FakeWallet Crisis: 26 Malicious Crypto Apps Bypass Apple’s Vetting—Here’s How to Protect Your Digital Assets + Video


Introduction

In March 2026, cybersecurity firm Kaspersky uncovered 26 malicious phishing applications on Apple’s official App Store masquerading as legitimate cryptocurrency wallets like MetaMask, Coinbase, Ledger, and Trust Wallet. Collectively dubbed FakeWallet, this campaign has been active since autumn 2025 and leverages typosquatting, enterprise provisioning profiles, and even OCR-based text extraction to steal recovery phrases—enabling attackers to drain victims’ crypto holdings in seconds.

Learning Objectives

  • Understand the multiple attack vectors employed by FakeWallet, including typosquatting, malicious SDK injection, and phishing via enterprise provisioning profiles.
  • Acquire practical detection skills to identify fake wallet apps in app stores using both manual verification and command-line forensics.
  • Implement defensive strategies including seed phrase best practices, app vetting checklists, and incident response procedures for compromised wallets.

You Should Know

1. Anatomy of the FakeWallet Attack Chain

The FakeWallet campaign is a multi-stage process that starts in the App Store and ends with asset theft. The malicious listings come in two kinds. Some imitate a wallet outright, published under a slightly misspelled name (typosquatting, e.g. "LeddgerNew") with a generic icon. Others are decoys: a benign-looking game, calculator or task planner that passes App Store review because it carries no malicious code at review time. Once downloaded and launched, the decoy redirects the user to a phishing page that mimics the real App Store and offers the wallet for "installation" through an iOS enterprise provisioning profile; accepting that profile sideloads a trojanized build of the targeted wallet onto the device, outside the store entirely.

The malware is delivered either as a malicious library injected into a repackaged copy of the genuine wallet or, in more sophisticated builds, as changes to the wallet's own code. Once active, it uses three data-exfiltration techniques:
– Code Hooking: hooks the wallet's create-wallet and recovery screens and captures the words as the user types them.
– Phishing Overlays: shows fake "security verification" prompts, notably inside the Ledger lookalikes, that ask the user to type in the seed phrase.
– OCR Module: scans the photo library for images containing a recovery phrase and extracts the words with optical character recognition. This needs the Photos permission, so a wallet asking for full photo library access is itself a warning sign.

After gathering the seed phrase or private key, the malware RSA-encrypts the data, Base64-encodes it for transport and sends it to an attacker-controlled C2 server. The adversary then restores the wallet on their own device and drains it within seconds.

Step‑by‑Step Guide to Detecting a Suspicious Mobile Provisioning Profile

If you have ever installed a provisioning profile to run an enterprise-distributed app, audit it. A profile is a .mobileprovision file: a CMS (PKCS#7) signature wrapping an XML plist, so it can be decoded and read on a Mac.

On macOS (to inspect a .mobileprovision file; the directory below holds profiles Xcode has installed on the Mac, and a profile downloaded from a phishing page can be decoded the same way):

# List provisioning profiles Xcode has installed on this Mac
ls ~/Library/MobileDevice/Provisioning\ Profiles/

# Decode a specific profile (replace the filename); -D strips the CMS envelope and prints the plist
security cms -D -i ~/Library/MobileDevice/Provisioning\ Profiles/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.mobileprovision

# Pull out the fields that matter: who signed it, when it expires and what it can install.
# ProvisionsAllDevices = true marks an enterprise in-house distribution profile; ProvisionedDevices lists
# the device UDIDs a development/ad hoc profile is limited to. An App Store app needs neither.
security cms -D -i profile.mobileprovision | grep -A 1 -E "<key>(TeamName|TeamIdentifier|ExpirationDate|ProvisionsAllDevices|ProvisionedDevices)</key>"

On iOS (no filesystem access, so audit through Settings):
– Go to Settings → General → VPN & Device Management and review every profile listed under "Enterprise App". If you see one from a developer you do not recognise, tap it and remove it. Deleting the app alone leaves the profile and the trust you granted that developer in place; removing the profile also removes the apps installed under it.
– Mobile security apps such as Avira Mobile Security can warn about suspicious profiles, but the Settings screen is the authoritative list.
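As an added example (not code from the article or from Kaspersky), the following Python script performs the same checks as the `security cms` commands above on any `.mobileprovision` file and runs stand-alone against a constructed sample profile embedded in it. It does not verify the CMS signature; it only locates the embedded plist by byte search, which is enough to answer who issued the profile, what it can install and whether it has expired. The field names are the real keys Apple uses in provisioning profiles; the sample's name, team name, Team ID, UUID and dates are invented.

```python
"""Triage an iOS .mobileprovision file for signs of enterprise sideloading.

Added example, not from the article or from Kaspersky. A real .mobileprovision is a
DER-encoded CMS (PKCS#7) signature wrapping an XML plist. This script does NOT verify
the signature (use `security cms -D` for that); it pulls the plist out by byte search.
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample payload standing in for a profile a phishing page might push.
# Team name, Team ID, UUID and dates are made up; no real profile is embedded.
SAMPLE_PAYLOAD = {
    "Name": "Wallet Distribution",
    "TeamName": "Leddger Technology Ltd",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,             # hallmark of an enterprise (in-house) profile
    "CreationDate": datetime(2025, 10, 1),
    "ExpirationDate": datetime(2099, 1, 1),   # far-future so the sample reads as "current"
    "Entitlements": {
        "application-identifier": "ABCDE12345.*",   # wildcard App ID
        "get-task-allow": False,
    },
    "UUID": "00000000-0000-0000-0000-000000000000",
}
# Fake envelope bytes around the plist, mimicking where it sits inside the CMS blob (constructed).
SAMPLE_FILE = b"\x30\x82\x00\x00" + b"\x00" * 24 + plistlib.dumps(SAMPLE_PAYLOAD) + b"\x00" * 24


def extract_plist(raw: bytes) -> dict:
    """Locate the XML plist inside a .mobileprovision blob (no signature verification)."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start if start >= 0 else 0)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found; not a .mobileprovision file?")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def audit_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Return the fields a user should compare against the vendor, plus red flags."""
    # plistlib returns naive datetimes in UTC, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    ents = profile.get("Entitlements", {})
    app_id = ents.get("application-identifier", "")
    report = {
        "name": profile.get("Name"),
        "team_name": profile.get("TeamName"),
        "team_ids": profile.get("TeamIdentifier", []),
        "app_id": app_id,
        "enterprise": bool(profile.get("ProvisionsAllDevices")),
        "device_count": len(profile.get("ProvisionedDevices", [])),
        "wildcard_app_id": app_id.endswith(".*"),
        "debuggable": bool(ents.get("get-task-allow")),
        "expired": profile.get("ExpirationDate", now) < now,
        "flags": [],
    }
    if report["enterprise"]:
        report["flags"].append("ProvisionsAllDevices: enterprise in-house profile; "
                               "an App Store wallet never needs one")
    if report["wildcard_app_id"]:
        report["flags"].append("wildcard App ID: any app can be signed under it")
    if report["debuggable"]:
        report["flags"].append("get-task-allow: development profile, debugger attachable")
    if report["expired"]:
        report["flags"].append("profile expired")
    return report


def audit_file(raw: bytes, now: Optional[datetime] = None) -> dict:
    """Convenience wrapper: raw .mobileprovision bytes -> report."""
    return audit_profile(extract_plist(raw), now)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILE
    for key, value in audit_file(data).items():
        print(f"{key:16} {value}")
```

Run it with a file argument to inspect a real profile; without one it audits the embedded sample. On a connected phone, libimobiledevice's `ideviceprovision list` enumerates the installed profiles and `ideviceprovision copy <dir>` exports them, so the same script can be pointed at what is actually on the device. Compare `team_name` and `team_ids` with the developer the vendor's own website points to; a wallet vendor that distributes through the App Store has no reason to hand you an enterprise profile at all.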

Defensive Commands for Seed Phrase Management

Never store a seed phrase in plain text. If you must keep a digital backup, encrypt it on an air-gapped system, and keep the key somewhere other than next to the ciphertext (otherwise the encryption adds nothing):

# On an offline Linux/macOS machine, create an encrypted file for your seed phrase
# Generate a strong key (save this key offline, e.g. on paper, and not on the same medium as the ciphertext)
openssl rand -base64 32 > seed.key

# Encrypt the plaintext seed phrase file; -pbkdf2 replaces OpenSSL's deprecated legacy key derivation
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -in seed_plain.txt -out seed_encrypted.aes -pass file:./seed.key

# Remove the plaintext and the key from the machine (shred on Linux, rm -P on macOS; neither is
# reliable on SSDs, which is one more reason the machine should be a throwaway live boot)
shred -u seed_plain.txt seed.key

# Decrypt when needed (offline only; the -pbkdf2 -iter options must match the encryption run)
openssl enc -aes-256-cbc -d -pbkdf2 -iter 600000 -in seed_encrypted.aes -out seed_restored.txt -pass file:./seed.key

AES-CBC gives confidentiality only: a tampered ciphertext decrypts to garbage rather than being rejected, so always verify the restored phrase against the paper copy.

On Windows (PowerShell, built-in tools). EFS and BitLocker protect data at rest against someone who obtains the disk; they do not protect a file from malware running in your own logged-in session, which can read it exactly as you can:

# Create an EFS-encrypted directory (Pro/Enterprise/Education editions; EFS is not available on Home)
mkdir C:\SecureSeed ; cipher /E /S:C:\SecureSeed

# Full-volume encryption with BitLocker (best for laptops); store the recovery password offline, never on the same disk
manage-bde -status
manage-bde -on C: -RecoveryPassword

2. Verifying Wallet Authenticity Before Downloading

Because the FakeWallet apps appeared directly in the App Store, users must not rely on the store’s approval as a guarantee of safety. Follow this app store vetting protocol before any download:

Step‑by‑Step Guide for Verified Wallet Downloads

  1. Do not pick a crypto wallet from App Store search results. Go to the official wallet website (e.g. `https://metamask.io`, `https://www.ledger.com`, `https://trustwallet.com`), typed by hand or from a trusted bookmark, and follow its own App Store link; the listing it opens is the one to compare everything else against.

  2. Check the developer name meticulously, against what the vendor's own site links to. Legitimate wallets are published by well-known entities:

– MetaMask → "MetaMask"
– Ledger Live → "Ledger SAS"
– Trust Wallet → "Trust Wallet"
Any misspelling (e.g. "LeddgerNew", seen in this campaign), or a publisher that differs from the one reached via the official site, is a red flag.

  3. Examine the app's age, download count and review history. A new listing with few reviews should trigger extreme caution. Use multiple sources: check Reddit, X and the vendor's official forum for mentions of that specific listing.

  4. Review the permissions it asks for. iOS requests permissions at run time, so watch the first prompts: a wallet needs network access and, for QR scanning, the camera. It has no reason to ask for contacts, microphone, location or full photo library access; the last one is exactly what the OCR module described in Section 1 needs.

  5. After installation, walk through setup without any real assets. A legitimate wallet asks for an existing recovery phrase only in an "import" or "restore" flow that you chose yourself; otherwise it generates a new phrase for you to write down. Any other prompt for your phrase, whether for "verification", "synchronisation", an update or a "security check", is the universal scam indicator.
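As an added example (not from the article), here is a Python check that applies steps 1 and 2 mechanically to a batch of store listings: it normalises the listing name, strips marketing padding such as "Pro", "New" or "Live", and compares the result by edit distance against the brand names and publishers listed above. The listings it runs over are constructed for illustration. The verdicts are a heuristic to prioritise manual review, not proof of legitimacy: a genuine product with a similar name is flagged for review, which is the intended behaviour.

```python
"""Flag App Store listings whose name or publisher imitates a known wallet.

Added example, not from the article or Kaspersky. Heuristic lookalike check: normalised
name, marketing padding stripped, Levenshtein distance against known brand keys, and a
publisher comparison for exact brand matches.
"""
import re

# Brand key -> publisher name the article lists for the genuine App Store listing.
KNOWN = {"metamask": "MetaMask", "ledger": "Ledger SAS", "trustwallet": "Trust Wallet"}

# Suffixes attackers bolt onto a brand ("MetaMaskPro", "LeddgerNew"); "live" folds
# "Ledger Live" onto the brand key. Stripped repeatedly so "ProNew" also collapses.
PADDING = ("pro", "new", "plus", "official", "app", "lite", "2", "live")


def normalise(name: str) -> str:
    """Lower-case, drop non-alphanumerics, strip padding words from the end."""
    key = re.sub(r"[^a-z0-9]", "", name.lower())
    changed = True
    while changed:
        changed = False
        for pad in PADDING:
            if key.endswith(pad) and len(key) > len(pad):
                key = key[: -len(pad)]
                changed = True
    return key


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(listing_name: str, developer: str):
    """Return (verdict, brand). Verdicts: ok, lookalike-name, publisher-mismatch, unrelated."""
    key = normalise(listing_name)
    for brand, publisher in KNOWN.items():
        exact = key == brand
        # Distance <= 2 catches doubled/swapped letters; the length floor avoids junk matches.
        close = len(key) >= 4 and levenshtein(key, brand) <= 2
        if not (exact or close):
            continue
        if exact and developer == publisher:
            return ("ok", brand)
        if not exact:
            return ("lookalike-name", brand)
        return ("publisher-mismatch", brand)
    return ("unrelated", None)


# Constructed listings (name, developer); not real store data.
SAMPLE_LISTINGS = [
    ("Ledger Live", "Ledger SAS"),
    ("LeddgerNew", "Leddger Tech Ltd"),
    ("MetaMaskPro", "MM Labs"),
    ("Trust Wallet", "Trust Wallet"),
    ("Sudoku Daily", "Puzzle Co"),
]


def audit(listings=SAMPLE_LISTINGS):
    """Classify every listing; anything other than 'ok'/'unrelated' needs a human look."""
    return [(name, dev, *classify(name, dev)) for name, dev in listings]


if __name__ == "__main__":
    for name, dev, verdict, brand in audit():
        print(f"{verdict:18} {name!r:16} by {dev!r:20} (brand: {brand})")
```

Feed it the names and developers scraped from a search results page and review everything marked `lookalike-name` or `publisher-mismatch` before touching it. The `PADDING` list and the distance threshold are the knobs; both err towards false positives, which is the right direction for wallet software.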

Listing installed apps and profiles on a connected iPhone (macOS/Linux):

iOS does not expose per-app permission state to desktop tools; check that on the phone under Settings → Privacy & Security → Photos (and Camera, Contacts, Microphone) to see which apps hold each permission. What desktop tools can give you is an inventory of installed bundles to compare against the known FakeWallet names. Apple Configurator 2 shows apps and profiles per device in its GUI; for scripting, use libimobiledevice:

# List user-installed apps with bundle identifiers (device must be unlocked and paired)
ideviceinstaller -l -o list_user

# Same inventory as a plist, for scripted comparison
ideviceinstaller -l -o xml

3. Forensic Analysis and Incident Response After Seed Phrase Leak

If you suspect a wallet has been compromised or that you entered your seed phrase into a fake app, time is critical. Attackers can drain funds in seconds. Follow this incident response protocol:

Immediate triage commands (network and process inspection). The infected device is the phone, but run these on any desktop that handled the seed phrase, synced the phone's photos, or was used to manage the same wallet:

On Windows (PowerShell as Administrator):

# Check for suspicious outbound connections (look for C2 beaconing); -b adds the owning executable, which needs elevation
netstat -anob | findstr "ESTABLISHED"

# List the most recently modified files in the user's temp directory ($env:LOCALAPPDATA, not the cmd-style %USERNAME%)
Get-ChildItem -Path "$env:LOCALAPPDATA\Temp" -Recurse -File -ErrorAction SilentlyContinue | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 20 FullName, LastWriteTime

On Linux/macOS:

# Current network connections with the owning process
sudo lsof -i -P -n | grep ESTABLISHED

# Files modified in the last 30 minutes under the home directory
find ~ -type f -mmin -30 -ls 2>/dev/null

# Processes holding the camera (Linux; macOS does not expose /dev/video*)
lsof /dev/video* 2>/dev/null

Step‑by‑Step Guide to Responding to a Compromised Wallet

  1. Immediately transfer all remaining assets from the compromised wallet to a new, hardware‑secured wallet. Use a device you trust (preferably one that has been factory reset) and do not reuse the same seed phrase.

  2. Identify the fake app. Compare the list of installed apps against the known FakeWallet names (Kaspersky’s list is available; common examples included “LeddgerNew”, “MetaMaskPro”, and decoy utility apps that displayed fake wallet banners).

  3. Wipe the infected device. Because the malware may have embedded persistence mechanisms (e.g., enterprise profiles that survive app deletion), a full factory reset is recommended:

– iOS: Settings → General → Transfer or Reset iPhone → Erase All Content and Settings
– After reset, restore only from a backup created before the infection occurred.

  4. Report the incident:

  • Notify the official wallet provider (e.g., MetaMask, Ledger) through their support channels.
  • File a report with your local cyber‑crime unit and the IC3 (if in the US).
  • If the malware used OCR, assume that any screenshot or photo containing text may have been exfiltrated—rotate credentials for all accounts whose secrets appeared in images.

4. Hardening Mobile Devices Against Advanced Stealers Like FakeWallet

Protection goes beyond careful downloading. Implement these automated and manual hardening measures to reduce the attack surface.

Step‑by‑Step Guide for Device Hardening

  1. Keep enterprise provisioning profiles off the device unless your employer requires one:

– iOS: Settings → General → VPN & Device Management → remove every profile that is not required for work. If you do not use enterprise apps, there should be none.

  2. Enable Lockdown Mode for high-risk users (iOS 16+):

– Settings → Privacy & Security → Lockdown Mode. This disables many attack vectors, including certain web technologies (such as JIT) and the installation of configuration profiles and MDM enrolment.

  3. Deploy a mobile endpoint detection and response (EDR) product that watches for unexpected network beacons and behavioural anomalies. For iOS, options include Avira Mobile Security or ScamNet.

  4. Use a VPN on public Wi-Fi to encrypt traffic, but be aware that this does nothing against malware that talks to its C2 over HTTPS. Combine it with a DNS filtering service that blocks known C2 domains.

  5. Regularly audit installed applications with a script that lists bundle identifiers and publishers so they can be compared against known-bad names (the macOS loop below prints identifiers and signing teams; the Windows commands list publishers):

On macOS (using `mdls` and `codesign` to get bundle identifiers and signing teams):

# List installed apps with bundle identifier and signing Team ID; mdls -raw prints just the value
for app in /Applications/*.app; do
  id=$(mdls -raw -name kMDItemCFBundleIdentifier "$app" 2>/dev/null)
  team=$(codesign -dv --verbose=4 "$app" 2>&1 | grep '^TeamIdentifier=')
  echo "$app: $id ${team:-TeamIdentifier=unsigned}"
done

On Windows (PowerShell):

# Get installed apps from the registry (64-bit, 32-bit and per-user hives; the trailing \* selects the
# subkeys, without it you get only the parent key) and check name/publisher for suspicious patterns
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*,
                 HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*,
                 HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* -ErrorAction SilentlyContinue |
  Where-Object DisplayName | Select-Object DisplayName, Publisher, InstallDate

5. Securing Seed Phrases: The Essential Offline Workflow

The most valuable “key” to your crypto assets is the recovery phrase. Because FakeWallet uses both direct code hooking and OCR to harvest these phrases, your backup strategy must be resilient to digital compromise.

Step‑by‑Step Guide to a Secure Seed Phrase Workflow

  1. Generate offline only. Use a hardware wallet or a dedicated offline computer (never connected to the internet) to generate your seed phrase. On a live-boot Linux USB you can generate a wallet with Electrum; Tails ships it preinstalled, while on a plain Ubuntu live USB you must install it while still online and then disconnect before doing anything else (an offline machine cannot run apt):
# Ubuntu live USB only, before disconnecting (Tails already has Electrum)
sudo apt update && sudo apt install -y electrum

# Now disconnect (unplug Ethernet, disable Wi-Fi) and create the wallet; Electrum prints the seed once
electrum --offline create
# Write down the 12-24 word phrase on paper; never store it electronically.

  2. Never type your seed phrase into any app or website, no matter how official it looks, unless you are deliberately restoring a wallet you created. Legitimate wallet software asks for the phrase only in a restore/import flow that you chose: Ledger Live never asks for the 24 words at all, and MetaMask asks only in its "Import an existing wallet" flow. A prompt for the phrase during normal operation, an update or a "verification" is the attack.

  3. Backup physically: Write the seed phrase on acid-free paper using a pen that does not smudge. Store copies in two geographically separate secure locations (e.g. a home safe and a bank safety deposit box). Avoid digital backups entirely; if you must use one, follow the encrypted, air-gapped procedure outlined in Section 1.

  4. Consider a passphrase (25th word). Most hardware wallets (and some software wallets) accept an additional user-chosen passphrase that is not stored on the device. Even if your seed phrase is stolen, the attacker opens an empty wallet without it. Note the flip side: a typo in the passphrase also opens an empty wallet rather than producing an error, so keep it in your memory or in a separate physical location, and test it.

  5. Test your backup before depositing significant funds. Use a tiny amount of cryptocurrency to verify that you can restore the wallet from the paper backup.

Example of a safe restoration test (on an offline device):

# Using Electrum offline on the air-gapped machine. The seed goes on the command line, so stop the shell
# from recording it first, and restore into a separate wallet file so the original default wallet is untouched
unset HISTFILE
electrum --offline -w /tmp/restore_test restore "word1 word2 ... word12"
# Compare the first receiving address with the one you recorded when the wallet was created
electrum --offline -w /tmp/restore_test listaddresses | head -n 3
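Step 4 above (the passphrase) and step 5 (testing the restore) can be checked directly in code. The following Python, an added example that is not from the article, implements the BIP39 seed derivation used by BIP39-compatible wallets (hardware wallets, MetaMask, Trust Wallet): PBKDF2-HMAC-SHA512 over the mnemonic with "mnemonic" + passphrase as salt, 2048 rounds, 64-byte output. It shows that each passphrase maps the same 12 words to a different wallet, including passphrases that differ only in case or by a trailing space, which is both the protection and the lock-out risk described above. The mnemonic is the public BIP39 test vector, so the expected seed is known; it must never hold funds. Checksum validation of the mnemonic is omitted because it needs the 2048-word list.

```python
"""BIP39 seed derivation with the standard library, to show what the 25th word does.

Added example, not from the article. Implements BIP39 section "From mnemonic to seed":
seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048 rounds, 64 bytes).
"""
import hashlib
import unicodedata

# Published BIP39 test vector (all-zero entropy, passphrase "TREZOR"). Public knowledge,
# included only to check the implementation; never use this mnemonic for real funds.
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed; the passphrase is part of the salt, not stored anywhere."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, 64)


def seed_fingerprint(seed: bytes) -> str:
    """Short identifier safe to write on the paper backup for comparing restores (reveals no key material)."""
    return hashlib.sha256(seed).hexdigest()[:8]


def passphrase_variants(mnemonic: str, candidates) -> dict:
    """Fingerprint the wallet each candidate passphrase would open.

    Every candidate yields a valid-looking but different wallet: a wrong passphrase does
    not fail, it silently opens an empty one. That property is what makes a stolen
    mnemonic useless to the attacker, and what makes your own typo a lock-out.
    """
    return {p: seed_fingerprint(bip39_seed(mnemonic, p)) for p in candidates}


if __name__ == "__main__":
    for p, fp in passphrase_variants(TEST_MNEMONIC, ["", "TREZOR", "trezor", "TREZOR "]).items():
        print(f"passphrase={p!r:12} wallet fingerprint={fp}")
```

Writing the fingerprint of the intended seed next to the paper backup lets a restore test on an air-gapped machine confirm both the words and the passphrase without exposing either; if the fingerprint differs, a word or the passphrase was transcribed wrongly and the wallet you are looking at is an empty one.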

What Undercode Say

The FakeWallet campaign exposes a fundamental gap in mobile app store security: availability of official apps does not imply trustworthiness. Attackers exploited regional restrictions in China—where legitimate wallets like MetaMask are unavailable—to push fakes that even passed Apple’s review. Key takeaways for the cybersecurity community:

  • App stores are not a security boundary for cryptocurrency software. Users must be trained to bypass store search and always download from official, verified sources outside the store ecosystem.
  • Dormant malware “waiting to be toggled on” represents a new class of threat in mobile stores. Security teams should audit not only installed apps but also their update history and permissions changes over time.
  • OCR‑based theft of seed phrases from device photos is a game changer. Many users store screenshots of their recovery phrase—often as a “backup”—making them vulnerable without any direct interaction. The golden rule remains: never store a seed phrase digitally, in any form, on any device connected to the internet.
  • The enterprise provisioning profile abuse technique is not new, but its combination with a benign App Store‑listed decoy app makes it harder to detect. Mobile device management (MDM) policies should block sideloading of unknown enterprise profiles in corporate environments.

Prediction

The FakeWallet campaign signals a broader shift toward supply‑chain infiltration of official app stores as a primary vector for cryptocurrency theft. As regulatory controls tighten in some jurisdictions, attackers will increasingly exploit gaps between regional availability and global demand, distributing decoy apps that contain no malware at the time of review but activate later via remote updates. We can expect to see similar campaigns targeting Google Play and even desktop package managers (e.g., Homebrew Casks, Snap Store). Users should anticipate a future where hardware wallets combined with air‑gapped seed generation become the baseline for any significant crypto holdings, and where mobile security software shifts from signature‑based detection to behavioral and supply‑chain provenance analysis as the only viable defence.

Reported By: Hackermohitkumar 26 – Hackers Feeds