Twenty-six malicious applications made it into the Chinese storefront of Apple's App Store, impersonating legitimate wallets including MetaMask, Coinbase Wallet, and Trust Wallet in order to steal recovery phrases and drain cryptocurrency holdings. The threat actor relied on typosquatting and copied branding, and listed the apps as games or calculators to get around regional restrictions on crypto-related software. Kaspersky researchers named the campaign FakeWallet and linked it to the SparkKitty operation, which has been active since last year.
Once installed, the apps redirect users to phishing pages that push a trojanized wallet build delivered through an iOS provisioning profile, abusing the enterprise and ad hoc distribution mechanism to sideload code that never went through App Review. Installing that way requires the user to accept a profile, so any profile under Settings > General > VPN & Device Management (Profiles & Device Management on older iOS versions) that the user did not knowingly add is a warning sign. The trojanized builds hook the wallet setup and recovery screens and capture the mnemonic phrase as it is typed, RSA-encrypt it and Base64-encode the ciphertext before sending it to the attackers (Base64 is an encoding, not encryption; the RSA layer is what keeps the seed words out of plaintext traffic inspection, while Base64 just makes the blob transport-safe). For hardware wallets such as Ledger, the apps show a fake "security verification" prompt that asks the user to type the device's seed phrase; no legitimate wallet software ever asks for a hardware wallet's recovery phrase, so that request alone identifies the app as malicious.
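The exfiltration step described above has a recognisable shape on the wire: a 12- or 24-word BIP39 phrase fits in a single RSA block (well under the roughly 245-byte payload limit of one RSA-2048 PKCS#1 v1.5 block), so what leaves the device is one Base64 token that decodes to exactly the modulus size, with near-random byte distribution, posted to a host the wallet has no business talking to. The following added example, which is not code from the Kaspersky report or from any of the apps it describes, runs that heuristic over constructed proxy log lines. The tab-separated log format, the allowlist of wallet API hosts, and every hostname in it are assumptions made for the demo.

```python
"""Network-side heuristic for RSA-wrapped seed-phrase exfiltration.

Added example, not from the report or the malware. The log format
(METHOD<TAB>host<TAB>path<TAB>body), the allowlist and all hostnames
are assumptions; the traffic below is constructed for the demo.
"""
import base64
import json
import math
import re
import secrets

# Assumed allowlist of hosts a legitimate wallet build is expected to contact.
ALLOWED_HOSTS = {"api.wallet.example", "rpc.wallet.example"}

# Length of one RSA ciphertext block for 1024/2048/3072/4096-bit keys, in bytes.
RSA_BLOCK_SIZES = {128, 256, 384, 512}

# Base64 runs long enough to carry at least a few dozen bytes.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Bits per byte; JSON, English text and Base64-of-text sit well below this,
# RSA ciphertext of a few hundred bytes sits above it.
ENTROPY_THRESHOLD = 6.5


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_rsa_block(token: str) -> bool:
    """True if the token decodes to a modulus-sized, high-entropy blob."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # wrong length, stray characters, bad padding
        return False
    return len(raw) in RSA_BLOCK_SIZES and shannon_entropy(raw) > ENTROPY_THRESHOLD


def parse_log_line(line: str):
    """Split one constructed log line into (method, host, path, body)."""
    method, host, path, body = line.rstrip("\n").split("\t", 3)
    return method, host, path, body


def scan(lines):
    """Return (line_index, host, decoded_length) for each suspicious POST.

    A request is suspicious when it goes to a host outside the allowlist and
    its body carries a Base64 token that looks like a single RSA block.
    """
    hits = []
    for i, line in enumerate(lines):
        method, host, _path, body = parse_log_line(line)
        if method != "POST" or host in ALLOWED_HOSTS:
            continue
        for token in B64_TOKEN.findall(body):
            if looks_like_rsa_block(token):
                hits.append((i, host, len(base64.b64decode(token))))
                break
    return hits


def build_sample_log():
    """Constructed traffic: one normal API call, one simulated exfiltration, three decoys."""
    # Stands in for RSA_pub(seed phrase): 256 random bytes, as an RSA-2048 block would look.
    fake_ciphertext = base64.b64encode(secrets.token_bytes(256)).decode()
    # Decoy 1: random but the wrong size for an RSA block (a nonce, not a ciphertext).
    short_blob = base64.b64encode(secrets.token_bytes(48)).decode()
    # Decoy 2: right size but low entropy (Base64 of repetitive text, not ciphertext).
    text_blob = base64.b64encode(b"ab" * 128).decode()
    return [
        "POST\tapi.wallet.example\t/v1/balance\t" + json.dumps({"address": "0xabc123"}),
        "POST\tupload.attacker.example\t/api/collect\t"
        + json.dumps({"device": "iPhone", "data": fake_ciphertext}),
        "POST\ttelemetry.example\t/beacon\t" + json.dumps({"nonce": short_blob}),
        "POST\tcdn.example\t/log\t" + json.dumps({"dump": text_blob}),
        "GET\tupload.attacker.example\t/config\t",
    ]


if __name__ == "__main__":
    for index, host, size in scan(build_sample_log()):
        print(f"line {index}: {size}-byte RSA-sized blob posted to {host}")
```

Only the second line is flagged: the allowlisted API call is skipped before decoding, the 48-byte nonce fails the size check, and the 256-byte Base64 of repetitive text fails the entropy check. Treat this as a triage heuristic rather than a signature: signatures, tokens and TLS-related fields legitimately produce modulus-sized blobs, so the allowlist (or a per-app baseline of destination hosts) is what keeps the false-positive rate tolerable.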
A recovery phrase is the wallet's master secret: with it, the attackers restore the victim's wallet on their own device and move the funds out, and because on-chain transfers cannot be reversed the loss is permanent. The campaign primarily targets Chinese users but carries no geographic restrictions, so victims elsewhere are possible if the operators widen their scope. Apple removed all 26 apps following responsible disclosure but has not commented on how they passed App Review. Cryptocurrency holders should verify the publisher of a wallet app even on an official store, install only from links on the wallet vendor's own website, and treat any prompt to type a seed phrase outside the wallet's own recovery flow as an attack. A similar fraudulent Ledger app distributed through Apple's platform previously stole $9.5 million from 50 macOS users.
