Kaspersky researchers discovered 26 phishing apps in the Apple App Store impersonating popular crypto wallets including MetaMask, Ledger, Trust Wallet, and Coinbase. Once launched, these apps redirect users to fake App Store pages that distribute trojanized wallet versions via iOS enterprise provisioning profiles. The malicious modules use dylib injection or source code modification to hijack recovery phrase entry screens, encrypt captured mnemonics with RSA/PKCS#1, and exfiltrate them to C2 servers. Cold wallet apps like Ledger are targeted via sophisticated phishing overlays with mnemonic autocomplete. The campaign, active since at least fall 2025, primarily targets Chinese users but has no built-in regional restrictions. Attribution evidence links the threat actors to the SparkKitty Trojan campaign. Indicators of compromise including file hashes, malicious URLs, and C2 addresses are provided.
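The dylib-injection technique described above leaves a structural trace in the app's main executable: an injected library is linked through an extra `LC_LOAD_DYLIB` load command that the vendor's legitimate build does not carry. The following is an added defender-side triage example, not Kaspersky's code or any wallet vendor's code. It parses the load commands of a Mach-O image (the same information `otool -L` prints), lists every linked dylib, and reports those that are neither under Apple's system library paths nor in a baseline taken from a known-good build of the same app. The sample image, the baseline, and the library names (including the `@rpath/injected_hook.dylib` entry standing in for an injected module) are constructed here for illustration and are not indicators from the report.

```python
import struct

# Mach-O constants (from <mach-o/loader.h>)
MH_MAGIC = 0xFEEDFACE          # 32-bit image, little-endian
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit image, little-endian
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_LOAD_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}

# Libraries under these prefixes are supplied by iOS itself, so their presence is expected.
SYSTEM_PREFIXES = ("/System/Library/", "/usr/lib/")


def linked_dylibs(data: bytes) -> list[str]:
    """Return the install names referenced by dylib load commands, in on-disk order.

    Only thin (single-architecture) little-endian images are handled; split a
    fat/universal binary into slices before calling this.
    """
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O image")
    # ncmds and sizeofcmds sit at offsets 16 and 20 in both header layouts.
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = header_size + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of image")
    names = []
    offset = header_size
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load command table overruns sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd in DYLIB_LOAD_COMMANDS:
            # struct dylib_command: cmd, cmdsize, then a dylib struct whose first
            # field is the offset of the NUL-terminated install name (relative to the command).
            (name_off,) = struct.unpack_from("<I", data, offset + 8)
            raw = data[offset + name_off : offset + cmdsize]
            names.append(raw.split(b"\x00", 1)[0].decode("utf-8", "replace"))
        offset += cmdsize
    return names


def unexpected_dylibs(data: bytes, baseline: set[str]) -> list[str]:
    """Linked dylibs that are neither iOS system libraries nor in the known-good baseline.

    A Swift app legitimately links @rpath/libswift*.dylib and its own embedded
    frameworks, so a per-app baseline from the vendor's genuine build is needed;
    a bare "anything under @rpath is bad" rule would be far too noisy.
    """
    return [
        name
        for name in linked_dylibs(data)
        if not name.startswith(SYSTEM_PREFIXES) and name not in baseline
    ]


# --- Constructed sample image (not a real app binary) -------------------------

def _dylib_command(cmd: int, name: str) -> bytes:
    """Encode one dylib_command with the install name at offset 24, padded to 8 bytes."""
    payload = name.encode() + b"\x00"
    pad = (-(24 + len(payload))) % 8
    cmdsize = 24 + len(payload) + pad
    # cmd, cmdsize, name offset, timestamp, current_version, compatibility_version
    return struct.pack("<IIIIII", cmd, cmdsize, 24, 2, 0x10000, 0x10000) + payload + b"\x00" * pad


def build_sample_image(dylibs: list[str]) -> bytes:
    """Build a minimal arm64 Mach-O header whose only load commands are LC_LOAD_DYLIBs."""
    cmds = b"".join(_dylib_command(LC_LOAD_DYLIB, n) for n in dylibs)
    cpu_type_arm64 = 0x0100000C
    mh_execute = 2
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, cpu_type_arm64, 0, mh_execute,
                         len(dylibs), len(cmds), 0, 0)
    return header + cmds


# Link set of the hypothetical genuine wallet build (constructed baseline).
BASELINE = {
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "/System/Library/Frameworks/Foundation.framework/Foundation",
    "@rpath/libswiftCore.dylib",
}

# Suspect build: same libraries plus one extra load command for an injected module.
SAMPLE_IMAGE = build_sample_image([
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "/System/Library/Frameworks/Foundation.framework/Foundation",
    "@rpath/libswiftCore.dylib",
    "@rpath/injected_hook.dylib",   # constructed placeholder for an injected dylib
])

if __name__ == "__main__":
    for name in unexpected_dylibs(SAMPLE_IMAGE, BASELINE):
        print("unexpected dylib:", name)
```

In practice the input is the main executable unpacked from the suspect IPA (`Payload/<App>.app/<App>`), split per architecture first, and the baseline is the link list of the same binary from the vendor's genuine release. A hit is a reason to pull the named library out of the bundle for analysis; it is not by itself proof of tampering, since a repackaged build can also carry legitimately added frameworks.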