Kaspersky identified 26 fraudulent apps impersonating major crypto wallets like MetaMask, Ledger, Trust Wallet, and Coinbase. These phishing apps, mainly found on the Chinese iOS App Store, mimic legitimate interfaces and include fake features (e.g., games or calculators) to appear authentic. Once launched, they redirect users to a spoofed App Store page and prompt installation via developer profiles, similar to the previously reported SparkKitty technique, according to a press release.
The goal is to install trojanized wallet apps that steal seed phrases. Hot wallets are compromised by intercepting recovery data, while cold wallet users are tricked into manually entering seed phrases—something legitimate apps never request. Although regionally distributed, these apps pose a global risk.
“While the apps that kick off the attack chain are not inherently malicious, they lead to the user installing a trojan in the end. By paying a fee and setting up a developer account, the attackers can target any iOS device if the user succumbs to the phishing tactic. Users should be wary of the risks related to managing their crypto wallets even on devices that they consider safe, such as iPhones. We expect there may be more trojanized crypto apps distributed with a similar tactic,” comments Sergey Puzan, mobile malware expert at Kaspersky.
Kaspersky advises users to stay vigilant by avoiding suspicious in-app links, especially when unexpected pages appear. Users should never install developer profiles unless they come directly from a trusted employer, as these can enable malicious app installations. It is critical to only enter recovery or seed phrases on the official wallet device—legitimate apps like Ledger will never request this information. Additionally, users should always verify that an app is published by a legitimate developer, even if it is downloaded from official platforms like the App Store, and make it a habit to cross-check download links through the developer’s official website.


