Kaspersky Flags 26 Fake Crypto Wallet Apps That Could Drain Your Funds

These fake iOS apps appear legitimate but redirect users to phishing pages, leading to malware installation and eventual theft of crypto assets.

Cybersecurity firm Kaspersky has identified 26 fraudulent cryptocurrency wallet applications on Apple’s App Store that are designed to steal users’ digital assets.

The company’s Threat Research team found that the apps imitate popular crypto wallets, such as MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie, by copying their names and visual branding to appear legitimate. Once opened, these applications redirect users to phishing pages that resemble the App Store interface and prompt them to download a second application, which is actually a trojanized wallet that can drain cryptocurrency funds.

How The Scam Works

Kaspersky said the campaign has been active since at least fall 2025 and, with “moderate confidence,” linked it to the threat actors behind SparkKitty, a previously identified iOS malware strain. Official versions of many of these wallet apps are not available in the Chinese iOS App Store; most of the detected phishing apps were distributed specifically to users in China, though the malicious payload itself does not include regional restrictions. This essentially means that users outside China could also be affected. Kaspersky confirmed it has reported all identified apps to Apple.

According to the findings, the fraudulent apps include basic, unrelated features such as games, calculators, or task managers to create an appearance of legitimacy and pass initial scrutiny. After installation, they guide users through a process that opens a fake App Store webpage and encourages them to download what appears to be the intended wallet application.

This installation process works similarly to SparkKitty, using Apple’s enterprise developer tools for corporate app distribution. Users are prompted to install a developer profile on their device, which allows them to install apps from outside the App Store. Attackers rely on users overlooking this step, enabling the installation of malicious software.

Once installed, the trojanized wallet applications are designed to mimic the behavior of the specific wallet they impersonate. They target both hot and cold wallets.

Kaspersky’s mobile malware expert, Sergey Puzan, stated that while the apps themselves may not contain harmful code, they serve as entry points in a broader attack chain that ultimately leads to malware installation. The researcher further warned,

You may also like:

“By paying a fee and setting up a developer account, the attackers can target any iOS device if the user succumbs to the phishing tactic. Users should be wary of the risks related to managing their crypto wallets even on devices that they consider safe, such as iPhones. We expect there may be more trojanized crypto apps distributed with a similar tactic.”

Counterfeit Ledger Device

The latest report comes days after a counterfeit Ledger Nano S Plus device sold through an online marketplace was exposed as part of a sophisticated phishing operation designed to steal crypto wallet credentials by a Brazilian cybersecurity researcher. The device, which was marketed and priced like an official product, initially appeared genuine but failed verification when connected to Ledger Live.

Upon opening the device, the researcher found internal components that did not match legitimate hardware, including a chip with its markings removed and additional WiFi and Bluetooth antennas not present in authentic Ledger wallets. Further examination of the firmware revealed that both PIN codes and seed phrases were stored in plaintext, along with references to external servers, indicating that the device was designed to capture and transmit sensitive data.

The researcher acknowledged that this attack does not involve any flaw in Ledger’s security, but instead uses fake devices, harmful apps, and phishing tricks to target users.