{"id":25495,"date":"2026-04-27T20:20:35","date_gmt":"2026-04-27T16:20:35","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=25495"},"modified":"2026-04-27T20:20:35","modified_gmt":"2026-04-27T16:20:35","slug":"ios-macos-fake-crypto-apps","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ios-macos-fake-crypto-apps\/25495\/","title":{"rendered":"Crypto thieves ramping up attacks on Apple users"},"content":{"rendered":"<p>Even if you keep your crypto assets in a cold wallet and use Apple devices \u2014 which enjoy a strong reputation for security \u2014 cybercriminals may still find a way to swipe your funds. These bad actors are combining well-known tricks into new attack chains \u2014 including baiting victims right inside the App Store.<\/p>\n<h2>Crypto-wallet clones<\/h2>\n<p>This past March, we discovered phishing apps at the top of the Chinese App Store charts with icons and names mimicking popular crypto-wallet management tools. Because regional restrictions block several official wallet apps from the Chinese App Store, attackers have stepped in to fill the void. 
They created fake apps using icons similar to the originals and names with intentional typos \u2014 likely to bypass App Store moderation and deceive users.<\/p>\n<div id=\"attachment_55668\" style=\"width: 1565px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/27201512\/ios-macos-fake-crypto-apps-01.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-55668\" class=\"wp-image-55668 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/27201512\/ios-macos-fake-crypto-apps-01.jpg\" alt=\"Phishing apps in the App Store appearing in search results for Ledger Wallet (formerly Ledger Live)\" width=\"1555\" height=\"752\"><\/a><p id=\"caption-attachment-55668\" class=\"wp-caption-text\">Phishing apps in the App Store appearing in search results for Ledger Wallet (formerly Ledger Live)<\/p><\/div>\n<p>Beyond these, we found a number of apps with names and icons that had nothing to do with cryptocurrency. 
However, their promotional banners claimed they could be used to download and install official wallet apps that are otherwise unavailable in the regional App Store.<\/p>\n<div id=\"attachment_55666\" style=\"width: 1778px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/27201518\/ios-macos-fake-crypto-apps-02-EN.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-55666\" class=\"wp-image-55666 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/27201518\/ios-macos-fake-crypto-apps-02-EN.jpg\" alt=\"Banners on app pages claiming they can be used to download the official TokenPocket app, which is missing from the local App Store\" width=\"1768\" height=\"1409\"><\/a><p id=\"caption-attachment-55666\" class=\"wp-caption-text\">Banners on app pages claiming they can be used to download the official TokenPocket app, which is missing from the local App Store<\/p><\/div>\n<p>In total, we identified 26 phishing apps mimicking the following popular wallets:<\/p>\n<ul>\n<li>MetaMask<\/li>\n<li>Ledger<\/li>\n<li>Trust Wallet<\/li>\n<li>Coinbase<\/li>\n<li>TokenPocket<\/li>\n<li>imToken<\/li>\n<li>Bitpie<\/li>\n<\/ul>\n<p>A few other very similar apps didn\u2019t contain phishing functionality yet, but all signs point to them being linked to the same attackers. It\u2019s likely they plan to add malicious features in future updates.<\/p>\n<p>To get these apps cleared for the App Store, the developers added basic functionality, such as a game, a calculator, or a task planner.<\/p>\n<p>Installing any of these clones is the first step toward losing your crypto assets. While the apps themselves don\u2019t steal cryptocurrency, seed phrases, or passwords, they serve as bait that builds user trust by virtue of being listed on the official App Store. 
Once installed and launched, however, the app opens a phishing site in the victim\u2019s browser, designed to look like the App Store, which then prompts the user to install a compromised version of the relevant crypto wallet. The attackers have created multiple versions of these malicious modules, each tailored to a specific wallet. You can find a detailed technical breakdown of this attack in our <a href=\"https:\/\/securelist.com\/fakewallet-cryptostealer-ios-app-store\/119474\/\" target=\"_blank\" rel=\"noopener\">Securelist post<\/a>.<\/p>\n<p>A victim who falls for the ruse is first prompted to install a provisioning profile, which allows apps to be sideloaded onto an iPhone outside the App Store. The profile is then used to install the malicious app itself.<\/p>\n<div id=\"attachment_55669\" style=\"width: 601px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/27201522\/ios-macos-fake-crypto-apps-03.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-55669\" class=\"wp-image-55669 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/27201522\/ios-macos-fake-crypto-apps-03.jpg\" alt=\"A fake App Store site prompting the user to install an app masquerading as Ledger Wallet\" width=\"591\" height=\"1156\"><\/a><p id=\"caption-attachment-55669\" class=\"wp-caption-text\">A fake App Store site prompting the user to install an app masquerading as Ledger Wallet<\/p><\/div>\n<p>In the example above, the malware is built on the original Ledger app with integrated Trojan functionality. The app looks identical to the original, but when connected to a hardware wallet, it displays a window requiring a seed phrase, supposedly to restore access. This is not standard procedure: typically, you only need to enter a PIN \u2014 never a recovery phrase. 
