{"id":2587,"date":"2026-04-20T09:04:01","date_gmt":"2026-04-20T09:04:01","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/"},"modified":"2026-04-20T09:04:01","modified_gmt":"2026-04-20T09:04:01","slug":"fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/","title":{"rendered":"FakeWallet crypto stealer spreading through iOS apps in the App Store"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/20084942\/10ad14ce5b0c948208d1485709760bde_f7c9c613-6eb1-4e66-991c-583d50e53865-1-scaled-1-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<p>In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets. The infected apps are specifically engineered to hijack recovery phrases and private keys. Metadata from the malware suggests this campaign has been flying under the radar since at least the fall of 2025.<\/p>\n<p>We\u2019ve seen this happen before. Back in 2022, <a href=\"https:\/\/www.eset.com\/in\/about\/newsroom\/press-releases\/research\/eset-research-discovers-scheme-to-steal-cryptocurrency-from-android-and-iphone-users\/?srsltid=AfmBOopQ63-vphsZP-jHYOGI71QSJici1UV7918OGb2X6dF_AbO-Uzx4\" target=\"_blank\" rel=\"noopener\">ESET researchers<\/a> spotted compromised crypto wallets distributed through phishing sites. 
By abusing iOS provisioning profiles to install malware, attackers were able to steal recovery phrases from major hot wallets like Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Fast forward four years, and the same crypto-theft scheme is gaining momentum again, now featuring new malicious modules, updated injection techniques, and distribution through phishing apps in the App Store.<\/p>\n<p>Kaspersky products detect this threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*.<\/p>\n<h2><strong>Technical details<\/strong><\/h2>\n<h3><strong>Background<\/strong><\/h3>\n<p>This past March, we noticed a wave of phishing apps topping the search results in the Chinese App Store, all disguised as popular crypto wallets. Because of regional restrictions, many official crypto wallet apps are currently unavailable to users in China, specifically if they have their Apple ID set to the Chinese region. Scammers are jumping on this opportunity. 
They\u2019ve launched fake apps using icons that mirror the originals and names with intentional typos \u2013 a tactic known as typosquatting \u2013 to slip past App Store filters and increase their chances of deceiving users.<\/p>\n<div id=\"attachment_119483\" style=\"width: 1565px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" aria-describedby=\"caption-attachment-119483\" class=\"size-full wp-image-119483\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1.png\" alt='App Store search results for \"Ledger Wallet\" (formerly Ledger Live)' width=\"1555\" height=\"752\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1.png 1555w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1-300x145.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1-1024x495.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1-768x371.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1-1536x743.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1-724x350.png 724w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1-740x358.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1-579x280.png 579w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155206\/FakeWallet1-800x387.png 800w\" sizes=\"(max-width: 1555px) 100vw, 1555px\"><\/a><\/p>\n<p 
id=\"caption-attachment-119483\" class=\"wp-caption-text\">App Store search results for \u201cLedger Wallet\u201d (formerly Ledger Live)<\/p>\n<\/div>\n<p>In some instances, the app names and icons had absolutely nothing to do with cryptocurrency. However, the promotional banners for these apps claimed that the official wallet was \u201cunavailable in the App Store\u201d and directed users to download it through the app instead.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119484\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2.png\" alt=\"\" width=\"1768\" height=\"634\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2.png 1768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2-300x108.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2-1024x367.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2-768x275.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2-1536x551.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2-976x350.png 976w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2-740x265.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2-781x280.png 781w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155320\/FakeWallet2-800x287.png 800w\" sizes=\"auto, (max-width: 1768px) 100vw, 
1768px\"><\/a><\/p>\n<div id=\"attachment_119485\" style=\"width: 1004px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155355\/FakeWallet3.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119485\" class=\"size-full wp-image-119485\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155355\/FakeWallet3.png\" alt=\"Promotional screenshots from apps posing as the official TokenPocket app\" width=\"994\" height=\"575\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155355\/FakeWallet3.png 994w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155355\/FakeWallet3-300x174.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155355\/FakeWallet3-768x444.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155355\/FakeWallet3-605x350.png 605w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155355\/FakeWallet3-740x428.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155355\/FakeWallet3-484x280.png 484w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155355\/FakeWallet3-800x463.png 800w\" sizes=\"auto, (max-width: 994px) 100vw, 994px\"><\/a><\/p>\n<p id=\"caption-attachment-119485\" class=\"wp-caption-text\">Promotional screenshots from apps posing as the official TokenPocket app<\/p>\n<\/div>\n<p>During our investigation, we identified 26 phishing apps in the App Store mimicking the following major wallets:<\/p>\n<ul>\n<li>MetaMask<\/li>\n<li>Ledger<\/li>\n<li>Trust Wallet<\/li>\n<li>Coinbase<\/li>\n<li>TokenPocket<\/li>\n<li>imToken<\/li>\n<li>Bitpie<\/li>\n<\/ul>\n<p>We\u2019ve reported all of these findings 
