Fake wallets spotted in Apple's App Store: FakeWallet attack steals seed phrases
Kaspersky researchers uncovered a campaign called FakeWallet, identifying at least 26 fraudulent cryptocurrency wallet apps in Apple's App Store, primarily targeting China's regional store. These fake apps impersonate popular wallets like MetaMask and Trust Wallet, intercepting seed phrases and private keys to steal crypto assets. The attack employs multiple techniques including malicious code injection and iOS configuration profiles to evade detection.
Summary
Kaspersky has exposed an attack campaign dubbed FakeWallet, in which at least 26 counterfeit cryptocurrency wallet applications have infiltrated Apple's App Store, predominantly targeting the Chinese regional storefront. The attackers exploit a known gap: many legitimate crypto wallets are unavailable in China's App Store for users with Chinese Apple IDs, creating an opportunity for malicious actors to publish lookalike apps with near-identical icons and names — sometimes with deliberate misspellings — to deceive users into thinking they are downloading official versions.
The fake apps impersonate several major cryptocurrency wallets, including MetaMask, Ledger Live, Trust Wallet, Coinbase Wallet, TokenPocket, imToken, and Bitpie. Rather than functioning as legitimate wallets, these apps serve primarily as entry points that redirect users to phishing pages or prompt them to install malware-laden wallet versions. When users attempt to create or import a wallet, their seed phrases (recovery phrases) and private keys are intercepted and transmitted to attackers, granting full control over the victim's crypto assets. Some variants targeting hardware wallet users display fake 'security verification' screens to trick users into voluntarily entering their seed phrases.
The technical methods employed are varied and sophisticated. Some samples contain injected malicious libraries or tampered source code that intercept seed phrases during app execution. Others exploit iOS configuration profiles to bypass App Store installation restrictions, installing compromised wallets directly onto devices and significantly complicating detection and mitigation efforts.
Kaspersky also identified a potential link between the FakeWallet campaign and a previously known malware strain called SparkKitty, as some samples contained modules from both, along with Chinese-language comments and log messages in the code — suggesting the developers are likely native Chinese speakers. However, researchers caution that attribution to a single threat actor remains unconfirmed.
Despite the campaign's current focus on the Chinese market, Kaspersky warns that the malicious modules contain no regional restrictions, and some phishing interfaces automatically adapt to the user's language, indicating that the same attack methodology could readily be extended to other markets worldwide.
Key Insights
- Kaspersky argues that the FakeWallet campaign specifically exploits China's App Store restrictions on legitimate crypto wallets, using the unavailability of official apps as a social engineering lever to make fake alternatives appear credible.
- Researchers found that some FakeWallet samples share modules with a previously known malware called SparkKitty, and both contain Chinese-language internal comments, suggesting a likely Chinese-speaking developer, though attribution to a single group remains unconfirmed.
- The campaign employs iOS configuration profiles as an attack vector to bypass App Store installation controls entirely, allowing infected wallet apps to be sideloaded directly onto devices — a technique Kaspersky identifies as significantly increasing detection difficulty.
- Kaspersky notes that the malicious modules in FakeWallet carry no hardcoded geographic restrictions and include multilingual phishing interfaces that auto-adapt to the victim's language, meaning the attack infrastructure is structurally ready for global deployment.
- The research reveals that the fake apps do not simply steal credentials passively — some variants targeting hardware wallet users actively fabricate 'security verification' screens to socially engineer users into voluntarily submitting their seed phrases.