
Fake wallets found in Apple's App Store: FakeWallet attack steals seed phrases

iThome 新聞

Kaspersky researchers uncovered a campaign called FakeWallet, identifying at least 26 fraudulent cryptocurrency wallet apps in Apple's App Store, primarily targeting China's regional store. These fake apps impersonate popular wallets like MetaMask and Trust Wallet, intercepting seed phrases and private keys to steal crypto assets. The attack employs multiple techniques including malicious code injection and iOS configuration profiles to evade detection.

Summary

Kaspersky has exposed an attack campaign dubbed FakeWallet, in which at least 26 counterfeit cryptocurrency wallet applications have infiltrated Apple's App Store, predominantly targeting the Chinese regional storefront. The attackers exploit a known gap: many legitimate crypto wallets are unavailable in China's App Store for users with Chinese Apple IDs, creating an opportunity for malicious actors to publish lookalike apps with near-identical icons and names — sometimes with deliberate misspellings — to deceive users into thinking they are downloading official versions.

The fake apps impersonate several major cryptocurrency wallets, including MetaMask, Ledger Live, Trust Wallet, Coinbase Wallet, TokenPocket, imToken, and Bitpie. Rather than functioning as legitimate wallets, these apps serve primarily as entry points that redirect users to phishing pages or prompt them to install malware-laden wallet versions. When users attempt to create or import a wallet, their seed phrases (recovery phrases) and private keys are intercepted and transmitted to attackers, granting full control over the victim's crypto assets. Some variants targeting hardware wallet users display fake 'security verification' screens to trick users into voluntarily entering their seed phrases.

The technical methods employed are varied and sophisticated. Some samples contain injected malicious libraries or tampered source code that intercept seed phrases during app execution. Others exploit iOS configuration profiles to bypass App Store installation restrictions, installing compromised wallets directly onto devices and significantly complicating detection and mitigation efforts.
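The lookalike-naming tactic described above (icons and names nearly identical to the official wallets, sometimes deliberately misspelled) is something an app-store monitoring or brand-protection team can screen for mechanically. The following Python is an added example written for this page, not code from Kaspersky, iThome, or any of the wallet projects: it normalizes listing titles, folds a small assumed set of digit-for-letter substitutions, and flags titles that either match or sit within a couple of edits of the official wallet names the article lists. The sample listings are constructed for the example and are not real App Store entries.

```python
"""Lookalike wallet-name screening (illustrative defender tooling).

Added example, not from Kaspersky or iThome. Flags App Store listing titles
that closely resemble the official wallet names named in the article.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Wallet brands the article names as impersonation targets.
OFFICIAL_WALLETS = [
    "MetaMask", "Ledger Live", "Trust Wallet", "Coinbase Wallet",
    "TokenPocket", "imToken", "Bitpie",
]

# Small, assumed map of characters that are often swapped for look-alikes.
# This list is an assumption for the example, not something the article gives.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e",
                            "5": "s", "$": "s", "@": "a"})


def strip_name(name: str, fold_homoglyphs: bool = False) -> str:
    """Casefold, optionally fold homoglyphs, and drop spaces/punctuation."""
    folded = name.casefold()
    if fold_homoglyphs:
        folded = folded.translate(HOMOGLYPHS)
    return re.sub(r"[^a-z0-9]", "", folded)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(listing: str, max_distance: int = 2) -> Optional[Tuple[str, str]]:
    """Return (verdict, official_name) for a listing title, or None if unrelated.

    'exact'     : title equals an official brand after case/punctuation folding;
                  the publisher still has to be verified, a copycat can reuse it.
    'lookalike' : matches only after homoglyph folding, is within max_distance
                  edits, or embeds the brand name inside extra words.
    """
    strict = strip_name(listing)
    loose = strip_name(listing, fold_homoglyphs=True)
    best = None
    for official in OFFICIAL_WALLETS:
        o = strip_name(official)
        if strict == o:
            return ("exact", official)
        d = edit_distance(loose, o)
        if d <= max_distance or o in loose:
            if best is None or d < best[0]:
                best = (d, official)
    return ("lookalike", best[1]) if best else None


def screen(listings: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map every suspicious title to its verdict; unrelated titles are dropped."""
    results = {}
    for title in listings:
        verdict = classify(title)
        if verdict:
            results[title] = verdict
    return results


# Constructed sample listings (not real App Store entries).
SAMPLE_LISTINGS = [
    "MetaMask",          # exact name: verify the publisher before trusting it
    "Meta Mask",         # only spacing differs
    "Metamsk",           # deliberate misspelling
    "Trust Wa11et",      # digits standing in for letters
    "TokenPocket Pro",   # brand name padded with extra words
    "Weather Radar",     # unrelated app, should not be flagged
]

if __name__ == "__main__":
    for title, (verdict, brand) in screen(SAMPLE_LISTINGS).items():
        print(f"{title!r:20} -> {verdict:9} (resembles {brand})")
```

An exact name match is a triage signal only: an impersonator can copy the official name verbatim, so the listing's publisher and bundle must still be checked against what the wallet vendor actually ships. The distance threshold of two is a tuning choice; short brand names such as Bitpie will produce more false positives at that setting than longer ones.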

Kaspersky also identified a potential link between the FakeWallet campaign and a previously known malware strain called SparkKitty, as some samples contained modules from both, along with Chinese-language comments and log messages in the code — suggesting the developers are likely native Chinese speakers. However, researchers caution that attribution to a single threat actor remains unconfirmed.

Despite the campaign's current focus on the Chinese market, Kaspersky warns that the malicious modules contain no regional restrictions, and some phishing interfaces automatically adapt to the user's language, indicating that the attack methodology has the capability to expand into other global markets.

About this episode

Security vendor Kaspersky recently disclosed that an attack campaign named FakeWallet has infiltrated Apple's App Store, with at least 26 apps posing as mainstream cryptocurrency wallets. These apps look normal on the surface, but in practice they redirect users to counterfeit download pages, lure them into installing wallets implanted with malware, or use phishing interfaces to trick them into revealing seed phrases (recovery phrases) and private keys, and thereby steal crypto assets.

Key Insights

  • Kaspersky argues that the FakeWallet campaign specifically exploits China's App Store restrictions on legitimate crypto wallets, using the unavailability of official apps as a social engineering lever to make fake alternatives appear credible.
  • Researchers found that some FakeWallet samples share modules with a previously known malware called SparkKitty, and both contain Chinese-language internal comments, suggesting a likely Chinese-speaking developer, though attribution to a single group remains unconfirmed.
  • The campaign employs iOS configuration profiles as an attack vector to bypass App Store installation controls entirely, allowing infected wallet apps to be sideloaded directly onto devices — a technique Kaspersky identifies as significantly increasing detection difficulty.
  • Kaspersky notes that the malicious modules in FakeWallet carry no hardcoded geographic restrictions and include multilingual phishing interfaces that auto-adapt to the victim's language, meaning the attack infrastructure is structurally ready for global deployment.
  • The research reveals that the fake apps do not simply steal credentials passively — some variants targeting hardware wallet users actively fabricate 'security verification' screens to socially engineer users into voluntarily submitting their seed phrases.

Topics

  • FakeWallet attack campaign targeting Apple App Store
  • Cryptocurrency wallet impersonation and seed phrase theft
  • Technical evasion methods including iOS configuration profile abuse
  • Potential link to SparkKitty malware and Chinese-speaking threat actors
  • Risk of campaign expansion beyond the Chinese market

Transcript

Security vendor Kaspersky recently disclosed that an attack campaign named FakeWallet has infiltrated Apple's App Store, with at least 26 apps posing as mainstream cryptocurrency wallets. These apps look normal on the surface, but in practice they redirect users to counterfeit download pages, lure them into installing wallets implanted with malware, or use phishing interfaces to trick them into revealing seed phrases (recovery phrases) and private keys, and thereby steal crypto assets.

This wave of attacks has appeared mainly in the China regional App Store. Kaspersky has found at least 26 phishing apps disguised as mainstream cryptocurrency wallets. Because most official wallets cannot be listed in the China App Store (particularly for users whose Apple ID is set to the China region), attackers are able to exploit this situation: they list fake apps whose names and icons closely resemble the official wallets, claim that the official version is unavailable, and steer users to download from other channels, from which the rest of the attack proceeds.

These phishing apps mainly imitate a number of mainstream cryptocurrency wallets, including MetaMask, Ledger Live, Trust Wallet, Coinbase's wallet, as well as TokenPocket, imToken and Bitpie. By using icons and names highly similar to the official ones (even deliberately misspelled), together with seemingly normal interfaces or functionality, they raise the chance that users will be misled into downloading them.

Most of these fake wallet apps are merely entry points: once opened, they direct users to counterfeit pages, lure them into downloading wallets implanted with malware, or directly ask them to enter their seed phrase. When a user creates or imports a wallet, the seed phrase is intercepted and sent to the attacker, who thereby gains control of the wallet and steals its assets. Some attacks aimed at hardware wallet users instead pose as a "security verification" screen to trick users into entering their seed phrase themselves.

The research found that these attacks do not rely on a single technique. Some samples intercept seed phrases during app execution by injecting malicious libraries or tampering with the source code, while other versions use the iOS configuration profile mechanism to bypass App Store installation restrictions and install the infected wallet directly onto the device, making detection and prevention harder.

Regarding the origin of the attacks, Kaspersky points out that the FakeWallet campaign may be linked to another known malware, SparkKitty. Researchers found modules from both in some samples, and Chinese-language comments and log messages appear inside the code, suggesting the developers may be native Chinese speakers. However, it cannot yet be confirmed whether these attacks come from the same hacking group.

Notably, although this attack mainly targets the Chinese market, the malicious modules themselves carry no regional restrictions, and some phishing interfaces can adjust automatically to the user's language, meaning the technique is capable of spreading to other markets.