to Apple, and several of the malicious apps have already been pulled from the store.<\/p>\n<p>We also identified several similar apps that didn\u2019t have any phishing functionality yet, but showed every sign of being linked to the same threat actors. It\u2019s highly likely that the malicious features were simply waiting to be toggled on in a future update.<\/p>\n<p>The phishing apps featured stubs \u2013 functional placeholders that mimicked a legitimate service \u2013 designed to make the app appear authentic. The stub could be a game, a calculator, or a task planner.<\/p>\n<p>However, once you launched the app, it would open a malicious link in your browser. This link kicks off a scheme leveraging provisioning profiles to install infected versions of crypto wallets onto the victim\u2019s device. This technique isn\u2019t exclusive to FakeWallet; other iOS threats, like <a href=\"https:\/\/securelist.com\/sparkkitty-ios-android-malware\/116793\/\" target=\"_blank\" rel=\"noopener\">SparkKitty<\/a>, use similar methods. These profiles come in a few flavors, one of them being enterprise provisioning profiles. Apple designed these so companies could create and deploy internal apps to employees without going through the App Store or hitting device limits. 
Enterprise provisioning profiles are a favorite tool for makers of software cracks, cheats, online casinos, pirated mods of popular apps, and malware.<\/p>\n<div id=\"attachment_119486\" style=\"width: 681px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155538\/FakeWallet4.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119486\" class=\"size-full wp-image-119486\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155538\/FakeWallet4.png\" alt=\"An infected wallet and its corresponding profile used for the installation process\" width=\"671\" height=\"1454\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155538\/FakeWallet4.png 671w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155538\/FakeWallet4-138x300.png 138w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155538\/FakeWallet4-473x1024.png 473w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155538\/FakeWallet4-162x350.png 162w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155538\/FakeWallet4-461x1000.png 461w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155538\/FakeWallet4-129x280.png 129w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19155538\/FakeWallet4-415x900.png 415w\" sizes=\"auto, (max-width: 671px) 100vw, 671px\"><\/a><\/p>\n<p id=\"caption-attachment-119486\" class=\"wp-caption-text\">An infected wallet and its corresponding profile used for the installation process<\/p>\n<\/div>\n<h3><strong>Malicious modules for hot wallets<\/strong><\/h3>\n<p>The attackers have churned out a wide variety of malicious modules, each tailored to a specific 
wallet. In most cases, the malware is delivered via a malicious library injection, though we\u2019ve also come across builds where the app\u2019s original source code was modified.<\/p>\n<p>To embed the malicious library, the hackers injected load commands into the main executable. This is a standard trick to expand an app\u2019s functionality without a rebuild. Once the library is loaded, the dyld linker triggers initialization functions, if present in the library. We\u2019ve seen this implemented in different ways: sometimes by adding a load method to specific Objective-C classes, and other times through standard C++ functions.<\/p>\n<p>The logic remains the same across all initialization functions: the app loads or initializes its configuration, if available, and then swaps out legitimate class methods for malicious versions. For instance, we found a malicious library named libokexHook.dylib embedded in a modified version of the Coinbase app. It hijacks the original viewDidLoad method within the RecoveryPhraseViewController class, the part of the code responsible for the screen where the user enters their recovery phrase.<\/p>\n<div id=\"attachment_119487\" style=\"width: 1218px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160008\/FakeWallet6.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119487\" class=\"size-full wp-image-119487\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160008\/FakeWallet6.png\" alt=\"A code snippet where a malicious initialization function hijacks the original viewDidLoad method of the class responsible for the recovery phrase screen\" width=\"1208\" height=\"538\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160008\/FakeWallet6.png 1208w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160008\/FakeWallet6-300x134.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160008\/FakeWallet6-1024x456.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160008\/FakeWallet6-768x342.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160008\/FakeWallet6-786x350.png 786w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160008\/FakeWallet6-740x330.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160008\/FakeWallet6-629x280.png 629w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160008\/FakeWallet6-800x356.png 800w\" sizes=\"auto, (max-width: 1208px) 100vw, 1208px\"><\/a><\/p>\n<p id=\"caption-attachment-119487\" class=\"wp-caption-text\">A code snippet where a malicious initialization function hijacks the original viewDidLoad method of the class responsible for the recovery phrase screen<\/p>\n<\/div>\n<p>The compromised viewDidLoad method works by scanning the screen in the current view controller (the object managing that specific app screen) to hunt for mnemonics \u2013 the individual words that make up the seed phrase. Once it finds them, it extracts the data, encrypts it, and beams it back to a C2 server. 
