China’s Apple App Store infiltrated by crypto-stealing wallet apps

FakeWallet is a campaign of 26 malicious apps that impersonated popular wallets like MetaMask, Coinbase, Trust Wallet, OneKey, and Ledger to steal recovery/seed phrases and drain cryptocurrency. Kaspersky links the campaign to the SparkKitty operation, noting the apps used typosquatting, fake branding, iOS provisioning profiles, and phishing to sideload trojanized wallets and exfiltrate mnemonics. #FakeWallet #SparkKitty

Key points

  • Twenty-six fake apps on the App Store impersonated popular crypto wallets to steal seed phrases.
  • Attackers used typosquatting, fake branding, and disguised apps as games or calculators to target users in China.
  • Victims were redirected to phishing pages that delivered trojanized wallet apps via abused iOS provisioning profiles.
  • The malicious apps intercept and encrypt mnemonic phrases or prompt manual entry for cold wallets, then exfiltrate them to attackers.
  • Kaspersky attributes the campaign to the FakeWallet/SparkKitty operation; Apple removed the apps after disclosure, and users should verify app publishers and install only from official links.

Read More: https://www.bleepingcomputer.com/news/security/chinas-apple-app-store-infiltrated-by-crypto-stealing-wallet-apps/