If a victim is deceived by the app\u2019s apparent legitimacy and enters their seed phrase, it\u2019s immediately sent to the attackers\u2019 server \u2014 granting them full access to the victim\u2019s crypto assets.<\/p>\n<h2>Sideloading outside the App Store<\/h2>\n<p>A critical component of this scheme involves installing malware on the victim\u2019s iPhone by bypassing the App Store and its verification process. This is executed much like the <a href=\"https:\/\/www.kaspersky.com\/blog\/ios-android-stealer-sparkkitty\/53675\/\" target=\"_blank\" rel=\"noopener nofollow\">SparkKitty iOS infostealer<\/a> we discovered previously. The attackers managed to gain access to the <a href=\"https:\/\/developer.apple.com\/programs\/enterprise\/index.html\" target=\"_blank\" rel=\"noopener nofollow\">Apple Developer Enterprise Program<\/a>. For just US$299 a year \u2014 and following an interview and corporate verification \u2014 this program allows entities to issue their own configuration profiles and apps for direct download to user devices without ever publishing them in the App Store.<\/p>\n<div id=\"attachment_55670\" style=\"width: 601px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/27201526\/ios-macos-fake-crypto-apps-04.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-55670\" class=\"wp-image-55670 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/27201526\/ios-macos-fake-crypto-apps-04.jpg\" alt=\"To install the app, the victim must first install a configuration profile that enables the malware to be downloaded directly, bypassing the App Store. 
Note the green verification checkmark\" width=\"591\" height=\"760\"><\/a><p id=\"caption-attachment-55670\" class=\"wp-caption-text\">To install the app, the victim must first install a configuration profile that enables the malware to be downloaded directly, bypassing the App Store. Note the green verification checkmark<\/p><\/div>\n<p>In general, enterprise profiles are designed to allow organizations to deploy internal apps to employees\u2019 devices. These apps don\u2019t require App Store publication and can be installed on an unlimited number of devices. Unfortunately, this feature is often abused. These profiles are frequently used for software that fails to meet Apple\u2019s policies, such as online casinos, pirated mods, and, of course, malware.<\/p>\n<p>This is precisely why the fake site mimicking the App Store prompts the user to install a configuration profile before delivering the app signed by that profile.<\/p>\n<h2>Stealing cryptocurrency via macOS apps and extensions<\/h2>\n<p>Many crypto owners prefer managing their wallets on a computer rather than a smartphone \u2014 often choosing Macs for the task. It\u2019s no surprise, then, that most popular macOS infostealers target crypto-wallet data in one way or another. Recently, however, a new malicious tactic has been gaining traction: in addition to stealing saved data, attackers are embedding phishing dialogs directly into legitimate wallet applications already installed on users\u2019 computers. Earlier this year, the <a href=\"https:\/\/www.cloudsek.com\/blog\/inside-macsyncs-script-driven-stealer-and-hardware-wallet-app-trojanization\" target=\"_blank\" rel=\"noopener nofollow\">MacSync infostealer<\/a> adopted this functionality. 
It infiltrates systems via <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-clickfix\/53348\/\" target=\"_blank\" rel=\"noopener nofollow\">ClickFix attacks<\/a>: users searching for software are lured to fake sites with fraudulent instructions to install the app by running commands in Terminal. This executes the infostealer, which scrapes passwords and cookies saved in Chrome, chats from popular messengers, and data from browser-based crypto-wallet extensions.<\/p>\n<p>But the most interesting part is what happens next. If the victim already has a legitimate Trezor or Ledger app installed, the infostealer downloads additional modules and\u2026 swaps out fragments of the app with its own trojanized code. The malware then re-signs the modified file so that after these \u201cfixes\u201d are made, Gatekeeper (a built-in protection mechanism in macOS) allows the application to run without an additional permission request from the user. While this trick doesn\u2019t always work, it\u2019s effective for simpler apps built on the popular <a href=\"https:\/\/www.kaspersky.com\/blog\/electron-framework-security-issues\/49035\/\" target=\"_blank\" rel=\"noopener nofollow\">Electron framework<\/a>.<\/p>\n<div id=\"attachment_55671\" style=\"width: 1062px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/27201530\/ios-macos-fake-crypto-apps-05.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-55671\" class=\"wp-image-55671 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/04\/27201530\/ios-macos-fake-crypto-apps-05.jpg\" alt=\"The trojanized app prompts the user for the seed phrase of their wallet\" width=\"1052\" height=\"602\"><\/a><p id=\"caption-attachment-55671\" class=\"wp-caption-text\">The trojanized app prompts the user for the seed phrase of their wallet<\/p><\/div>\n<p>When the trojanized app is opened, it fakes an 