All these malicious modules follow a specific process to exfiltrate data:<\/p>\n<ul>\n<li>The extracted mnemonics are concatenated into a single string.<\/li>\n<li>This string is encrypted using RSA with the PKCS #1 scheme.<\/li>\n<li>The encrypted data is then encoded into Base64.<\/li>\n<li>Finally, the encoded string \u2013 along with metadata like the malicious module type, the app name, and a unique identification code \u2013 is sent to the attackers\u2019 server.<\/li>\n<\/ul>\n<div id=\"attachment_119488\" style=\"width: 1130px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160058\/FakeWallet7.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119488\" class=\"size-full wp-image-119488\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160058\/FakeWallet7.png\" alt=\"The malicious viewDidLoad method at work, scraping seed phrase words from individual subviews \" width=\"1120\" height=\"635\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160058\/FakeWallet7.png 1120w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160058\/FakeWallet7-300x170.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160058\/FakeWallet7-1024x581.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160058\/FakeWallet7-768x435.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160058\/FakeWallet7-617x350.png 617w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160058\/FakeWallet7-740x420.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160058\/FakeWallet7-494x280.png 494w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160058\/FakeWallet7-800x454.png 800w\" sizes=\"auto, (max-width: 1120px) 100vw, 1120px\"><\/a><\/p>\n<p id=\"caption-attachment-119488\" class=\"wp-caption-text\">The malicious viewDidLoad method at work, scraping seed phrase words from individual subviews<\/p>\n<\/div>\n<p>In this specific variant, the C2 server address is hardcoded directly into the executable. However, in other versions we\u2019ve analyzed, the Trojan pulls the address from a configuration file tucked away in the app folder.<\/p>\n<p>The POST request used to exfiltrate those encrypted mnemonics looks like this:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">POST &lt;c2_domain&gt;\/api\/open\/postByTokenPocket?ciyu=&lt;base64_encoded_encrypted_mnemonics&gt;&amp;code=10001&amp;ciyuType=1&amp;wallet=ledger<\/pre>\n<p>The version of the malicious module targeting Trust Wallet stands out from the rest. It skips the initialization functions entirely. Instead, the attackers injected a custom executable section, labeled __hook, directly into the main executable. They placed it right before the __text section, specifically in the memory region usually reserved for load commands in the program header. The first two functions in this section act as trampolines to the dlsym function and the mnemonic validation method within the original WalletCore class. 
These are followed by two wrapper functions designed to:<\/p>\n<ul>\n<li>Resolve symbols dataInit or processX0Parameter from the malicious library<\/li>\n<li>Hand over control to these newly discovered functions<\/li>\n<li>Execute the code for the original methods that the wrapper was built to replace<\/li>\n<\/ul>\n<div id=\"attachment_119489\" style=\"width: 1410px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119489\" class=\"size-full wp-image-119489\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8.png\" alt=\"The content of the embedded __hook section, showing the trampolines and wrapper functions\" width=\"1400\" height=\"850\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8.png 1400w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8-300x182.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8-1024x622.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8-768x466.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8-330x200.png 330w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8-576x350.png 576w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8-740x449.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8-461x280.png 461w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160226\/FakeWallet8-800x486.png 800w\" sizes=\"auto, (max-width: 1400px) 100vw, 1400px\"><\/a><\/p>\n<p id=\"caption-attachment-119489\" class=\"wp-caption-text\">The content of the embedded __hook section, showing the trampolines and wrapper functions<\/p>\n<\/div>\n<p>These wrappers effectively hijack the methods the app calls whenever a user tries to restore a wallet using a seed phrase or create a new one. By following the same playbook described earlier, the Trojan scrapes the mnemonics directly from the corresponding screens, encrypts them, and beams them back to the C2 server.<\/p>\n<h3><strong>The Ledger wallet malicious module<\/strong><\/h3>\n<p>The modules we\u2019ve discussed so far were designed to rip recovery phrases from hot wallets\u00a0\u2013 apps that store and use private keys directly on the device where they are installed. Cold wallets are a different beast: the keys stay on a separate, offline device, and the app is just a user interface with no direct access to them. To get their hands on those assets, the attackers fall back on old-school phishing.<\/p>\n<p>We found two versions of the Ledger implant, one using a malicious library injection and another where the app\u2019s source code itself was tampered with. In the library version, the malware sneaks in through standard entry points: two Objective-C initialization functions (<code>+[UIViewController load]<\/code> and <code>+[UIView load]<\/code>) and a function named entry located in the <code>__mod_init_functions<\/code> section. 
