A large-scale cryptocurrency hacking attempt targeting the assets of iPhone users has been revealed, rapidly heightening tension in the security industry. With numerous fake cryptocurrency wallet apps disguised as popular services uncovered, observers say the vulnerabilities of the iOS ecosystem, previously considered relatively safe, have been directly exposed.
According to the cryptocurrency news outlet CryptoPotato on April 23rd (local time), global cybersecurity company Kaspersky recently identified 26 fraudulent applications in Apple's App Store that were designed to steal user assets. These apps mimicked the names and designs of widely used cryptocurrency wallets such as MetaMask, Ledger, and Coinbase, leading users to mistake them for legitimate services. The targets included wallets supporting not only Bitcoin (BTC) and Ethereum (ETH) but also XRP, and the apps were confirmed to lure users to elaborately crafted phishing pages when launched.
To bypass Apple's security review, the attackers initially disguised the apps as ordinary utilities, such as calculators or to-do list managers. After installation, however, the apps displayed a fake App Store screen to make users believe they were seeing an official update, then induced them to install an additional wallet app containing malicious code. According to Kaspersky's analysis, Apple's enterprise developer tools were exploited in this process, and the scheme was designed to induce the installation of a specific protocol, allowing malicious software to run outside the App Store.
This attack is believed to have been under way since at least the fall of 2025 and is linked to a malware distribution organization known as 'SparkleKitty'. While the primary targets were Chinese users, the malware itself has no geographical restrictions, making all iPhone users worldwide, including those in South Korea, potential victims. Following Kaspersky's report, Apple promptly removed the apps.
Security experts point out that the perception of iPhones being relatively safe has ironically led to a lowering of user vigilance. Sergey Puzan, a mobile malware expert at Kaspersky, explained that attackers can pay for and obtain developer accounts, then target all iOS devices exposed to phishing. At the same time, he raised the possibility of variant attacks using similar methods continuing to emerge. Recently, cases of fake hardware wallets distributed through online marketplaces stealing seed phrases have also been confirmed, indicating a trend of attack methods spreading across both online and offline environments.
The core of virtual asset security lies in fundamentally blocking app installations through unverified channels. Verifying downloads through official websites and checking developer information are emphasized as basic defensive measures. As stolen assets are virtually impossible to recover, the necessity of using cold storage, such as hardware wallets, is once again being highlighted. In an environment where cybercrime is becoming more sophisticated, technical security alone is clearly limited, and users' own thorough security habits are emerging as a key factor in protecting assets.
*Disclaimer: This article is for investment reference only, and we are not responsible for any investment losses based on it. The content should be interpreted for informational purposes only.*