ZCyberNews
Threat Intel | High | 2 min read

26 Fake Crypto Wallet Apps on Apple App Store Steal Seed Phrases

Kaspersky found 26 malicious apps on the Apple App Store since fall 2025 that impersonate wallets like MetaMask and Coinbase to steal recovery phrases and private keys via…

Executive Summary

Kaspersky researchers have identified 26 malicious applications on the Apple App Store that impersonate popular cryptocurrency wallets, including MetaMask, Coinbase, and Trust Wallet. Active since at least fall 2025, these apps redirect users to browser-based phishing pages mimicking the App Store to distribute trojanized wallet installers designed to capture recovery phrases and private keys. The campaign targets both iOS and potentially macOS users through Apple's official distribution channel, Kaspersky reported on April 24, 2026.

Technical Analysis

According to Kaspersky's analysis, the fake apps employ a multi-stage infection chain. Upon launch, the app immediately opens a WebView or redirects the user to a phishing page styled identically to the real App Store interface. This page prompts the user to download a seemingly legitimate wallet app — but the installer is trojanized. Once installed, the trojanized wallet behaves normally for basic functions but intercepts and exfiltrates the user's seed phrase or private key when the wallet is created or imported.

Kaspersky noted that the apps were submitted to the App Store under various developer names and categories, likely using stolen or fabricated developer credentials to bypass Apple's review process. The researchers did not disclose the full list of app names or developer accounts, citing ongoing investigations. The campaign appears to be financially motivated, targeting high-value cryptocurrency holders.

Mitigations & Recommendations

Apple has not publicly commented on the takedown timeline, and Kaspersky did not confirm whether all 26 apps have been removed. Users should verify the publisher of any wallet app before downloading — legitimate wallet developers publish under verified accounts with clear support channels. Enabling hardware-based two-factor authentication and never entering seed phrases into any app that requests them outside of the wallet's own secure interface can reduce risk. Kaspersky recommends checking app reviews for suspicious patterns and avoiding apps with few downloads or recent creation dates.
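The publisher, listing-age and download-count checks recommended above can be applied automatically to an app inventory. The following is an added example, not code from Kaspersky or this article: the record fields follow the iTunes Lookup API response shape, while the trusted-seller strings, thresholds and sample records are constructed placeholders.

```python
from datetime import datetime, timezone

# Assumption: placeholder seller strings. Replace them with the seller names
# you have verified on each wallet vendor's own website.
TRUSTED_SELLERS = {
    "metamask": {"PLACEHOLDER MetaMask seller"},
    "coinbase": {"PLACEHOLDER Coinbase seller"},
    "trustwallet": {"PLACEHOLDER Trust Wallet seller"},
}
MIN_RATINGS = 500    # assumed cut-off for "few downloads"
MAX_NEW_DAYS = 180   # assumed cut-off for "recent creation date"

def triage(app, now):
    """Return the reasons a listing needs manual review (empty list = none)."""
    # Drop spaces and punctuation so "Meta Mask" still matches "metamask".
    name = "".join(ch for ch in app["trackName"].lower() if ch.isalnum())
    brands = [b for b in TRUSTED_SELLERS if b in name]
    if not brands:
        return []  # does not present itself as one of the tracked wallets
    reasons = []
    for brand in brands:
        if app["sellerName"] not in TRUSTED_SELLERS[brand]:
            reasons.append(f"uses brand '{brand}' but seller is '{app['sellerName']}'")
    released = datetime.fromisoformat(app["releaseDate"].replace("Z", "+00:00"))
    age_days = (now - released).days
    if age_days < MAX_NEW_DAYS:
        reasons.append(f"listing is only {age_days} days old")
    ratings = app.get("userRatingCount", 0)
    if ratings < MIN_RATINGS:
        reasons.append(f"only {ratings} ratings")
    return reasons

# Constructed sample records, not real App Store listings.
SAMPLE = [
    {"trackName": "MetaMask - Blockchain Wallet", "sellerName": "PLACEHOLDER MetaMask seller",
     "releaseDate": "2020-09-02T07:00:00Z", "userRatingCount": 50000},
    {"trackName": "Meta Mask Wallet Pro", "sellerName": "Constructed Dev Ltd",
     "releaseDate": "2026-03-01T08:00:00Z", "userRatingCount": 12},
    {"trackName": "Photo Editor", "sellerName": "Constructed Studio",
     "releaseDate": "2026-04-01T00:00:00Z", "userRatingCount": 3},
]
NOW = datetime(2026, 4, 24, tzinfo=timezone.utc)  # fixed so the output is reproducible

def run_sample():
    return {a["trackName"]: triage(a, NOW) for a in SAMPLE}

if __name__ == "__main__":
    for title, reasons in run_sample().items():
        print(title, "->", reasons or "no flags")
```

A flagged listing is a prompt for manual review, not a verdict: a legitimate new release from a verified seller will also trip the age and ratings checks.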
