A large-scale crypto theft campaign has exposed critical gaps in app marketplace security, with cybersecurity researchers uncovering 26 malicious iOS apps designed to steal cryptocurrency seed phrases and private keys. The apps, collectively dubbed FakeWallet, were discovered on the Apple App Store and had been active since at least late 2025.
According to Kaspersky researcher Sergey Puzan, these apps impersonated widely used crypto wallets such as MetaMask, Trust Wallet, and Coinbase. Once launched, they redirected users to deceptive web pages that mimicked legitimate interfaces, ultimately distributing trojanized wallet versions to harvest sensitive credentials.
Unlike earlier attacks that relied on unofficial distribution methods, this campaign exploited Apple’s ecosystem more directly. The malicious apps were available for download on the App Store—particularly when the account’s App Store region was set to China—using near-identical icons and subtly altered names (e.g., “LeddgerNew”) to evade detection. Some apps even disguised themselves as unrelated services such as games or utilities, acting as delivery mechanisms for hidden payloads installed via enterprise provisioning profiles.
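A defender-side check for the altered-name trick described above, added here as an example and not part of the original article or of Kaspersky's tooling: it reduces an app's display name to its brand core and flags names that collapse onto, or sit one edit away from, a known wallet brand. The brand list, suffix list and edit-distance threshold are assumptions chosen for the example.

```python
import re

# Assumed brand list for the example; the article names MetaMask, Trust Wallet
# and Coinbase as impersonated and "LeddgerNew" as an altered name.
CANONICAL_WALLETS = ["MetaMask", "Trust Wallet", "Coinbase", "Ledger"]
# Assumed marketing suffixes that look-alikes append to a brand name.
NOISE_SUFFIXES = ("new", "pro", "plus", "wallet", "app", "official")


def normalize(name: str) -> str:
    """Reduce a display name to its brand core: lowercase letters only,
    marketing suffixes stripped, then repeated letters collapsed
    ("LeddgerNew" -> "leddgernew" -> "leddger" -> "ledger")."""
    s = re.sub(r"[^a-z]", "", name.lower())
    stripped = True
    while stripped:
        stripped = False
        for suf in NOISE_SUFFIXES:
            if s.endswith(suf) and len(s) > len(suf):
                s = s[: -len(suf)]
                stripped = True
    return re.sub(r"(.)\1+", r"\1", s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch single-character slips ("Ledgr") that the
    collapse and suffix steps do not cover."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, canonical=CANONICAL_WALLETS):
    """Return ("legitimate" | "lookalike" | "unrelated", matched brand or None).
    An exact, case/space-insensitive match is treated as legitimate; a name whose
    core equals a brand core, or is within one edit of it, is a look-alike.
    A real review pipeline would also verify the developer account, not the name alone."""
    flat = name.lower().replace(" ", "")
    for brand in canonical:
        if flat == brand.lower().replace(" ", ""):
            return "legitimate", brand
    core = normalize(name)
    for brand in canonical:
        brand_core = normalize(brand)
        if core == brand_core or (len(brand_core) >= 5 and levenshtein(core, brand_core) <= 1):
            return "lookalike", brand
    return "unrelated", None
```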
The attack methodology reflects a significant evolution. Malware modules were tailored to specific wallets and deployed through techniques such as malicious library injection and modified source code. Once installed, the apps intercepted recovery phrases either by manipulating input screens or by presenting phishing prompts disguised as verification steps. In some cases, optical character recognition (OCR) was used to extract seed phrases directly from user screens.
Researchers believe the operation may be linked to the earlier SparkKitty campaign, citing overlaps in tactics, tooling, and targeting patterns—particularly a focus on cryptocurrency users and indications of Chinese-speaking threat actors. Apple has since removed many of the identified apps, but the campaign underscores how sophisticated actors are increasingly bypassing traditional app review safeguards.
In parallel, a new Android threat called MiningDropper (also known as BeatBanker) has emerged, demonstrating a highly modular malware framework. Identified by Cyble, MiningDropper combines crypto mining, banking trojans, and remote access capabilities into a single delivery architecture.
Distributed through trojanized versions of legitimate apps like Lumolight and propagated via fake banking and transport websites, MiningDropper uses a multi-stage infection chain. It employs advanced techniques such as XOR obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation strategies to evade detection and analysis.
The framework’s modular design allows attackers to reuse the same infrastructure while customizing payloads based on their objectives—ranging from financial fraud to unauthorized crypto mining. Campaigns have been observed targeting users across India, Latin America, Europe, and Asia.
Together, these developments signal a growing convergence of financial malware and platform-level exploitation. As crypto adoption rises, attackers are shifting toward more scalable, stealthy, and platform-integrated approaches—turning trusted ecosystems into high-value attack surfaces.