Once the malicious library is loaded into the app\u2019s memory, it goes to work:<\/p>\n<ul>\n<li>The entry function loads a configuration file from the app directory, generates a user UUID, and attempts to send it to the server specified by the <code>login-url<\/code> parameter. The config file looks like this:\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">{\r\n\t\"url\": \"hxxps:\/\/iosfc[.]com\/ledger\/ios\/Rsakeycatch.php\", \/\/ C2 for mnemonics\r\n\t\"code\": \"10001\",                                         \/\/ special code\r\n\t\"login-url\": \"hxxps:\/\/xxx[.]com\",\r\n\t\"login-code\": \"88761\"\r\n}<\/pre>\n<\/li>\n<li>Two other initialization functions, <code>+[UIViewController load]<\/code> and <code>+[UIView load]<\/code>, replace certain methods of the original app classes with their malicious payload.<\/li>\n<li>As soon as the root screen is rendered, the malware traverses the view controller hierarchy and searches for a child screen named <code>add-account-cta<\/code> or one containing a $ sign:\n<ul>\n<li>If it is the <code>add-account-cta<\/code> screen, the Trojan identifies the button responsible for adding a new account and matches its text to a specific language. The Trojan uses this to determine the app\u2019s locale so it can later display a phishing alert in the appropriate language. It then prepares a phishing notification whose content will require the user to pass a \u201csecurity check\u201d, and stores it in an object of <code>GlobalVariables<\/code>.<\/li>\n<li>If it\u2019s a screen with a $ sign in its name, the malware scans its content using a regular expression to extract the wallet balance and attempts to send this balance information to a harmless domain specified in the configuration as <code>login-url<\/code>. 
We assume this is outdated testing functionality left in the code by mistake, as the specified domain is unrelated to the malware.<\/li>\n<\/ul>\n<\/li>\n<li>Then, when any screen is rendered, one of the malicious handlers checks its name. If it is the screen responsible for adding an account or buying\/selling cryptocurrency, the malware displays the phishing notification prepared earlier. Clicking on this notification opens a WebView window, where the local HTML file <code>verify.html<\/code> serves as the page to display.<\/li>\n<\/ul>\n<p>The <code>verify.html<\/code> phishing page prompts the user to enter their mnemonics. The malware then checks the seed phrase entered by the user against the BIP-39 dictionary, a standard that uses 2048 mnemonic words to generate seed phrases. Additionally, to lower the victim\u2019s guard, the phishing page is designed to match the app\u2019s style and even supports autocomplete for mnemonics to give an impression of quality. The seed phrase is passed to an Objective-C handler, which merges it into a single string, encrypts it using RSA with the PKCS #1 scheme, and sends it to the C2 server along with additional data \u2013 such as the malicious module type, app name, and a specific config code \u2013 via an HTTP POST request to the <code>\/ledger\/ios\/Rsakeycatch.php<\/code> endpoint.<\/p>\n<div id=\"attachment_119490\" style=\"width: 961px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160757\/FakeWallet9.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119490\" class=\"size-full wp-image-119490\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160757\/FakeWallet9.png\" alt=\"The Objective-C handler responsible for exfiltrating mnemonics\" width=\"951\" height=\"819\" 
srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160757\/FakeWallet9.png 951w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160757\/FakeWallet9-300x258.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160757\/FakeWallet9-768x661.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160757\/FakeWallet9-406x350.png 406w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160757\/FakeWallet9-740x637.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160757\/FakeWallet9-325x280.png 325w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160757\/FakeWallet9-800x689.png 800w\" sizes=\"auto, (max-width: 951px) 100vw, 951px\"><\/a><\/p>\n<p id=\"caption-attachment-119490\" class=\"wp-caption-text\">The Objective-C handler responsible for exfiltrating mnemonics<\/p>\n<\/div>\n<p>The second version of the infected Ledger wallet involves changes made directly to the main code of the app written in React Native. This approach eliminates the need for platform-specific libraries and allows attackers to run the same malicious module across different platforms. Since the Ledger Live source code is publicly available, injecting malicious code into it is a straightforward task for the attackers.<br \/>\nThe infected build includes two malicious screens:<\/p>\n<ul>\n<li><code>MnemonicVerifyScreen<\/code>, embedded in <code>PortfolioNavigator<\/code><\/li>\n<li><code>PrivateKeyVerifyScreen<\/code>, embedded in <code>MyLedgerNavigator<\/code><\/li>\n<\/ul>\n<p>In the React Native ecosystem, navigators handle switching between different screens. In this case, these specific navigators are triggered when the Portfolio or Device List screens are opened. 