error and initiates a \u201crecovery process\u201d, prompting the user for their wallet seed phrase.<\/p>\n<p>Besides MacSync, the developers behind other popular macOS infostealers have adopted this same trojanization approach. We previously detailed a <a href=\"https:\/\/securelist.com\/new-macos-backdoor-crypto-stealer\/111778\/\" target=\"_blank\" rel=\"noopener\">similar mechanism used to compromise Exodus and Bitcoin-Qt wallets<\/a>.<\/p>\n<h2>How to keep your crypto assets safe<\/h2>\n<p>Time and again, attackers have proved that no gadget is truly invincible. With so many developers and cryptocurrency users preferring macOS and iOS, threat actors have designed and deployed industrial-scale attacks for both platforms. Staying safe requires in-depth defense backed by skepticism and vigilance.<\/p>\n<ul>\n<li>Download apps only from trusted sources: either the developer\u2019s official website or their App Store page. Since malware can slip even into official stores, always verify the app\u2019s publisher.<\/li>\n<li>Check the app\u2019s rating, publication date, and download counter.<\/li>\n<li>Read the reviews \u2014 especially the negative ones. Sort reviews by date to evaluate the latest version. Attackers often start with a perfectly innocent app that earns high ratings before introducing malicious functionality in a later update.<\/li>\n<li>Never copy and paste commands into your Terminal unless you\u2019re 100% certain what they do. These attacks have become very popular lately, often disguised as installation steps for <a href=\"https:\/\/www.kaspersky.com\/blog\/fake-ai-agents-infostealers\/55412\/\" target=\"_blank\" rel=\"noopener nofollow\">AI apps<\/a> like Claude Code or OpenClaw.<\/li>\n<li>Use a comprehensive security system on all your computers and smartphones. 
We recommend <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>. This goes a long way to mitigate the risk of visiting phishing sites or installing malicious apps.<\/li>\n<li>Never enter your seed phrase into a hardware wallet app, on a website, or in a chat. In every scenario, whether migrating to a new wallet, reinstalling apps, or recovering a wallet, the seed phrase should be entered <strong>exclusively on the hardware device itself<\/strong> \u2014 never in a mobile or desktop app.<\/li>\n<li>Always verify the recipient\u2019s address on the hardware wallet\u2019s screen to prevent attacks involving address swapping.<\/li>\n<li>Store your seed phrases in the most secure way possible, such as <a href=\"https:\/\/coincodex.com\/article\/23147\/best-metal-crypto-wallets-for-seed-phrase-storage\/\" target=\"_blank\" rel=\"noopener nofollow\">on a metal plate<\/a> or in a sealed envelope in a safe deposit box. It\u2019s best not to store them on a computer at all, but if that\u2019s your only option, use a secure, encrypted vault like <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a>.<\/li>\n<\/ul>\n<blockquote><p>Still believe that Apple devices are bulletproof? Think again as you read the following:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/ios-exploits-darksword-and-coruna-in-mass-attacks\/55622\/\" target=\"_blank\" rel=\"noopener nofollow\">The iPhone \u2014 invincible no more: a look at DarkSword and Coruna<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/predator-spyware-ios-recording-indicator-bypass\/55463\/\" target=\"_blank\" rel=\"noopener nofollow\">Predator vs. 
iPhone: the art of invisible surveillance<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/whisperpair-blueooth-headset-location-tracking\/55162\/\" target=\"_blank\" rel=\"noopener nofollow\">Are your Bluetooth headphones spying on you?<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/airborne-wormable-zero-click-vulnerability-in-apple-airplay\/53443\/\" target=\"_blank\" rel=\"noopener nofollow\">AirBorne: Attacks on Apple devices through vulnerabilities in AirPlay<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/banshee-stealer-targets-macos-users\/52933\/\" target=\"_blank\" rel=\"noopener nofollow\">Banshee: A stealer targeting macOS users<\/a><\/li>\n<\/ul>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;ve discovered over two dozen phishing apps mimicking popular crypto wallets right in the official App Store. 
Here&#8217;s a breakdown of the new waves of attacks targeting iPhone and Mac users and their crypto holdings.<\/p>\n","protected":false},"author":2749,"featured_media":25502,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[14,2829,2641,1505,2799,1061,1328,695,2151,521,692],"class_list":{"0":"post-25495","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-apple","9":"tag-clickfix","10":"tag-crypto-wallets","11":"tag-cryptocurrencies","12":"tag-infostealers","13":"tag-ios","14":"tag-macos","15":"tag-scam","16":"tag-stealers","17":"tag-threats","18":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ios-macos-fake-crypto-apps\/25495\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ios-macos-fake-crypto-apps\/30449\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ios-macos-fake-crypto-apps\/30293\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ios-macos-fake-crypto-apps\/41766\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ios-macos-fake-crypto-apps\/55665\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ios-macos-fake-crypto-apps\/30602\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ios-macos-fake-crypto-apps\/36180\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ios-macos-fake-crypto-apps\/35831\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ios\/","name":"iOS"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{
"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2749"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=25495"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25495\/revisions"}],"predecessor-version":[{"id":25503,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25495\/revisions\/25503"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/25502"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=25495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=25495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=25495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}