
Malicious Crypto Wallet Apps Found on China’s Apple App Store

Security researchers uncovered 26 fraudulent cryptocurrency wallet applications on Apple’s App Store in China that mimic popular wallets like MetaMask and Coinbase. The malicious apps aim to steal users’ wallet recovery or seed phrases to gain unauthorized access and drain their cryptocurrency funds.

What happened

A set of 26 malicious apps was discovered on Apple’s App Store specifically targeting users in China. These apps impersonate well-known cryptocurrency wallets, including MetaMask, Coinbase, Trust Wallet, and OneKey. By masquerading as legitimate wallets, they trick users into submitting their recovery or seed phrases. Once obtained, attackers use these credentials to access the victims’ wallets and steal cryptocurrency assets. The apps managed to bypass Apple’s review process and remain available for download.

Why it matters

The compromise highlights ongoing risks in mobile app ecosystems, especially within regions where threat actors target high-value assets such as cryptocurrencies. Apple users in China face increased exposure to scams involving fake wallet apps designed to steal sensitive recovery information. Cryptocurrency users generally rely on the secrecy of their seed phrases to secure access, making these attacks potentially devastating as they allow attackers complete control over victims’ funds. The incident underscores the challenges app marketplaces have in detecting sophisticated impersonation attacks.

What security teams should do

Security teams and end users should exercise caution when downloading cryptocurrency wallet apps, especially on regional app stores. It is important to verify the authenticity of wallet applications by checking publisher information and user reviews. Users who suspect they may have entered recovery phrases into malicious apps should immediately transfer their cryptocurrency assets to new wallets with fresh credentials. Organizations involved in mobile app security should continue to monitor app marketplaces for similar impersonation campaigns and improve vetting processes. Apple is expected to remove or remediate these apps following disclosure.
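The publisher check and marketplace monitoring described above can be automated over exported listing data. The following is an added example, not code from the original article or the researchers: the publisher strings and sample listings are constructed placeholders, and the function names are hypothetical.

```python
import difflib
import unicodedata

# Wallet brands named in the article. Publisher strings are constructed
# placeholders; replace them with the sellers you have verified yourself.
EXPECTED_PUBLISHER = {
    "metamask": "PLACEHOLDER-METAMASK-PUBLISHER",
    "coinbase": "PLACEHOLDER-COINBASE-PUBLISHER",
    "trustwallet": "PLACEHOLDER-TRUSTWALLET-PUBLISHER",
    "onekey": "PLACEHOLDER-ONEKEY-PUBLISHER",
}

def normalize(text):
    """Fold case, compatibility forms and punctuation: 'Meta-Mask' -> 'metamask'."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def matched_brand(app_name, threshold=0.85):
    """Return the brand an app name contains or closely resembles, else None."""
    name = normalize(app_name)
    for brand in EXPECTED_PUBLISHER:
        if brand in name:
            return brand
        # Slide a brand-sized window over the name to catch one-character swaps.
        for i in range(max(1, len(name) - len(brand) + 1)):
            window = name[i:i + len(brand)]
            if difflib.SequenceMatcher(None, brand, window).ratio() >= threshold:
                return brand
    return None

def flag_impersonators(listings):
    """Return (app name, seller, brand) for brand-like listings from other sellers."""
    flagged = []
    for item in listings:
        brand = matched_brand(item["name"])
        if brand and item["seller"] != EXPECTED_PUBLISHER[brand]:
            flagged.append((item["name"], item["seller"], brand))
    return flagged

# Constructed sample listings (not real App Store data).
SAMPLE_LISTINGS = [
    {"name": "MetaMask", "seller": "PLACEHOLDER-METAMASK-PUBLISHER"},
    {"name": "Meta-Mask Wallet Pro", "seller": "Constructed Seller A"},
    {"name": "Trust Wa1let", "seller": "Constructed Seller B"},
    {"name": "Photo Editor", "seller": "Constructed Seller C"},
]

if __name__ == "__main__":
    for name, seller, brand in flag_impersonators(SAMPLE_LISTINGS):
        print(f"REVIEW: {name!r} by {seller!r} resembles {brand}")
```

A flagged listing is a candidate for manual review, not a verdict: legitimate companion apps can also carry a brand name.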

Key technical details

The malicious apps replicate interfaces of popular crypto wallets to deceive users during setup or recovery phases. Their primary method involves prompting users to input private recovery or seed phrases, which are then transmitted to the attackers. With these credentials, attackers can fully control victims’ wallets and transfer out all stored cryptocurrency. These apps appeared on the official Apple App Store in China, evading standard detection controls. The campaign targets multiple widely used wallets, increasing potential victim reach within the region.

Affected organizations/products

The fraudulent applications targeted users of popular cryptocurrency wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey within Apple’s App Store in China. Users downloading wallet apps from this regional store are most at risk. The presence of 26 unique malicious apps suggests a coordinated effort to infiltrate the marketplace environment in the region.

Source attribution

https://www.bleepingcomputer.com/news/security/chinas-apple-app-store-infiltrated-by-crypto-stealing-wallet-apps/

Written by Thirumala Rao Padilam