Cybersecurity firm Kaspersky has identified 26 fraudulent cryptocurrency wallet applications on Apple’s App Store. These apps are designed to steal users’ digital assets. The company’s Threat Research team found that the apps imitate popular crypto wallets, such as MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. They copy the names and visual branding to appear legitimate.
Once opened, these applications redirect users to phishing pages. These pages resemble the App Store interface and prompt users to download a second application. That second app is actually a trojanized wallet that can drain cryptocurrency funds.
How The Scam Works
Kaspersky said the campaign has been active since at least fall 2025. With moderate confidence, they linked it to the threat actors behind SparkKitty, a previously identified iOS malware strain. Official versions of many of these wallet apps are not available in the Chinese iOS App Store. Most of the detected phishing apps were distributed specifically to users in China. However, the malicious payload itself does not include regional restrictions. This essentially means that users outside China could also be affected. Kaspersky confirmed it has reported all identified apps to Apple.
According to the findings, the fraudulent apps include basic, unrelated features such as games, calculators, or task managers. These features create an appearance of legitimacy and help the apps pass initial scrutiny. After installation, they guide users through a process that opens a fake App Store webpage. Then, they encourage users to download what appears to be the intended wallet application.
This installation process works similarly to SparkKitty. It uses Apple’s enterprise developer tools for corporate app distribution. Users are prompted to install a developer profile on their device. This allows them to install apps from outside the App Store. Attackers rely on users overlooking this step, which enables the installation of malicious software.
Once installed, the trojanized wallet applications mimic the behavior of the specific wallet they impersonate. They target both hot and cold wallets.
Kaspersky’s mobile malware expert, Sergey Puzan, stated that while the apps themselves may not contain harmful code, they serve as entry points in a broader attack chain. This chain ultimately leads to malware installation. Puzan further warned, “By paying a fee and setting up a developer account, the attackers can target any iOS device if the user succumbs to the phishing tactic. Users should be wary of the risks related to managing their crypto wallets even on devices that they consider safe, such as iPhones. We expect there may be more trojanized crypto apps distributed with a similar tactic.”
Counterfeit Ledger Device
The latest report comes days after a counterfeit Ledger Nano S Plus device was exposed. A Brazilian cybersecurity researcher found the device sold through an online marketplace as part of a sophisticated phishing operation designed to steal crypto wallet credentials. The device was marketed and priced like an official product. It initially appeared genuine but failed verification when connected to Ledger Live.
Upon opening the device, the researcher found internal components that did not match legitimate hardware. This included a chip with its markings removed and additional WiFi and Bluetooth antennas not present in authentic Ledger wallets. Further examination of the firmware revealed that both PIN codes and seed phrases were stored in plaintext. The firmware also contained references to external servers. This indicated that the device was designed to capture and transmit sensitive data.
The researcher acknowledged that this attack does not involve any flaw in Ledger’s security. Instead, it uses fake devices, harmful apps, and phishing tricks to target users.