In the original app, these screens remain inaccessible until the user pairs their cold wallet with the application. This same logic is preserved in the infected version, effectively serving as an anti-debugging technique: the phishing window only appears during a realistic usage scenario.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160926\/FakeWallet10.jpg\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119491\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160926\/FakeWallet10.jpg\" alt=\"\" width=\"591\" height=\"1280\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160926\/FakeWallet10.jpg 591w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160926\/FakeWallet10-139x300.jpg 139w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160926\/FakeWallet10-473x1024.jpg 473w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160926\/FakeWallet10-162x350.jpg 162w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160926\/FakeWallet10-462x1000.jpg 462w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160926\/FakeWallet10-129x280.jpg 129w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160926\/FakeWallet10-416x900.jpg 416w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\"><\/a><\/p>\n<div id=\"attachment_119492\" style=\"width: 601px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160953\/FakeWallet11.jpg\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119492\" class=\"size-full wp-image-119492\" 
src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160953\/FakeWallet11.jpg\" alt=\"Phishing window for seed phrase verification\" width=\"591\" height=\"1280\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160953\/FakeWallet11.jpg 591w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160953\/FakeWallet11-139x300.jpg 139w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160953\/FakeWallet11-473x1024.jpg 473w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160953\/FakeWallet11-162x350.jpg 162w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160953\/FakeWallet11-462x1000.jpg 462w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160953\/FakeWallet11-129x280.jpg 129w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19160953\/FakeWallet11-416x900.jpg 416w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\"><\/a><\/p>\n<p id=\"caption-attachment-119492\" class=\"wp-caption-text\">Phishing window for seed phrase verification<\/p>\n<\/div>\n<p>The <code>MnemonicVerifyScreen<\/code> appears whenever either of those navigators is activated \u2013 whether the user is checking their portfolio or viewing info about a paired device. The <code>PrivateKeyVerifyScreen<\/code> remains unused \u2013 it is designed to handle a private key rather than a mnemonic, specifically the key generated by the wallet based on the entered seed phrase. 
Since Ledger Live doesn\u2019t give users direct access to private keys or support them for importing wallets, we suspect this specific feature was actually intended for a different app.<\/p>\n<div id=\"attachment_119493\" style=\"width: 734px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161125\/FakeWallet12.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119493\" class=\"size-full wp-image-119493\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161125\/FakeWallet12.png\" alt=\"Decompiled pseudocode of an anonymous malicious function setting up the configuration during app startup\" width=\"724\" height=\"939\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161125\/FakeWallet12.png 724w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161125\/FakeWallet12-231x300.png 231w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161125\/FakeWallet12-270x350.png 270w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161125\/FakeWallet12-216x280.png 216w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161125\/FakeWallet12-694x900.png 694w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\"><\/a><\/p>\n<p id=\"caption-attachment-119493\" class=\"wp-caption-text\">Decompiled pseudocode of an anonymous malicious function setting up the configuration during app startup<\/p>\n<\/div>\n<p>Once a victim enters their recovery phrase on the phishing page and hits Confirm, the Trojan creates a separate thread to handle the data exfiltration. 
