FakeWallet Campaign: 26 Malicious Crypto-Stealing Apps Found on Apple App Store
A sophisticated campaign dubbed 'FakeWallet' has infiltrated the **Apple App Store** with 26 malicious applications designed to steal cryptocurrency. These apps impersonate popular wallets like **MetaMask**, **Coinbase**, **Trust Wallet**, and **OneKey**, targeting users in China by employing tactics such as typosquatting and fake branding to pilfer seed phrases.
# FakeWallet Campaign: Crypto-Stealing Apps Target Apple App Store Users

Researchers have uncovered a network of 26 malicious apps on the **Apple App Store** masquerading as legitimate cryptocurrency wallets. The goal: to steal recovery or seed phrases and drain users' cryptocurrency assets.
## Deceptive Tactics
The threat actors behind this campaign employed several techniques to mimic official products. This included typosquatting (using slightly misspelled names) and creating fake branding to deceive users, primarily in China, into downloading the malicious apps.
Due to restrictions on cryptocurrency-related apps in China, the attackers disguised the malicious apps as games or calculator utilities, likely attempting to circumvent the bans.
## SparkKitty Connection
**Kaspersky** researchers have linked all 26 fake apps to a single campaign, which they have named FakeWallet. They associate it with the **SparkKitty** operation, which has been active since last year.
## Phishing and Trojanized Apps
Upon opening the fake apps, users are redirected to phishing pages designed to look like legitimate portals for cryptocurrency services. These sites trick victims into downloading trojanized wallet apps using **iOS** provisioning profiles. This is a legitimate enterprise feature that is being abused to sideload malware onto devices, a technique also observed in the SparkKitty campaign.

*Fake website impersonating Ledger. Source: Kaspersky*
The trojanized apps contain malicious code that intercepts mnemonic phrases during wallet setup or recovery. The captured phrases are encrypted with **RSA**, encoded as **Base64**, and then sent to the attacker.

*Installing a provisioning profile. Source: Kaspersky*
For cold wallets such as **Ledger**, attackers use in-app phishing prompts to trick users into manually entering their seed phrases via fake security verification screens.
These seed phrases, intended for wallet porting/recovery, allow the threat actors to restore the victim's wallet on their own devices and steal the funds.

*Seed phrase phishing screen. Source: Kaspersky*
## Geographic Targeting and Mitigation
**Kaspersky** noted that the campaign primarily targets users in China. However, the malware itself has no geographic restrictions, meaning it could potentially affect users worldwide if the operators decide to broaden their scope.
Cryptocurrency holders are strongly advised to carefully verify the publisher of any apps they download, even from official app stores. It is recommended to only use links provided on the official website of the cryptocurrency wallet provider.
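One way to turn the publisher-verification advice above into a repeatable check, as an added example that is not code from the article or from Kaspersky: compare an App Store listing's name and seller against a wallet allowlist, flagging names that contain or typosquat a known brand (including look-alike characters) while the seller differs. The seller values, the homoglyph list and the edit-distance threshold are assumptions to be adjusted; the listing name and seller can be taken from App Store metadata such as the public iTunes Lookup API's `trackName` and `sellerName` fields.

```python
"""Added example (not the article's or Kaspersky's code): flag App Store listings
whose name resembles a known wallet brand but whose seller is not the expected one."""

# Assumption: seller values are placeholders to be filled from each vendor's
# official website, as the article recommends, before relying on this check.
KNOWN_WALLETS = {
    "metamask": "EXPECTED-METAMASK-SELLER",
    "coinbase": "EXPECTED-COINBASE-SELLER",
    "trustwallet": "EXPECTED-TRUST-WALLET-SELLER",
    "onekey": "EXPECTED-ONEKEY-SELLER",
    "ledger": "EXPECTED-LEDGER-SELLER",
}
# Look-alike characters folded before comparison (constructed list, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

def normalize(text):
    """Lower-case, fold look-alikes and keep only letters and digits."""
    return "".join(c for c in text.lower().translate(HOMOGLYPHS) if c.isalnum())

def edit_distance(a, b):
    """Levenshtein distance via single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def matched_brand(app_name, max_dist=2):
    """Return the wallet brand the name contains or typosquats, else None."""
    full = normalize(app_name)
    candidates = {full} | {normalize(tok) for tok in app_name.split()}
    for brand in KNOWN_WALLETS:
        if brand in full:
            return brand
        for cand in candidates:
            # Length floor stops short generic words from matching by distance alone.
            if len(cand) >= len(brand) - max_dist and edit_distance(cand, brand) <= max_dist:
                return brand
    return None

def classify(app_name, seller):
    """'ok' if brand and seller agree, 'impersonate:<brand>' if the name resembles
    a wallet but the seller differs, 'unrelated' if no brand is resembled."""
    brand = matched_brand(app_name)
    if brand is None:
        return "unrelated"
    return "ok" if seller == KNOWN_WALLETS[brand] else f"impersonate:{brand}"
```

A name-based check only catches the typosquatting and fake-branding cases; the apps that were disguised as games or calculator utilities carry no wallet name at all, so seller vetting against the vendor's official links remains necessary for every wallet install.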
## Previous Incidents
This incident follows a recent discovery of a fraudulent **Ledger** app on the **Apple App Store** that stole $9.5 million worth of cryptocurrency from 50 **macOS** users.
## Apple's Response
**Apple** has removed all 26 FakeWallet apps from the App Store following **Kaspersky's** disclosure.
**BleepingComputer** has contacted **Apple** for comment on the threat actor's methods for bypassing App Store verifications, but has not yet received a response.