FakeWallet Crypto Stealer - Spreading Through iOS Apps

A wave of phishing apps disguised as crypto wallets has been discovered in the Apple App Store. These fake apps target users to steal sensitive information. It's crucial for crypto wallet users to remain vigilant and verify app legitimacy to avoid falling victim to these scams.


Original Reporting

Kaspersky Securelist · Sergey Puzan

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯 Basically, fake apps trick users into giving away their crypto wallet information.

What Happened

In March 2026, a significant security threat emerged as researchers uncovered over twenty phishing apps in the Apple App Store. These apps masqueraded as popular crypto wallets, aiming to deceive users into revealing sensitive information. Once launched, the apps redirected users to fake browser pages mimicking the App Store, ultimately distributing trojanized versions of legitimate wallets.

Who's Being Targeted

The primary targets of these phishing apps are crypto wallet users, particularly in regions where official wallet apps are unavailable. This is especially prevalent in China, where many users are forced to seek alternatives due to regional restrictions on popular wallets like MetaMask and Coinbase.

Signs of Infection

Users may notice several signs indicating infection:

  • 🔴 Unexpected app behavior: Apps may redirect to unfamiliar websites.
  • 🟡 Strange prompts: Requests for recovery phrases or private keys that legitimate apps wouldn’t ask for.
  • 🟠 App names with typos: These phishing apps often employ typosquatting to slip past App Store filters.

How to Protect Yourself

To safeguard against these threats:

Detection

  1. Verify app legitimacy: Always download apps from official sources and check for reviews.
  2. Avoid suspicious links: Be cautious of links that prompt you to enter sensitive information.

Technical Details

The attackers utilized malicious modules tailored for specific wallets, employing techniques like library injection to compromise apps. For instance, a malicious library named libokexHook.dylib was found embedded in a modified version of the Coinbase app, designed to hijack the recovery phrase entry process. This method allows the malware to scrape sensitive data directly from the user interface.

Conclusion

This incident highlights the ongoing risks associated with mobile threats targeting cryptocurrency users. As the landscape evolves, it’s crucial for users to remain vigilant and adopt best practices for digital security. The identification and removal of these malicious apps from the App Store is a step in the right direction, but continued awareness is essential to prevent future attacks.

🔒 Pro Insight

The resurgence of crypto wallet phishing reflects a growing trend in mobile malware, exploiting user trust in app stores.
