ACCORDING to Securelist, FakeWallet’s crypto stealer has been spreading through iOS apps in the App Store, with the campaign disclosed on 20 April 2026. In March 2026, more than twenty phishing apps masquerading as popular wallets were identified, with 26 apps specifically mimicking MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken and Bitpie.
The attackers’ approach relies on phishing apps that, when launched, redirect users to browser pages and then install infected wallet variants via enterprise provisioning profiles, enabling data exfiltration of recovery phrases and private keys. Securelist notes that the malware encrypts mnemonics with RSA PKCS #1, encodes them in Base64, and sends them to a command-and-control server, with the threat detected by Kaspersky products as HEUR:Trojan-PSW.IphoneOS[.]FakeWallet.* and HEUR:Trojan.IphoneOS[.]FakeWallet.*.
The campaign appears primarily targeted at users in China, though the malicious modules have no regional restrictions, and some variants feature phishing notifications in the app’s language. Attribution suggests a link to SparkKitty’s creators, based on shared modules and linguistic indicators.