Researchers Find 26 Malicious Crypto Wallet Apps Impersonating Popular Wallets on Apple App Store

Beware: 26 Malicious Crypto Wallet Apps Discovered on Apple App Store

In a significant cybersecurity revelation, researchers have identified 26 malicious applications on the Apple App Store that impersonate popular cryptocurrency wallets. These counterfeit apps aim to steal users’ recovery phrases and private keys, posing a substantial threat to cryptocurrency holders.

Discovery and Modus Operandi

Cybersecurity experts from Kaspersky uncovered these deceptive applications, collectively termed FakeWallet. These apps mimic well-known cryptocurrency wallets such as Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. Once installed, these apps redirect users to browser pages that closely resemble the official App Store, distributing trojanized versions of legitimate wallets. The primary objective is to hijack users’ recovery phrases and private keys, granting attackers unauthorized access to victims’ cryptocurrency assets.

Distribution and Tactics

Unlike previous malicious cryptocurrency wallets that relied on bogus websites and exploited iOS provisioning profiles, this new scheme represents a more sophisticated approach. The counterfeit apps were directly available for download from Apple’s App Store, particularly targeting users whose Apple accounts were set to China. These apps employed icons identical to the legitimate ones but included intentional typos in their names (e.g., LeddgerNew) to deceive unsuspecting users. In some instances, the app names and icons bore no relation to cryptocurrency at all; such apps served as placeholders that sent users to download what was presented as the official wallet app, under the pretense that it was unavailable in the App Store for regulatory reasons.

Technical Insights

Kaspersky’s analysis revealed that the attackers developed a variety of malicious modules, each tailored to a specific wallet. In most cases, the malware was delivered through malicious library injections. However, some builds involved modifications to the app’s original source code. The ultimate goal of these infections was to extract mnemonic phrases from both hot and cold wallets and transmit them to an external server. This allowed the attackers to gain control over victims’ wallets, enabling them to drain cryptocurrency assets or initiate fraudulent transactions.

The seed phrases were captured using two primary methods:

1. Code Hooking: Intercepting the code responsible for the screen where users enter their recovery phrases.

2. Phishing Pages: Serving deceptive pages that prompted victims to enter their mnemonics under the guise of a verification step.

Potential Attribution

There is speculation that this campaign may be linked to threat actors associated with the SparkKitty trojan campaign from the previous year. Some of the infected apps included modules designed to steal wallet recovery phrases using optical character recognition (OCR). Both campaigns appear to be orchestrated by native Chinese speakers and specifically target cryptocurrency assets.

Apple’s Response and Ongoing Challenges

Following the disclosure, many of these malicious apps have been removed from the App Store. However, this incident underscores the persistent challenges in maintaining the security of app marketplaces. Apple has previously reported significant efforts to combat fraudulent activities. In 2024 alone, the company prevented over $2 billion in fraudulent transactions and rejected more than 1.9 million app submissions for failing to meet security and privacy standards. Despite these measures, the emergence of the FakeWallet campaign highlights the evolving tactics of cybercriminals and the need for continuous vigilance.

Broader Implications

The discovery of the FakeWallet apps coincides with the emergence of other sophisticated malware frameworks targeting cryptocurrency users. For instance, Cyble has shed light on an Android malware delivery framework known as MiningDropper (also referred to as BeatBanker). This framework combines cryptocurrency mining with information theft, remote access, and banking malware in attacks targeting users in India, as well as in Latin America, Europe, and Asia. MiningDropper employs a multi-stage payload delivery architecture that includes obfuscation techniques, encrypted payload staging, dynamic DEX loading, and anti-emulation strategies. This design allows threat actors to adapt their final payload delivery to operational needs, demonstrating the increasing sophistication of malware targeting cryptocurrency assets.

Protective Measures for Users

Given the rising threats, cryptocurrency users are advised to exercise caution when downloading wallet applications. To mitigate risks, consider the following steps:

– Verify Authenticity: Always download apps from official sources and verify the developer’s credentials.

– Check Reviews and Ratings: Look for user reviews and ratings to identify potential red flags.

– Be Wary of Typos and Inconsistencies: Pay attention to app names and icons for any discrepancies or misspellings.

– Enable Two-Factor Authentication (2FA): Enhance account security by enabling 2FA where possible.

– Regularly Update Software: Keep your device’s operating system and applications up to date to benefit from the latest security patches.
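The typosquatting pattern described above (names such as LeddgerNew that sit one edit away from a real wallet brand) is something an app reviewer or a corporate mobile-device team can screen for mechanically. The following Python is an added example written for this article, not tooling from Kaspersky, Apple or any of the wallet vendors. The brand list is taken from the names the article mentions; the sample listing names (other than LeddgerNew) and the edit-distance threshold are constructed assumptions for the example.

```python
"""Lookalike wallet-name check (added example; not Kaspersky's or Apple's tooling).

Flags app names that are a small edit away from a known wallet brand, the
pattern the article describes (e.g. "LeddgerNew" for Ledger). The brand list
is drawn from the article; the sample names and threshold are constructed.
"""
import re

# Brand names mentioned in the article; treating this list as the allowlist
# of genuine wallet names is an assumption of this example.
KNOWN_WALLETS = ["Bitpie", "Coinbase", "imToken", "Ledger", "MetaMask",
                 "TokenPocket", "Trust Wallet"]


def normalize(name: str) -> str:
    """Lowercase and drop everything but letters and digits, so spacing and
    punctuation tricks ("Meta-Mask", "meta mask") do not hide a match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def brand_distance(candidate: str, brand: str) -> int:
    """Smallest edit distance between the brand and any window of the
    candidate whose length is within one of the brand's length. Windows let
    "LeddgerNew" still match "Ledger" despite the appended suffix."""
    c, k = normalize(candidate), normalize(brand)
    if not c or not k:
        return len(k) or len(c)
    best = levenshtein(c, k)
    for width in (len(k) - 1, len(k), len(k) + 1):
        if width <= 0 or width > len(c):
            continue
        for start in range(len(c) - width + 1):
            best = min(best, levenshtein(c[start:start + width], k))
    return best


def classify(candidate: str, known=KNOWN_WALLETS, max_distance: int = 1) -> tuple:
    """Return ("exact", brand), ("lookalike", brand) or ("unrelated", None).

    "exact" only means the normalized names match; it is not proof of
    legitimacy, so the listed developer still has to be checked against the
    wallet vendor. "lookalike" covers both near-misses (LeddgerNew) and names
    that embed a brand inside extra words ("Meta Mask Wallet")."""
    norm = normalize(candidate)
    for brand in known:
        if norm == normalize(brand):
            return ("exact", brand)
    best_brand, best = None, None
    for brand in known:
        d = brand_distance(candidate, brand)
        if best is None or d < best:
            best_brand, best = brand, d
    if best is not None and best <= max_distance:
        return ("lookalike", best_brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample listing; only "LeddgerNew" comes from the article.
    for name in ["LeddgerNew", "Ledger", "Meta Mask Wallet", "Trustt Wallet",
                 "Sunny Weather Forecast"]:
        print(f"{name!r} -> {classify(name)}")
```

Two limits follow directly from the article. A name check catches only the typosquatting class; the placeholder apps whose names and icons had nothing to do with cryptocurrency would classify as "unrelated", which is why the check is a screening aid and the developer identity and download source remain the decisive controls. And an "exact" result is not a pass: a counterfeit can reuse the genuine name and icon, so that outcome should route to the developer check rather than be treated as safe.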

By remaining vigilant and adopting these protective measures, users can better safeguard their cryptocurrency assets against emerging threats.