It tracks the progress of the transfer by creating three files in the app\u2019s working directory:<\/p>\n<ul>\n<li><code>verify-wallet-status.json<\/code> tracks the current status and the timestamp of the last update.<\/li>\n<li><code>verify-wallet-config.json<\/code> stores the C2 server configuration the malware is currently using.<\/li>\n<li><code>verify-wallet-pending.json<\/code> holds encrypted mnemonics until they\u2019re successfully transmitted to the C2 server. Then the <code>clearPendingMnemonicJob<\/code> function replaces the contents of the file with an empty JSON dictionary.<\/li>\n<\/ul>\n<p>Next, the Trojan encrypts the captured mnemonics and sends the resulting value to the C2 server. The data is encrypted using the same algorithm described earlier (RSA encryption followed by Base64 encoding). If the app is closed or minimized, the Trojan checks the status of the previous exfiltration attempt upon restart and resumes the process if it hasn\u2019t been completed.<\/p>\n<div id=\"attachment_119494\" style=\"width: 808px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161303\/FakeWallet13.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119494\" class=\"size-full wp-image-119494\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161303\/FakeWallet13.png\" alt=\"Decompiled pseudocode for the submitWalletSecret function\" width=\"798\" height=\"673\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161303\/FakeWallet13.png 798w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161303\/FakeWallet13-300x253.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161303\/FakeWallet13-768x648.png 768w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161303\/FakeWallet13-415x350.png 415w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161303\/FakeWallet13-740x624.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161303\/FakeWallet13-332x280.png 332w\" sizes=\"auto, (max-width: 798px) 100vw, 798px\"><\/a><\/p>\n<p id=\"caption-attachment-119494\" class=\"wp-caption-text\">Decompiled pseudocode for the submitWalletSecret function<\/p>\n<\/div>\n<h3><strong>Other distribution channels, platforms, and the SparkKitty link<\/strong><\/h3>\n<p>During our investigation, we discovered a website mimicking the official Ledger site that hosted links to the same infected apps described above. While we\u2019ve only observed one such example, we\u2019re certain that other similar phishing pages exist across the web.<\/p>\n<div id=\"attachment_119495\" style=\"width: 2063px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119495\" class=\"size-full wp-image-119495\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14.png\" alt=\"A phishing website hosting links to infected Ledger apps for both iOS and Android\" width=\"2053\" height=\"823\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14.png 2053w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14-300x120.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14-1024x410.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14-768x308.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14-1536x616.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14-2048x821.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14-873x350.png 873w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14-740x297.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14-698x280.png 698w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/19161351\/FakeWallet14-800x321.png 800w\" sizes=\"auto, (max-width: 2053px) 100vw, 2053px\"><\/a><\/p>\n<p id=\"caption-attachment-119495\" class=\"wp-caption-text\">A phishing website hosting links to infected Ledger apps for both iOS and Android<\/p>\n<\/div>\n<p>We also identified several compromised versions of wallet apps for Android, including both previously undiscovered samples and known ones. These instances were distributed through the same malicious pages; however, we found no traces of them in the Google Play Store.<\/p>\n<p>One additional detail: some of the infected apps also contained a SparkKitty module. Interestingly, these modules didn\u2019t show any malicious activity on their own, with mnemonics handled exclusively by the FakeWallet modules. 
We suspect SparkKitty might be present for one of two reasons: either the authors of both malicious campaigns are linked and forgot to remove it, or it was embedded by different attackers and is currently inactive.<\/p>\n<h2><strong>Victims<\/strong><\/h2>\n<p>Since nearly all the phishing apps were exclusive to the Chinese App Store, and the infected wallets themselves were distributed through Chinese-language phishing pages, we can conclude that this campaign primarily targets users in China. However, the malicious modules themselves have no built-in regional restrictions. Furthermore, since the phishing notifications in some variants automatically adapt to the app\u2019s language, users outside of China could easily find themselves in the crosshairs of these attackers.<\/p>\n<h2><strong>Attribution<\/strong><\/h2>\n<p>According to our data, the threat actor behind this campaign may be linked to the creators of the SparkKitty Trojan. Several details uncovered during our research point to this connection:<\/p>\n<ul>\n<li>Some infected apps contained SparkKitty modules alongside the FakeWallet code.<\/li>\n<li>The attackers behind both campaigns appear to be native Chinese speakers, as the malicious modules frequently use log messages in Chinese.<\/li>\n<li>Both campaigns distribute infected apps via phishing pages that mimic the official App Store.<\/li>\n<li>Both campaigns specifically target victims\u2019 cryptocurrency assets.<\/li>\n<\/ul>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>Our research shows that the FakeWallet campaign is gaining momentum by employing new tactics, ranging from delivering payloads via phishing apps published in the App Store to embedding themselves into cold wallet apps and using sophisticated phishing notifications to trick users into revealing their mnemonics. The fact that these phishing apps bypass initial filters to appear at the top of App Store search results can significantly lower a user\u2019s guard. 
