- Researchers discovered 26 malicious apps on the Apple App Store, dubbed FakeWallet, designed to steal cryptocurrency wallet recovery phrases and private keys.
- The scam, active since at least fall 2025, cleverly mimicked major wallets like Bitpie, Coinbase, and Ledger to deceive users.
- In a separate development, cybersecurity experts identified MiningDropper, a sophisticated Android malware framework combining coin mining with information theft.
- The threat actors employed new tactics, from abusing iOS provisioning profiles to using phishing apps directly in the App Store to deliver their payloads.
Cybersecurity researchers from Kaspersky have uncovered a cluster of malicious apps on Apple’s official App Store that impersonate popular cryptocurrency wallets to steal sensitive user data, a campaign active since at least the fall of 2025. These apps, primarily available to users with Apple accounts set to China, represent a significant escalation in mobile-based crypto-theft schemes targeting both hot and cold storage solutions.
Dubbed FakeWallet, the 26 apps mimicked wallets from providers like MetaMask, Trust Wallet, and Ledger using typos in their names and copied icons. However, Kaspersky researcher Sergey Puzan explained that “once launched, these apps redirect users to browser pages designed to look similar to the App Store and distribute trojanized versions of legitimate wallets.”
The infected applications were engineered to hijack recovery phrases either by code injection or by presenting fake verification pages. Consequently, the stolen mnemonic phrases were exfiltrated to external servers, granting attackers full control to drain victims’ digital assets.
This campaign is suspected to be linked to actors behind the SparkKitty trojan, as both operations target cryptocurrency assets and appear to be the work of native Chinese speakers. Meanwhile, the discovery of FakeWallet coincides with a report on a separate, sophisticated Android threat.
Cybersecurity firm Cyble has detailed a new Android malware delivery framework called MiningDropper. This modular malware, distributed via trojanized apps and fake banking websites, combines cryptocurrency mining with capabilities for information theft and remote access. According to Cyble, who published the analysis, “MiningDropper employs a multi-stage payload delivery architecture that combines XOR-based native obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques.”
The framework demonstrates a layered architecture designed to complicate analysis while providing flexibility in final payload delivery. This dual-threat landscape underscores the evolving sophistication of malware targeting cryptocurrency users on mobile platforms.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
