Hackers Use 26 Fake Wallet Apps on App Store to Steal Crypto Keys

Cybersecurity researchers have identified 26 malicious applications on the Apple App Store that impersonate legitimate cryptocurrency wallets. These apps, active since at least fall 2025, are designed to steal recovery phrases and private keys from users.

According to a report from Kaspersky, the fake applications trick users into providing sensitive data. “Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distribute trojanized versions of legitimate wallets,” the company stated. This technique bypasses Apple’s standard app review process by loading the malicious components from external servers after installation.

How the Fake Wallet Apps Operate

The fraudulent apps mimic well-known digital wallet brands, appearing authentic to unsuspecting users. After a victim downloads and opens a fake app, it displays a login or sync screen that demands their seed phrase or private key. In some cases, the app redirects the user to a phishing webpage that asks for the same credentials directly.

Security experts note that the apps use “clicker” and “redirection” tactics to avoid detection during Apple’s initial screening. The malicious code is not embedded in the app’s binary but is fetched from a remote server once the app is active on the device. This technique, known as a “dropper” attack, has become increasingly common in mobile malware campaigns.

Impact and Scope of the Threat

Victims who enter their seed phrases or private keys into these apps risk losing access to their cryptocurrency holdings permanently. Because blockchain transactions are irreversible, stolen funds cannot be recovered. Kaspersky researchers have stated that the campaign appears to be targeting a broad user base, not specific high-value individuals.

The discovery highlights ongoing vulnerabilities in the App Store’s security model. While Apple has removed the 26 identified apps, researchers warn that similar threats may reappear with new names or developer accounts. The apps were reportedly available in multiple regions, potentially affecting thousands of users globally.

Comparison With Previous Attacks

This incident is not the first of its kind. In previous years, fake cryptocurrency wallet apps have been found on both the Apple App Store and Google Play Store. However, the scale and sophistication of this campaign, involving 26 distinct apps, mark a significant escalation. The use of server-side content loading makes these apps harder to detect than traditional malware, whose malicious code sits in the app itself where static code analysis can find it.

Preventive Measures for Users

To avoid such threats, security professionals recommend that cryptocurrency users download wallet apps only from official developer websites rather than app stores. Users should also verify developer credentials, check the date of the app’s first release, and read user reviews carefully. Entering a seed phrase into any application other than a trusted hardware wallet or a verified software wallet is strongly discouraged.

Experts also advise enabling two-factor authentication where possible, using hardware wallets for large holdings, and regularly checking for app updates from official sources. If a user suspects they have entered credentials into a fake app, they should transfer their funds to a new wallet immediately.

Official Responses and Next Steps

Apple has not issued a public statement regarding the specific removal of these 26 apps. However, the company has previously stated it employs a rigorous app review process and investigates reports of malicious software. Kaspersky has shared its findings with Apple and other relevant authorities.

Moving forward, analysts expect Apple to strengthen its app review algorithms to better detect apps that load remote code after installation. The cybersecurity community is also calling for more transparent reporting on app removals to help users stay informed. Users are urged to remain vigilant and to monitor official security advisories from wallet providers and cybersecurity firms.

Source: Kaspersky
