
Crypto‑Stealing Wallet Apps Infiltrate Apple App Store in China, Targeting Users with Phishing and Provisioning Profile Abuse

A set of 26 counterfeit cryptocurrency wallet apps slipped into Apple’s App Store for China, using typosquatting and fake branding to lure users. Once installed, the apps redirected victims to phishing sites and abused iOS provisioning profiles to exfiltrate seed phrases, enabling full wallet takeover. The campaign highlights a supply‑chain risk for any organization that permits mobile wallet usage.

🛡️ LiveThreat™ Intelligence · 📅 April 21, 2026 · 📰 bleepingcomputer.com

Severity: High
Type: ThreatIntel
Confidence: High
Affected: 2 sector(s)
Actions: 4 recommended
Source: bleepingcomputer.com

What Happened – A campaign of 26 malicious iOS apps masquerading as popular cryptocurrency wallets (e.g., MetaMask, Coinbase, Trust Wallet) appeared in Apple’s App Store for China. The apps relied on typosquatted names and fake branding, were disguised as games or calculators to bypass local bans, and, once installed, redirected victims to phishing pages and leveraged iOS provisioning profiles to sideload trojanized wallet binaries that harvested seed/recovery phrases.

Why It Matters for TPRM

  • Supply‑chain risk: Malicious apps can pass Apple’s vetting process, exposing downstream enterprises that allow employees to install “approved” mobile tools.
  • Credential theft: Harvested seed phrases enable complete wallet takeover, leading to irreversible financial loss.
  • Global spill‑over: Although the campaign focused on China, the malicious binaries have no geographic restrictions and could affect any user who installs them.

Who Is Affected – Financial services, fintech startups, cryptocurrency exchanges, and any organization that permits mobile wallet usage on employee devices; primarily users in China but potentially global.

Recommended Actions

  • Review and restrict the installation of third‑party mobile applications on corporate devices.
  • Enforce strict verification of app publishers (e.g., hash verification, official website links) before allowing downloads.
  • Update mobile device management (MDM) policies to block provisioning‑profile sideloading unless explicitly authorized.
  • Monitor for anomalous network traffic to known phishing domains associated with the FakeWallet campaign.
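As an added example (not code from this brief or from the BleepingComputer article), the following Python scanner applies the last two actions to proxy-log lines: it flags requests to a phishing-domain watchlist and flags provisioning-profile, enterprise-app manifest (`itms-services://`) and `.ipa` downloads from any host other than an assumed corporate MDM host. Every domain, IP address and log line below is a constructed placeholder; real indicators must come from the campaign's published IoCs.

```python
"""Flag proxy-log events consistent with the phishing -> provisioning-profile
sideload chain described in the brief. Example code added here; all domains,
addresses and log lines are constructed placeholders."""
import re
from urllib.parse import urlparse, parse_qs

# Placeholder watchlist (assumed); substitute the campaign's published phishing domains.
PHISHING_WATCHLIST = {"metamask-wallet-login.example", "trustwallet-verify.example"}

# Hosts permitted to serve configuration/provisioning profiles (assumed corporate MDM).
APPROVED_PROFILE_HOSTS = {"mdm.corp.example"}

# Artifacts of profile installation and app sideloading outside the App Store.
PROFILE_EXTENSIONS = (".mobileconfig", ".mobileprovision", ".ipa")

# Constructed log format: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample traffic from two clients; 10.20.5.17 shows the full chain.
SAMPLE_LOG = [
    "2026-04-21T09:14:02Z 10.20.5.17 GET https://metamask-wallet-login.example/restore 200",
    "2026-04-21T09:14:30Z 10.20.5.17 GET itms-services://?action=download-manifest&url=https://bad-apps.example/wallet.plist 200",
    "2026-04-21T09:15:01Z 10.20.5.42 GET https://mdm.corp.example/profiles/corp.mobileconfig 200",
    "2026-04-21T09:15:44Z 10.20.5.42 GET https://www.apple.com/ 200",
    "2026-04-21T09:16:10Z 10.20.5.17 GET https://cdn.bad-apps.example/TrustWallet.mobileprovision 200",
]


def classify_url(url):
    """Return (reason, host) when the URL matches an indicator, otherwise None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if host in PHISHING_WATCHLIST:
        return ("phishing-domain", host)

    # itms-services URLs carry the real download location in the 'url' query parameter.
    if parsed.scheme == "itms-services":
        manifest = parse_qs(parsed.query).get("url", [""])[0]
        manifest_host = (urlparse(manifest).hostname or "").lower()
        if manifest_host not in APPROVED_PROFILE_HOSTS:
            return ("enterprise-sideload-manifest", manifest_host or "<no-manifest-host>")
        return None

    if parsed.path.lower().endswith(PROFILE_EXTENSIONS) and host not in APPROVED_PROFILE_HOSTS:
        return ("profile-download", host)

    return None


def scan(lines):
    """Parse log lines and return a list of (client, reason, host) findings."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # malformed line; skip rather than crash the scan
        hit = classify_url(match.group("url"))
        if hit:
            findings.append((match.group("src"), hit[0], hit[1]))
    return findings


def summarize(findings):
    """Group distinct reasons per client so a multi-stage chain stands out."""
    by_client = {}
    for client, reason, _host in findings:
        by_client.setdefault(client, set()).add(reason)
    return {client: sorted(reasons) for client, reasons in by_client.items()}


if __name__ == "__main__":
    for client, reason, host in scan(SAMPLE_LOG):
        print(f"{client}: {reason} ({host})")
    print(summarize(scan(SAMPLE_LOG)))
```

A client that accumulates a phishing-domain hit, a sideload manifest and a profile download in a short window (10.20.5.17 in the sample) matches the whole chain the brief describes and is a stronger escalation candidate than any single hit; the approved-host allowlist keeps legitimate MDM profile pushes out of the alert stream.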

Technical Notes – Attack vector: typosquatted app listings → phishing redirects → provisioning‑profile abuse → credential exfiltration (RSA‑encrypted seed phrases). No CVEs disclosed; the abuse leverages legitimate iOS enterprise provisioning features. Data types stolen: cryptocurrency seed/recovery phrases, enabling full wallet compromise. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/chinas-apple-app-store-infiltrated-by-crypto-stealing-wallet-apps/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
