app they wanted. Instead, they got a trojanized version that immediately started working to steal their funds. The attack methodology mirrors SparkKitty malware, which also leverages Apple's enterprise developer tools for distribution. Once that developer profile gets installed on someone's device, the attackers can push through apps that bypass App Store review entirely.
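The tell-tale sign of the distribution trick described above (and in the "How the Fake Apps Work" section) is the provisioning profile baked into the app. An enterprise profile carries the key ProvisionsAllDevices = true, an ad-hoc or development profile lists specific ProvisionedDevices, and a build downloaded from the App Store carries no embedded profile at all, because Apple re-signs it. The script below is an added example written for this article; it is not Kaspersky's tooling, not part of any Apple SDK, and the team name, team ID, bundle ID and device UDID in the sample data are invented. It pulls the plist out of embedded.mobileprovision (the CMS signature is deliberately not verified, this is triage, not attestation) and flags a wallet-branded .ipa that was enterprise- or ad-hoc-signed, or signed by a team other than the wallet vendor's.

```python
"""Triage an iOS .ipa: was it provisioned for enterprise/ad-hoc sideloading?

Added example, not Kaspersky's or Apple's code. All sample data is constructed.
"""
import io
import plistlib
import re
import zipfile
from datetime import datetime

# A .mobileprovision is a CMS (PKCS#7) blob that wraps an XML plist.
# The plist can be located without verifying the signature.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped provisioning profile."""
    m = _PLIST_RE.search(blob)
    if m is None:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(m.group(0))


def classify_profile(profile: dict) -> str:
    """Map provisioning-profile keys to a distribution type.

    ProvisionsAllDevices=true only appears in Apple Developer Enterprise
    Program profiles; ProvisionedDevices marks ad-hoc and development builds.
    """
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"
    if "ProvisionedDevices" in profile:
        ents = profile.get("Entitlements", {})
        return "development" if ents.get("get-task-allow") else "adhoc"
    return "appstore"


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Summarise how an .ipa was provisioned and which team signed it."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        paths = [n for n in z.namelist() if n.endswith(".app/embedded.mobileprovision")]
        if not paths:
            # App Store builds are re-signed by Apple and carry no embedded profile.
            return {"kind": "appstore", "team": None, "team_id": None,
                    "app_id": None, "expires": None}
        profile = extract_profile_plist(z.read(paths[0]))
    ents = profile.get("Entitlements", {})
    return {
        "kind": classify_profile(profile),
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": ents.get("application-identifier"),
        "expires": profile.get("ExpirationDate"),
    }


def is_suspicious_wallet(summary: dict, expected_team_ids: set) -> bool:
    """Flag a wallet app that was sideloaded (enterprise/ad-hoc/dev profile)
    or whose embedded profile names a team other than the vendor's."""
    if summary["kind"] != "appstore":
        return True
    return summary["team_id"] is not None and summary["team_id"] not in expected_team_ids


# ---- constructed sample data (hypothetical team, IDs and device) -----------
def _fake_mobileprovision(**keys) -> bytes:
    plist = plistlib.dumps(keys)
    # Sandwich the plist in junk bytes to imitate the CMS envelope.
    return b"\x30\x82\x10\x00" + b"\x00" * 16 + plist + b"\x00" * 16


def build_sample_ipa(kind: str) -> bytes:
    """Build an in-memory .ipa of the requested provisioning kind."""
    base = {
        "Name": "Wallet Helper",
        "TeamName": "Example Trading Ltd",             # hypothetical
        "TeamIdentifier": ["ABCDE12345"],               # hypothetical
        "ExpirationDate": datetime(2026, 12, 31),
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.wallet"},
    }
    if kind == "enterprise":
        base["ProvisionsAllDevices"] = True
    elif kind == "adhoc":
        base["ProvisionedDevices"] = ["00008030-000000000000000E"]  # hypothetical UDID
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Wallet.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.wallet"}))
        if kind != "appstore":
            z.writestr("Payload/Wallet.app/embedded.mobileprovision", _fake_mobileprovision(**base))
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("enterprise", "adhoc", "appstore"):
        s = inspect_ipa(build_sample_ipa(kind))
        print(f"{kind:10s} -> {s['kind']:10s} suspicious={is_suspicious_wallet(s, {'ABCDE12345'})}")
```

For a real App Store build the signing team has to be read from the code signature instead, which this script does not parse; its job is the cheap first cut that catches exactly the enterprise-profile trick the article describes.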
Kaspersky’s investigation found that these apps specifically target the gap in the Chinese market. With official wallet apps unavailable, users actively search for alternatives. The fake apps rank well in search results and look professional enough to fool most people. Reviews might even be faked to add legitimacy.
The counterfeit Ledger device incident shows purchasing hardware wallets from unauthorized sources carries serious risks. The device looked perfect on the outside. Same packaging, same branding, same weight and feel. Only Ledger Live’s verification process caught it. Without that check, the user would have loaded their crypto onto a compromised device and lost everything.
Firmware examination revealed the device stored everything in plaintext. No encryption, no security measures. Every PIN entered, every seed phrase generated—all of it sat there readable by anyone who accessed the device’s memory. The WiFi and Bluetooth antennas could transmit that data anywhere the attackers wanted.
Both cases highlight ongoing threats facing crypto users right now. Software attacks through fake apps, hardware attacks through counterfeit devices. The sophistication keeps increasing. Attackers aren’t relying on one method. They’re hitting users from multiple angles, exploiting trust in both Apple’s App Store and legitimate hardware wallet brands.
Frequently Asked Questions
How many fake crypto wallet apps did Kaspersky find on the App Store?
Kaspersky discovered 26 fake cryptocurrency wallet apps on Apple’s App Store that were designed to steal digital assets by mimicking popular wallets like MetaMask, Ledger, and Coinbase.
What makes the counterfeit Ledger device dangerous?
The fake Ledger Nano S Plus stored PIN codes and seed phrases in plaintext and contained extra WiFi and Bluetooth antennas designed to transmit sensitive data to attackers.