FakeWallet crypto stealer spreading in the App Store
April 20, 2026, 4:54 p.m.
Description
In March 2026, more than twenty phishing applications masquerading as popular cryptocurrency wallets were discovered in the Apple App Store. The App Store listings themselves act as lures: they redirect users to browser pages that distribute trojanized builds of the legitimate wallets, engineered to steal recovery phrases and private keys. The campaign has been active since at least fall 2025 and targets major wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. The trojanized wallets are installed outside the App Store via iOS provisioning profiles, and the malicious functionality is added by injecting a library into the otherwise legitimate app binary so that it hooks the wallet's own code. The campaign primarily targets users in China, where the official wallet apps are regionally restricted, so a sideloaded copy is less likely to raise suspicion. Some of the trojanized apps also contained SparkKitty modules, suggesting a possible link between the threat actors. Stolen credentials are RSA-encrypted before being exfiltrated to command-and-control servers (the Rsakeyword.php and Rsakeycatch.php endpoints among the indicators are the receiving side of that channel).
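As an added triage example (not code from the original report or from any wallet vendor), the following Python script lists the libraries a 64-bit Mach-O executable links and diffs them against a known-good build, which is the check that exposes a library injected into a repackaged wallet app. The two binaries are constructed in memory with struct; libhook.dylib and every other library and rpath name in them are hypothetical.

```python
"""Added triage example (not from the original report): enumerate the dylibs a
64-bit Mach-O executable links and diff them against a known-good build, the
check that exposes a library injected into a repackaged wallet app.
The sample binaries below are constructed in memory; every library and rpath
name in them is hypothetical."""
import struct

MH_MAGIC_64 = 0xFEEDFACF          # native-endian 64-bit Mach-O magic
MH_CIGAM_64 = 0xCFFAEDFE          # byte-swapped variant
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
LC_RPATH = 0x8000001C
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}
APPLE_PREFIXES = ("/usr/lib/", "/System/Library/")
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


def load_commands(data: bytes):
    """Yield (cmd, raw_command_bytes, endian_prefix) for each load command."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError("not a 64-bit Mach-O; fat binaries must be sliced first")
    (ncmds,) = struct.unpack_from(end + "I", data, 16)  # mach_header_64.ncmds
    off = 32                                             # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        yield cmd, data[off:off + cmdsize], end
        off += cmdsize


def _lc_str(raw: bytes, field_off: int, end: str) -> str:
    """Resolve an lc_str (offset relative to the command start) to a string."""
    (str_off,) = struct.unpack_from(end + "I", raw, field_off)
    return raw[str_off:].split(b"\0", 1)[0].decode("utf-8", "replace")


def linked_libraries(data: bytes):
    """Return (dylib paths, rpath entries) in load-command order."""
    libs, rpaths = [], []
    for cmd, raw, end in load_commands(data):
        if cmd in DYLIB_CMDS:
            libs.append(_lc_str(raw, 8, end))    # dylib_command.dylib.name
        elif cmd == LC_RPATH:
            rpaths.append(_lc_str(raw, 8, end))  # rpath_command.path
    return libs, rpaths


def non_apple_libraries(data: bytes):
    """Heuristic: anything not under Apple's system paths deserves a look."""
    return [lib for lib in linked_libraries(data)[0]
            if not lib.startswith(APPLE_PREFIXES)]


def injected_libraries(suspect: bytes, baseline: bytes):
    """Dylibs the suspect binary loads that the known-good build does not."""
    known = set(linked_libraries(baseline)[0])
    return [lib for lib in linked_libraries(suspect)[0] if lib not in known]


# --- constructed sample binaries (hypothetical names, not real samples) ---
def _dylib_cmd(cmd: int, name: str) -> bytes:
    name_b = name.encode() + b"\0"
    size = 24 + len(name_b)
    size += (-size) % 8                     # load commands are 8-byte aligned
    # cmd, cmdsize, name.offset, timestamp, current_version, compat_version
    head = struct.pack("<IIIIII", cmd, size, 24, 2, 0x10000, 0x10000)
    return (head + name_b).ljust(size, b"\0")


def _rpath_cmd(path: str) -> bytes:
    path_b = path.encode() + b"\0"
    size = 12 + len(path_b)
    size += (-size) % 8
    return (struct.pack("<III", LC_RPATH, size, 12) + path_b).ljust(size, b"\0")


def _build_macho(cmds) -> bytes:
    body = b"".join(cmds)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                         MH_EXECUTE, len(cmds), len(body), 0, 0)
    return header + body


# What a clean wallet build might link: Apple's libSystem plus its own Swift runtime.
CLEAN_CMDS = [
    _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
    _rpath_cmd("@executable_path/Frameworks"),
    _dylib_cmd(LC_LOAD_DYLIB, "@rpath/libswiftCore.dylib"),
]
CLEAN_BINARY = _build_macho(CLEAN_CMDS)
# The repackaged copy: identical, plus one appended LC_LOAD_DYLIB for the hook library.
TROJANIZED_BINARY = _build_macho(
    CLEAN_CMDS + [_dylib_cmd(LC_LOAD_DYLIB, "@executable_path/Frameworks/libhook.dylib")])

if __name__ == "__main__":
    print("non-Apple libs:", non_apple_libraries(TROJANIZED_BINARY))
    print("injected vs clean build:", injected_libraries(TROJANIZED_BINARY, CLEAN_BINARY))
```

On a real sample, unzip the IPA and read the main executable under Payload/<App>.app/, slicing a fat binary down to the arm64 slice first; the baseline should be a copy of the wallet obtained from the vendor, not from the page the phishing app pointed at. The non_apple_libraries heuristic is deliberately noisy (the app's own Swift runtime shows up too), which is why the diff against a clean build is the decisive check. Inspecting embedded.mobileprovision for an enterprise or ad-hoc profile the vendor would never ship is the companion check for the provisioning-profile distribution the description mentions.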
Date
- Created: April 20, 2026, 3:07 p.m.
- Published: April 20, 2026, 3:07 p.m.
- Modified: April 20, 2026, 4:54 p.m.
Indicators
- ce5cb685b831d3eec4c86ca50b110827e7ad1f0e4fec41c4e4f87dcd97f262cb
- https://appstoreios.com/DjZH?key=646556306F6Q465O313L737N3332939Y353I830F31
- https://kkkhhhnnn.com/api/open/postByTokenpocket
- https://helllo2025.com/api/open/postByTokenpocket
- https://www.gxzhrc.cn/download/
- https://api.npoint.io/153b165a59f8f7d7b097
- https://nmu8n.com/tpocket/ios/Rsakeyword.php
- https://zdrhnmjjndu.ulbcl.com/tWe0ASmXJbDz3KGh?4a1bbe6d=31d25ddf2697b9e13ee883fff328b22f
- https://yjzhengruol.com/s/3f605f
- https://xz.apps-store.im/s/dDan?key=646756376F6A465D313L737J333993473233038L39&c=
- https://crypto-stroe.cc/
- https://xz.apps-store.im/s/iuXt?key=646Y563Y6F6H465J313X737U333S9342323N030R34&c=
- https://ngy2yjq0otlj.ahroar.com/17pIWJfr9DBiXYrSb
- https://ngy2yjq0otlj.ahroar.com/EpCXMKDMx1roYGJ
- https://mtjln.siyangoil.com/08dT284P/1ZMz5Xmb0EoQZVvS5
- https://ntm0mdkzymy3n.oukwww.com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf
- https://zmx6f.com/btp/ios/receiRsakeyword.php
- www.gxzhrc.cn
- https://139.180.139.209/prod-api/system/confData/getUserConfByKey/
- https://xz.apps-store.im/CqDq?key=646R563V6F6Y465K313J737G343C3352383R336O35
- https://mti4ywy4.lahuafa.com/UVB2U/mw2ZmvXKUEbzI0n
- https://mziyytm5ytk.ahroar.com/kAN2pIEaariFb8Yc
- https://odm0.siyangoil.com/TYTmtV8t/JG6T5nvM1AYqAcN
- https://6688cf.jhxrpbgq.com/6axqkwuq
- https://ntm0mdkzymy3n.oukwww.com/jFms03nKTf7RIZN8?61f68b07f8=0565364633b5acdd24a498a6a9ab4eca
- https://iosfc.com/ledger/ios/Rsakeycatch.php
- https://sxsfcc.com/api/open/postByTokenpocket
- https://api.dc1637.xyz
- https://xz.apps-store.im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737
- https://nziwytu5n.lahuafa.com/10RsW/mw2ZmvXKUEbzI0n
- https://zdrhnmjjndu.ulbcl.com/7uchSEp6DIEAqux?a3f65e=417ae7f384c49de8c672aec86d5a2860
- https://mgi1y.siyangoil.com/vmzLvi4Dh/1Dd0m4BmAuhVVCbzF
Additional Information
- crypto-stroe.cc
- api.dc1637.xyz
- mti4ywy4.lahuafa.com
- nziwytu5n.lahuafa.com
- mtjln.siyangoil.com
- zdrhnmjjndu.ulbcl.com
- ntm0mdkzymy3n.oukwww.com
- iosfc.com
- mziyytm5ytk.ahroar.com
- helllo2025.com
- kkkhhhnnn.com
- nmu8n.com
- xz.apps-store.im
- mgi1y.siyangoil.com
- sxsfcc.com
- ngy2yjq0otlj.ahroar.com
- odm0.siyangoil.com
- 6688cf.jhxrpbgq.com
- zmx6f.com
- yjzhengruol.com
- appstoreios.com
- China