26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases

The Hacker News, Apr 24, 2026

Why It Matters

The scheme puts billions of crypto assets at risk by compromising the most critical security credential—seed phrases—highlighting a new attack vector on iOS devices and underscoring the need for stricter app‑store vetting and user vigilance.

Key Takeaways

  • 26 fake crypto wallet apps listed on the Apple App Store for Chinese users
  • Apps mimic popular wallets and use typosquatting to lure downloads
  • Malware captures seed phrases via screen hooks or phishing web pages
  • Campaign may tie to the SparkKitty trojan and the similar Android MiningDropper framework

Pulse Analysis

The discovery of FakeWallet apps marks a troubling shift in cryptocurrency theft, moving from off‑store phishing sites to the official Apple App Store. By exploiting regional account settings, threat actors can bypass Apple’s standard review process, delivering malicious code directly to unsuspecting users. This tactic leverages the trust users place in the App Store and the growing popularity of mobile wallets, creating a fertile ground for large‑scale seed‑phrase harvesting that can instantly compromise both hot and cold crypto holdings.

Technically, the FakeWallet suite employs a blend of typosquatting, icon cloning, and enterprise provisioning profiles to appear legitimate. Once installed, the apps either inject malicious libraries into the genuine wallet binary or present a counterfeit entry screen that records the user’s mnemonic phrase. Some variants even use optical character recognition to capture phrases entered elsewhere, while others redirect victims to phishing sites that mimic official wallet interfaces. These methods demonstrate a sophisticated understanding of iOS internals and a willingness to invest in custom code to bypass Apple’s sandbox protections.

The broader context suggests a coordinated ecosystem of crypto‑focused malware, with FakeWallet potentially sharing infrastructure with the SparkKitty trojan and the newly identified MiningDropper Android framework. Both campaigns illustrate a modular approach, allowing threat actors to repurpose code across platforms and target a global user base. For enterprises and individual investors, the takeaway is clear: reliance on seed‑phrase secrecy alone is insufficient. Multi‑factor authentication, hardware wallets, and rigorous app‑store scrutiny are essential defenses against this evolving threat landscape.
