In March 2026, researchers identified more than twenty phishing apps in the Apple App Store posing as popular crypto wallets such as MetaMask and Ledger. The apps use typosquatted names and placeholder functionality to get past store screening, then redirect users to install trojanized versions through iOS provisioning profiles, so the final payload itself never goes through App Store review. The campaign specifically targets recovery phrases and private keys, and evidence suggests it has been active since late 2025.
Technically, the operators rely on dynamic library (dylib) injection and on modifying the apps' React Native source to hijack the wallet creation and recovery screens. By replacing legitimate class methods with malicious ones, they capture mnemonic phrases, encrypt them with RSA and exfiltrate them to remote C2 servers. The campaign, which shows links to the SparkKitty Trojan, primarily targets Chinese-speaking users but remains a global threat because the malware adapts to different system locales.
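A practical check for the dylib-injection part of this: a repackaged app has to declare the injected library in the Mach-O load commands of its main executable (or a framework) so that dyld maps it, and that table can be diffed against the one from a genuine build. The script below is an added example written for this page, not code from the researchers or from any wallet project. It parses LC_LOAD_DYLIB-family commands from thin and universal (fat) 64-bit Mach-O images and reports paths that a known-good baseline does not contain. The sample binary it analyses is constructed in the script (a header plus load commands only, no segments), and the injected library name libhook.dylib is hypothetical.

```python
"""List the dynamic libraries a Mach-O image loads and diff them against a
known-good baseline. Added example; not the original report's code."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE
LC_REQ_DYLD = 0x80000000
# Load commands that make dyld map another library into the process.
DYLIB_LOAD_CMDS = {
    0x0C: "LC_LOAD_DYLIB",
    0x18 | LC_REQ_DYLD: "LC_LOAD_WEAK_DYLIB",
    0x1F | LC_REQ_DYLD: "LC_REEXPORT_DYLIB",
    0x20: "LC_LAZY_LOAD_DYLIB",
    0x23 | LC_REQ_DYLD: "LC_LOAD_UPWARD_DYLIB",
}
LC_RPATH = 0x1C | LC_REQ_DYLD


def _cstr(buf, start):
    return buf[start:buf.index(b"\x00", start)].decode("utf-8", "replace")


def _parse_thin(data):
    """Return (command_name, path) for every dylib/rpath command in a 64-bit image."""
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O: magic=%#x" % magic)
    out, off, end = [], 32, 32 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd in DYLIB_LOAD_CMDS or cmd == LC_RPATH:
            # dylib_command and rpath_command both start with an lc_str whose
            # uint32 offset is relative to the start of the load command.
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            if name_off >= cmdsize:
                raise ValueError("lc_str offset outside its load command")
            out.append((DYLIB_LOAD_CMDS.get(cmd, "LC_RPATH"), _cstr(data[off:off + cmdsize], name_off)))
        off += cmdsize
    return out


def parse_load_commands(data):
    """Thin or fat input; returns {slice_label: [(command_name, path), ...]}."""
    (magic,) = struct.unpack_from(">I", data, 0)   # fat headers are big-endian
    if magic != FAT_MAGIC:
        return {"thin": _parse_thin(data)}
    (nfat,) = struct.unpack_from(">I", data, 4)
    slices = {}
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        slices["cputype_%d" % cputype] = _parse_thin(data[offset:offset + size])
    return slices


def unexpected_dylibs(data, baseline):
    """Library paths loaded by any slice that the genuine build does not load."""
    found = {path for cmds in parse_load_commands(data).values()
             for cmd, path in cmds if cmd != "LC_RPATH"}
    return sorted(found - set(baseline))


# --- constructed sample data (hypothetical binary, not a real app) ---------
def _dylib_cmd(cmd, path):
    body = struct.pack("<IIII", 24, 0, 0x10000, 0x10000) + path.encode() + b"\x00"
    body += b"\x00" * (-len(body) % 8)             # cmdsize must be 8-aligned
    return struct.pack("<II", cmd, 8 + len(body)) + body


def build_sample(paths):
    """Minimal arm64 MH_EXECUTE image carrying only LC_LOAD_DYLIB commands."""
    cmds = b"".join(_dylib_cmd(0x0C, p) for p in paths)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(paths), len(cmds), 0, 0) + cmds


def wrap_fat(thin_images):
    """Universal wrapper around already-built thin images."""
    hdr, off, archs, blobs = struct.pack(">II", FAT_MAGIC, len(thin_images)), 8 + 20 * len(thin_images), b"", b""
    for img in thin_images:
        archs += struct.pack(">iiIII", struct.unpack_from("<i", img, 4)[0], 0, off, len(img), 0)
        blobs, off = blobs + img, off + len(img)
    return hdr + archs + blobs


GENUINE_DYLIBS = ["/usr/lib/libSystem.B.dylib", "@rpath/React.framework/React"]
INJECTED = "@executable_path/Frameworks/libhook.dylib"   # hypothetical name
SAMPLE = build_sample(GENUINE_DYLIBS + [INJECTED])

if __name__ == "__main__":
    for cmd, path in parse_load_commands(SAMPLE)["thin"]:
        print(cmd, path)
    print("unexpected:", unexpected_dylibs(SAMPLE, GENUINE_DYLIBS))
```

On a real IPA, run parse_load_commands over the main executable and every binary under Frameworks/, with the baseline taken from a copy downloaded from the genuine developer; a library reached only via @executable_path or @rpath that the genuine build does not reference is the thing to pull apart next. The parser rejects a load command whose cmdsize or lc_str offset runs past its table rather than trusting the header, since a hostile binary is exactly the input it will see.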