Cybersecurity researchers have uncovered a sophisticated global campaign leveraging malicious applications on both Apple’s App Store and the Android ecosystem, designed to pilfer cryptocurrency assets from unsuspecting users. Dubbed "FakeWallet" by Kaspersky, a collection of 26 illicit applications has been identified on the Apple App Store, masquerading as legitimate cryptocurrency wallets since at least fall 2025, with the express purpose of stealing recovery phrases and private keys. Simultaneously, a potent Android malware framework known as "MiningDropper" (also referred to as BeatBanker) has emerged, combining cryptocurrency mining capabilities with information theft, remote access, and banking malware, primarily targeting users in India, Latin America, Europe, and Asia. These dual threats highlight an escalating sophistication in mobile-based crypto theft, exploiting user trust in official app marketplaces and employing multi-layered deception techniques.
The "FakeWallet" campaign represents a significant escalation in mobile cryptocurrency fraud, distinguishing itself by its direct infiltration of Apple’s ostensibly secure App Store. For years, malicious actors attempting to target iOS users with crypto-stealing applications often resorted to abusing enterprise provisioning profiles or distributing apps via third-party websites. These methods typically required users to bypass Apple’s stringent security measures, often through social engineering tactics that persuaded them to install unverified applications. However, the FakeWallet operation bypassed these traditional hurdles, with the fraudulent apps being directly available for download, particularly for users with their Apple accounts configured for the China region. This direct availability lends a false sense of legitimacy, significantly increasing the potential victim pool.
Kaspersky researcher Sergey Puzan detailed the intricate modus operandi of FakeWallet. Upon launching these counterfeit applications, users are not greeted with a functional wallet interface. Instead, they are immediately redirected to browser pages meticulously designed to mimic the familiar aesthetics of the App Store. These deceptive pages then prompt users to download what are presented as "trojanized versions of legitimate wallets." The core functionality of these infected applications is sinister: they are engineered specifically to hijack critical recovery phrases (also known as seed phrases or mnemonic phrases) and private keys. These pieces of information are the sole access credentials to a user’s cryptocurrency holdings, and their compromise grants attackers complete control over the digital assets.

Among the legitimate wallets impersonated by the 26 FakeWallet apps are industry giants such as Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. These wallets collectively represent billions of dollars in user assets and are trusted by millions globally. The sheer volume and popularity of the targeted wallets underscore the ambitious scope of the attackers. Following the disclosure by cybersecurity researchers, Apple has taken action, with many of these malicious applications subsequently removed from the App Store. Importantly, there is currently no evidence to suggest that these particular FakeWallet applications were distributed via the Google Play Store, indicating a specific focus on the iOS ecosystem for this particular campaign.
The attackers behind FakeWallet employed several cunning strategies to lure victims. Many of the malicious apps featured icons that were near-perfect replicas of their legitimate counterparts, creating a strong visual deception. However, a closer inspection often revealed subtle, intentional typos in the app names, such as "LeddgerNew" instead of "Ledger." These minor alterations were designed to evade automated detection systems while still appearing credible enough to trick hurried or less vigilant users. In other instances, the attackers adopted an even more deceptive approach: some apps bore names and icons entirely unrelated to cryptocurrency, functioning merely as placeholders. These seemingly innocuous apps, once launched, would direct users to download the official wallet app through external channels, falsely claiming that the legitimate application was "unavailable in the App Store" due to regulatory reasons. This tactic not only circumvents App Store scrutiny but also capitalizes on the often-complex regulatory landscape surrounding cryptocurrencies, making the explanation appear plausible to users.
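The typo-style impersonation described above ("LeddgerNew" for "Ledger") is the kind of thing a marketplace reviewer or a brand-protection team can catch mechanically. The following is an added example, not code from Kaspersky or from the article: it normalizes listing names, strips generic suffixes a lookalike tends to append, and flags names within a small edit distance of the wallets the article lists as impersonated. The wallet list comes from the article; the sample listings and developer names are constructed.

```python
import re
from typing import Optional, Tuple

# Legitimate wallets the article says were impersonated by FakeWallet apps
LEGIT_WALLETS = ["Bitpie", "Coinbase", "imToken", "Ledger", "MetaMask", "TokenPocket", "Trust Wallet"]

# Generic trailing tokens a lookalike may append to a brand name ("LeddgerNew")
GENERIC_SUFFIXES = ("wallet", "official", "new", "pro", "plus")


def normalize(name: str) -> str:
    """Lowercase, drop non-alphanumerics, and strip generic trailing tokens."""
    s = re.sub(r"[^a-z0-9]", "", name.lower())
    stripped = True
    while stripped:
        stripped = False
        for tok in GENERIC_SUFFIXES:
            if s.endswith(tok) and len(s) > len(tok):
                s = s[: -len(tok)]
                stripped = True
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(app_name: str) -> Optional[Tuple[str, str, int]]:
    """Return (legit_name, verdict, distance), or None when the name is unrelated.

    'exact-name': the listing reuses a real brand's name; the developer must be verified.
    'lookalike' : within a small edit distance of a real brand (e.g. "LeddgerNew").
    The distance budget scales with the brand length so short names stay strict.
    """
    candidate = normalize(app_name)
    best = None
    for legit in LEGIT_WALLETS:
        target = normalize(legit)
        d = levenshtein(candidate, target)
        if best is None or d < best[1]:
            best = (legit, d, target)
    legit, d, target = best
    if d == 0:
        return (legit, "exact-name", 0)
    if d <= max(1, len(target) // 4):
        return (legit, "lookalike", d)
    return None


def triage(listings):
    """Run classify() over (app_name, developer) pairs and return the flagged rows."""
    flagged = []
    for name, developer in listings:
        hit = classify(name)
        if hit:
            flagged.append((name, developer, *hit))
    return flagged


# Constructed sample listings (hypothetical developer ids, not real App Store data)
SAMPLE_LISTINGS = [
    ("LeddgerNew", "unknown-dev-1"),
    ("MetaMask Pro", "unknown-dev-2"),
    ("Coinbasse", "unknown-dev-3"),
    ("Sudoku Daily", "puzzle-studio"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LISTINGS):
        print(row)
```

An exact-name hit is not proof of fraud by itself (the real vendor publishes under that name too), so the output pairs it with the developer so a reviewer can compare against the brand's known publisher account.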
Kaspersky’s investigation also unearthed several similar applications likely linked to the same threat actor. These apps, while not immediately deploying malicious features, mimicked benign services like games, calculators, or task planners. Their true purpose was revealed upon launch, as they would open a web browser link and then leverage enterprise provisioning profiles to install a wallet app directly onto the victim’s device. This method, while not new, demonstrates the attackers’ willingness to use multiple distribution vectors and their adaptability in exploiting different technical avenues to reach their targets.
The technical sophistication behind FakeWallet is notable. According to Puzan, the attackers developed a "wide variety of malicious modules, each tailored to a specific wallet." This bespoke approach suggests a dedicated and well-resourced operation rather than a generic, one-size-fits-all malware. In most observed cases, the malware was delivered through a malicious library injection, where harmful code was inserted into an otherwise functional or benign application framework. However, researchers also discovered builds where the app’s original source code had been directly modified, indicating a deeper level of compromise or development effort.

The ultimate objective of these elaborate infections is clear: to harvest mnemonic phrases from both "hot" (software-based) and "cold" (hardware-based) wallets, and then exfiltrate them to an external server controlled by the attackers. With these seed phrases, the operators gain complete, irreversible control over the victims’ cryptocurrency wallets, enabling them to drain all assets or initiate fraudulent transactions without the legitimate owner’s consent. The methods for capturing these crucial phrases include hooking into the code responsible for the screen where users typically enter their recovery phrase, thereby intercepting the input directly. Another prevalent technique involves serving a phishing page within the app that instructs the victim to enter their mnemonics as part of a seemingly legitimate "verification" step, effectively tricking them into self-compromising their security.
Researchers suspect a potential link between the FakeWallet campaign and the "SparkKitty trojan campaign" observed in July 2025. This attribution is based on several key similarities: some of the infected FakeWallet apps also contained a module designed to steal wallet recovery phrases using optical character recognition (OCR) technology, a technique previously associated with SparkKitty. Furthermore, both campaigns exhibit characteristics strongly suggesting they are the work of native Chinese speakers and specifically target cryptocurrency assets, pointing to a shared origin or operational overlap. Kaspersky warned that the FakeWallet campaign is "gaining momentum by employing new tactics, ranging from delivering payloads via phishing apps published in the App Store to embedding themselves into cold wallet apps and using sophisticated phishing notifications to trick users into revealing their mnemonics." This continuous evolution underscores the persistent and adaptable nature of these cybercriminal groups.
Adding another layer to the mobile malware threat landscape, the discovery of FakeWallet coincides with Cyble’s detailed analysis of "MiningDropper" (BeatBanker), a sophisticated Android malware delivery framework. MiningDropper is a multi-functional threat, integrating cryptocurrency mining capabilities with extensive information theft, remote access functionalities, and banking malware modules. The primary targets for MiningDropper are users in India, as well as across Latin America, Europe, and other parts of Asia, as part of a broader BTMOB RAT (Remote Access Trojan) campaign.
The distribution of MiningDropper relies on trojanized versions of legitimate or open-source Android applications, notably a modified version of the Lumolight project available on GitHub. Campaigns propagate this malware through fake websites meticulously crafted to impersonate trusted entities, such as banking institutions and regional transport offices. These fake portals are designed to trick users into downloading the malicious application, often under the guise of an official update or a necessary utility. Once launched on an unsuspecting victim’s device, MiningDropper initiates a complex multi-stage sequence. This sequence involves extracting the embedded cryptocurrency miner and additional trojan payloads from an encrypted assets archive contained within the initial package.

Cyble’s technical analysis reveals MiningDropper’s highly advanced architecture. It employs a "multi-stage payload delivery architecture that combines XOR-based native obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques." This layered approach significantly complicates static analysis, making it exceptionally difficult for security researchers and automated systems to detect and dissect the malware. XOR-based obfuscation scrambles the code to hide its true nature, while AES encryption protects the payloads until they are ready to be deployed. Dynamic DEX loading allows the malware to load executable code components only when needed, further hindering detection. Anti-emulation techniques are designed to identify and evade virtual environments used by security researchers, ensuring the malware only fully deploys on real user devices.
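The layering described above (an encrypted assets archive, payloads decrypted and DEX-loaded at runtime) defeats signature matching, but it leaves a coarse static footprint: assets that carry no recognizable header yet have near-uniform byte distributions, or raw DEX files sitting where only resources belong. The following is an added example, not code from Cyble or from any MiningDropper sample: a small entropy-based triage pass over an APK's assets. The thresholds and the sample asset contents are constructed assumptions; the pseudo-random blob stands in for an encrypted payload so the script runs offline.

```python
import hashlib
import math

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits near 8.0
MIN_SIZE = 256            # below this many bytes the entropy estimate is too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_asset(data: bytes) -> str:
    """Cheap static triage of one file pulled from an APK's assets/ directory."""
    if data.startswith(b"dex\n"):
        return "dex"               # raw DEX shipped as an asset: candidate for dynamic loading
    if data.startswith(b"PK\x03\x04"):
        return "zip"               # nested archive; its members need the same triage
    if len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "likely-encrypted"  # no recognizable header, yet near-uniform bytes
    return "plain"


def triage_assets(assets: dict) -> dict:
    """Map each asset name to its verdict."""
    return {name: classify_asset(blob) for name, blob in assets.items()}


def pseudo_random_blob(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an AES-encrypted payload."""
    out = bytearray()
    block = seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


# Constructed sample assets, not taken from any real sample
SAMPLE_ASSETS = {
    "strings.xml": b'<resources><string name="app_name">Flashlight</string></resources>',
    "lib_data.bin": pseudo_random_blob(4096),
    "helper.dex": b"dex\n035\x00" + bytes(120),
}

if __name__ == "__main__":
    for name, verdict in triage_assets(SAMPLE_ASSETS).items():
        print(f"{name}: {verdict}")
```

A "likely-encrypted" verdict is a prompt for dynamic analysis rather than a conviction: legitimate apps also ship compressed media with high entropy, so the signal is strongest when combined with a DexClassLoader reference in the app's own code or with an asset that only decodes after an emulator check passes.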
The modular design of MiningDropper is a critical aspect of its efficacy and adaptability. Cyble notes that this design allows threat actors to "reuse the same distribution and installation framework across hundreds of samples while adapting the final monetization objective to operational needs." This flexibility means that the core dropper framework can be utilized to deliver various final payloads—be it a cryptocurrency miner to secretly generate revenue for the attackers, an information stealer to exfiltrate sensitive data, a remote access tool for full device control, or banking malware to drain financial accounts. Such a versatile framework offers cybercriminals a powerful and adaptable weapon against a broad spectrum of mobile users.
The emergence of campaigns like FakeWallet and MiningDropper underscores a critical and evolving threat landscape in mobile cybersecurity, particularly concerning digital assets. For users, the implications are severe: potential financial ruin from stolen cryptocurrency, compromise of personal data, and a general erosion of trust in app store ecosystems. Apple and Google, despite their substantial investments in security, face an ongoing battle against increasingly sophisticated attackers who find new ways to bypass detection. The FakeWallet incident, specifically, raises questions about the efficacy of App Store review processes, particularly in regions where threat actors might exploit linguistic or cultural nuances.
To mitigate these threats, both platforms and users must remain vigilant. App store operators must continually refine their detection mechanisms, leveraging AI and machine learning to identify subtle impersonations and suspicious code behaviors. For users, the primary defense lies in extreme caution. Always verify the developer of an app, check reviews (though these can be faked), and scrutinize app permissions. Never enter sensitive information like recovery phrases or private keys into an application unless absolutely certain of its legitimacy and necessity. Hardware wallets offer an additional layer of security for significant crypto holdings, as they keep private keys offline. Regular software updates, using strong, unique passwords, and enabling two-factor authentication are also foundational cybersecurity practices that extend to protecting digital assets.

These recent discoveries by Kaspersky and Cyble serve as a stark reminder that the digital frontier of finance remains a prime target for cybercriminals. As the cryptocurrency market matures and attracts more users, the incentive for malicious actors to develop advanced methods of theft will only grow. The ongoing cat-and-mouse game between cybersecurity defenders and attackers demands continuous innovation, vigilance, and user education to safeguard the integrity of digital assets and the trust placed in mobile platforms.