While the campaign is not exceptionally complex from a technical standpoint, it poses serious risks to users for several reasons:<\/p>\n<ul>\n<li><strong>Hot wallet attacks<\/strong>: the malware can steal crypto assets during the wallet creation or import phase without any additional user interaction.<\/li>\n<li><strong>Cold wallet attacks<\/strong>: attackers go to great lengths to make their phishing windows look legitimate, even implementing mnemonic autocomplete to mirror the real user experience and increase their chances of a successful theft.<\/li>\n<li><strong>Investigation challenges<\/strong>: the technical restrictions imposed by iOS and the broader Apple ecosystem make it difficult to effectively detect and analyze malicious software directly on a device.<\/li>\n<\/ul>\n<h2><strong>Indicators of compromise<\/strong><\/h2>\n<p><strong>Infected cryptowallet IPA file hashes<\/strong><\/p>\n<p><strong>Malicious dylib file hashes<\/strong><\/p>\n<p><strong>Malicious React Native application hash<\/strong><\/p>\n<p><strong>Phishing HTML for infected Ledger Live app file hash<\/strong><\/p>\n<p><strong>Malicious Android file hashes<\/strong><\/p>\n<p><strong>Malicious download links<\/strong><\/p>\n<p><strong>C2 addresses<\/strong><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets. The infected apps are specifically engineered to hijack recovery phrases and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[1031,836,1038,378,1033,90,1032,1037,552,740,744,1034,670,1036,1035],"tags":[91],"class_list":["post-2587","post","type-post","status-publish","format-standard","hentry","category-app-store","category-apple","category-bitpie","category-coinbase","category-crypto-stealer","category-cybersecurity","category-fakewallet","category-imtoken","category-ios","category-ledger","category-malware-reports","category-metamask","category-mobile-threats","category-tokenpocket","category-trust-wallet","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin
-->","yoast_head_json":{"title":"FakeWallet crypto stealer spreading through iOS apps in the App Store - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/","og_locale":"en_US","og_type":"article","og_title":"FakeWallet crypto stealer spreading through iOS apps in the App Store - Imperative Business Ventures Limited","og_description":"In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets. The infected apps are specifically engineered to hijack recovery phrases and [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-04-20T09:04:01+00:00","og_image":[{"url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/20084942\/10ad14ce5b0c948208d1485709760bde_f7c9c613-6eb1-4e66-991c-583d50e53865-1-scaled-1-990x400.jpg","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. 
reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"FakeWallet crypto stealer spreading through iOS apps in the App Store","datePublished":"2026-04-20T09:04:01+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/"},"wordCount":3070,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/20084942\/10ad14ce5b0c948208d1485709760bde_f7c9c613-6eb1-4e66-991c-583d50e53865-1-scaled-1-990x400.jpg","keywords":["Cybersecurity"],"articleSection":["App Store","Apple","Bitpie","Coinbase","crypto stealer","Cybersecurity","FakeWallet","imToken","iOS","Ledger","Malware reports","MetaMask","Mobile threats","TokenPocket","Trust Wallet"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/","name":"FakeWallet crypto stealer spreading through iOS apps in the App Store - Imperative Business Ventures 
Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/20084942\/10ad14ce5b0c948208d1485709760bde_f7c9c613-6eb1-4e66-991c-583d50e53865-1-scaled-1-990x400.jpg","datePublished":"2026-04-20T09:04:01+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/#primaryimage","url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/20084942\/10ad14ce5b0c948208d1485709760bde_f7c9c613-6eb1-4e66-991c-583d50e53865-1-scaled-1-990x400.jpg","contentUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/04\/20084942\/10ad14ce5b0c948208d1485709760bde_f7c9c613-6eb1-4e66-991c-583d50e53865-1-scaled-1-990x400.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/20\/fakewallet-crypto-stealer-spreading-through-ios-apps-in-the-app-store\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"FakeWallet crypto stealer 
spreading through iOS apps in the App Store"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2587","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=2587"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2587\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=2587"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=2587"},{"taxonomy":"post_tag","embeddable":true,"href":"https
:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=2587"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}