Phishing crypto-wallet clones in the App Store and other attacks on iOS and macOS crypto owners | Kaspersky official blog
Cybercriminals are targeting Apple iOS and macOS users with phishing crypto-wallet clone apps in the official App Store and with trojanized versions of legitimate macOS crypto wallet applications. The attackers publish fake wallet apps that mimic popular wallets; these initially appear benign but later redirect users to phishing sites that prompt them to install malicious apps by sideloading with enterprise provisioning profiles. On macOS, attackers trojanize legitimate wallet apps so that they prompt users for seed phrases under false pretenses. In both cases the goal is to steal seed phrases and gain full access to victims' cryptocurrency holdings. The attacks abuse Apple Developer Enterprise Program features to bypass App Store protections. Users are advised to download apps only from trusted sources, never enter seed phrases outside hardware wallets, and be cautious with terminal commands and app reviews.
AI Analysis
Technical Summary
This threat involves multiple attack vectors targeting Apple device users who manage cryptocurrency. First, phishing apps mimicking popular crypto wallets are distributed via the official App Store, particularly in regions such as China where the official wallets are restricted. These apps appear legitimate but redirect users to phishing sites that prompt installation of malicious apps through sideloading enabled by enterprise provisioning profiles, bypassing App Store review. The sideloaded apps are often trojanized versions of legitimate wallets that request seed phrases, which are then exfiltrated to the attackers. On macOS, infostealers such as MacSync trojanize legitimate wallet applications by injecting malicious code and re-signing the bundle to get past Gatekeeper; the modified app then prompts users for seed phrases under the guise of a recovery process. The attackers rely on the Apple Developer Enterprise Program to distribute malware outside the App Store. The overall attack chain depends heavily on social engineering and on abuse of Apple's app distribution mechanisms.
Potential Impact
Successful exploitation leads to theft of cryptocurrency by capturing wallet seed phrases, granting attackers full control over victims' crypto assets. The phishing apps themselves do not directly steal credentials but serve as a trust-building vector to deliver trojanized apps. The trojanized macOS apps can deceive users into revealing sensitive wallet recovery information. These attacks undermine the security assumptions of Apple devices and official app distribution channels, potentially causing significant financial loss to victims. There is no indication of broader system compromise beyond crypto wallet theft.
Mitigation Recommendations
No official patch or fix is applicable as this is a social engineering and malware distribution threat rather than a software vulnerability. Users should only download crypto wallet apps from verified official sources and carefully verify app publisher details, ratings, and reviews. Never enter seed phrases into any app or website; seed phrases should only be entered directly on hardware wallets. Avoid installing configuration profiles or sideloading apps outside the App Store unless absolutely certain of their legitimacy. Do not execute untrusted commands in Terminal. Employ comprehensive security solutions to detect phishing and malware. These mitigations align with vendor guidance from Kaspersky, which emphasizes vigilance and cautious app installation practices.
Technical Details
- Article Source: https://www.kaspersky.com/blog/ios-macos-fake-crypto-apps/55665/ (fetched 2026-04-27T16:18:46.635Z, 1902 words)
Threat ID: 69ef8c66ba26a39fba3fde0d
Added to database: 4/27/2026, 4:18:46 PM
Last enriched: 4/27/2026, 4:18:59 PM
Last updated: 4/28/2026, 1:47:40 AM