Beware of fake cryptocurrency apps on the App Store: how the scam works and how to protect your money

  • Campaign of 26 fake cryptocurrency apps on the App Store impersonating wallets like MetaMask, Ledger or Trust Wallet.
  • The scam uses a website that mimics the App Store and the installation of a "developer profile" to sneak malware onto the iPhone.
  • The Trojan seeks to steal seed phrases and private keys from hot wallets and cold wallets, resulting in a complete drain of funds.
  • Kaspersky advises against installing unfamiliar profiles, recommends checking the official developer, and warns against apps that ask for the seed phrase.

Fake cryptocurrency apps on the App Store

Blind faith that “if it’s on the App Store, it’s safe” has just suffered a serious setback, and it is advisable to strengthen the security of your iPhone. A digital fraud campaign has managed to infiltrate Apple's official store with applications that masquerade as cryptocurrency wallets and are capable of stealing the access keys to users' funds.

The investigation, carried out by Kaspersky's Threat Research team, has uncovered at least 26 fraudulent cryptocurrency apps on the App Store. These scams, active since late 2025 and linked to actors associated with SparkKitty, aim to deceive iPhone users in any country, including Europe and Spain, and, like other impostors in the App Store, seize their digital assets.

A silent campaign within the App Store

According to data collected by Kaspersky, each of the detected applications impersonated a well-known cryptocurrency wallet, copying icons, names and general appearance to go unnoticed during Apple's review and by users themselves.

The affected platforms include MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken and Bitpie, both in their hot wallet versions and in combination with hardware devices considered more secure, as in the case of Ledger.

The applications were initially aimed at a specific audience, but they had no geographical restrictions. In other words, anyone with an iPhone who came across one of these apps in the App Store—whether in Spain, another European country, or Latin America—could become a potential victim.

Kaspersky claims that all cases were reported to Apple, but the campaign had managed to operate for months in an environment that, in theory, should act as a first barrier against malware.

How these fake cryptocurrency apps deceive users

The trick wasn't just posting a crude copy of a crypto wallet. The developers behind the campaign designed a multi-phase attack process, intended both to bypass App Store controls and to lower the user's defenses.

At first, the apps seemed harmless. Many included "facade" functions such as simple games, calculators, or to-do lists, which gave an appearance of normality. Upon opening the app, nothing directly indicated that it was an attempted robbery.

The problem started when the application redirected the user to a fake Apple page that mimicked the official App Store. The design, text, and buttons sought to replicate Apple's aesthetic, making it seem like a natural extension of the iOS environment.

That fake page invited the user to download a “full”, “updated” or “special” version of the wallet, supposedly necessary to manage their cryptocurrencies normally. To someone not used to being suspicious, the process might have seemed like a legitimate update.

The key role of the “developer profile” in fraud

The most delicate element of the attack is that it is not based on exploiting a technical vulnerability of the iPhone, but on taking advantage of legitimate functions of the system itself, designed for businesses and developers.

The page that mimicked the App Store asked the user to install a “developer profile” or business profile on the device. This type of profile is commonly used in corporate environments to distribute internal applications outside of the official store.

In the right context, a company employee can indeed receive clear instructions to install one of these profiles. But in the hands of cybercriminals, the mechanism becomes a gateway for apps that don't go through the usual App Store filters.

Once the victim accepted the profile, the iPhone was authorized to install external applications without such visible warnings. It is precisely at this point that the real malicious application came into play: a supposed cryptocurrency wallet that, in reality, was a modified version with an integrated Trojan.
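One way a mobile security team can tell such an app apart from a genuine App Store install is to look at the provisioning profile bundled with it: apps distributed through the enterprise mechanism the article describes carry an `embedded.mobileprovision` whose plist has `ProvisionsAllDevices` set, while App Store builds do not. The triage script below is an added example, not Kaspersky's tooling or Apple's API; the profile bytes, team name and bundle identifier are constructed, and `TRUSTED_TEAM_IDS` is a placeholder the reader would fill in.

```python
import plistlib

# Constructed sample of the XML plist payload found inside an embedded.mobileprovision.
# Real files are CMS (PKCS#7) signed DER, but the XML plist is embedded verbatim, so a
# byte search for "<?xml" ... "</plist>" recovers it without verifying the signature.
SAMPLE_ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Wallet Update</string>
<key>TeamName</key><string>Example Corp Ltd</string>
<key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
<key>ProvisionsAllDevices</key><true/>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.walletupdate</string>
<key>get-task-allow</key><false/>
</dict></dict></plist>"""

# Placeholder: team identifiers of the wallet vendors you actually trust (not real values).
TRUSTED_TEAM_IDS = {"PLACEHOLDER_OFFICIAL_TEAM_ID"}


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a raw or CMS-wrapped mobileprovision blob."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Classify how the profile allows the app onto a device."""
    ents = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"  # in-house distribution: any device, outside the App Store
    if profile.get("ProvisionedDevices"):
        return "development" if ents.get("get-task-allow") else "adhoc"
    return "unknown"


def triage(blob: bytes) -> dict:
    """Summarise the signals a responder wants: install channel, signer, app id."""
    profile = extract_plist(blob)
    kind = classify_profile(profile)
    team_ids = set(profile.get("TeamIdentifier", []))
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "app_id": profile.get("Entitlements", {}).get("application-identifier", ""),
        "outside_app_store": kind in ("enterprise", "adhoc", "development"),
        "untrusted_signer": not (team_ids & TRUSTED_TEAM_IDS),
    }
```

A result with `outside_app_store` and `untrusted_signer` both true for an app that presents itself as a well-known wallet is exactly the pattern described above and deserves a closer look before any seed phrase is typed into it.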

A Trojan designed to empty crypto wallets

The app downloaded after accepting the developer profile impersonated the chosen legitimate wallet (for example, MetaMask or Ledger Wallet), but it incorporated malicious code tailored to each service. The primary objective: to steal the seed phrases and any information that would allow the attackers to take control of the wallet, just as happened with a previously detected fake guide that installed malware.

With hot wallets—internet-connected wallets, such as MetaMask, Trust Wallet, or Coinbase Wallet—the malware was programmed to intercept the wallet creation or recovery screen. When the user entered their recovery phrase, the application captured it and sent it to the attackers.

Once someone obtains that seed phrase, they have the ability to restore the wallet on any other device and move all the funds without the owner being able to do virtually anything to prevent it. In the crypto ecosystem, these transactions cannot be reversed like a traditional bank transfer.

With cold wallets, the approach was different. Services like Ledger combine a physical device—which stores private keys offline—with a mobile app that acts only as an interface. A legitimate Ledger application should never ask for the seed phrase once the device is configured.

The fake versions, on the other hand, relied on direct phishing techniques. They displayed messages encouraging the user to enter their recovery phrase to "verify," "sync," or "restore" the device. If the user fell for the trap, the supposed extra layer of security of the cold wallet was completely nullified.

A global problem that also affects users in Spain and Europe

Although Kaspersky's original report does not focus on a specific country, the company insists that there were no regional limitations in the distribution of these fake apps. This means that any European user who downloaded a crypto wallet from the App Store could have encountered one of these manipulated applications.

In Spain, the use of cryptocurrency self-custody applications has grown significantly in recent years, in parallel with the expansion of investment platforms and the interest in digital assets. Managing crypto funds from a mobile device, without traditional intermediaries, is becoming increasingly common.

This change in habits has a less pleasant side: mobile phones become a priority target for attackers. If a European user's main wallet is on an iPhone, simply compromising the app is enough to steal the entire balance associated with their credentials.

The case uncovered by Kaspersky reinforces the idea that it is no longer enough to simply rely on an app appearing in the official store. Cybercriminals are learning to operate within “legitimate” channels, using corporate or development mechanisms to circumvent blockages.

For European regulators and bodies that closely monitor the evolution of the crypto market, campaigns of this type bring to the table new challenges in consumer protection, supervision of financial applications and coordination with major technology platforms.

The psychological factor: trust in Apple and in the App Store itself

Beyond the technical aspect, the incident demonstrates how attackers exploit the trust that many users place in iOS and Apple. For years it has been said that downloading only from the App Store was the best way to avoid problems, and in general it has been reasonable advice.

That's precisely why finding fake cryptocurrency apps on the App Store is especially worrying. For many people, simply seeing the download button in the official store acts as a seal of approval.

The scheme detected by Kaspersky goes a step further: it doesn't just slip in a malicious app, but combines a seemingly normal facade with a process of gradual deception. First, an application that doesn't raise suspicion is presented, then a screen that resembles the App Store is shown, and finally, a developer profile is requested.

That trickle of small decisions—accepting an extra download, installing a profile, entering the recovery phrase—means the user never perceives a clear point of “this is dangerous”. As María Isabel Manjarrez, a researcher with Kaspersky's Global Research and Analysis Team, points out, these apps "function as a gateway" that leads the user, step by step, to fraud.

The result is that, even on a device considered secure like the iPhone, security ultimately depends on the user's judgment when accepting or rejecting unusual permissions and requests.

Security recommendations for iPhone users with cryptocurrencies

After discovering the campaign, Kaspersky has published a series of guidelines to help users protect their cryptocurrency wallets on iOS. Several of these measures are also applicable to other operating systems and platforms.

The first recommendation is to be wary of any app that suddenly takes you to an external website to download another app or a supposed update. If a crypto wallet installed from the App Store redirects to a page that looks like the Apple store but isn't, the safest thing to do is close everything and check the source.

Secondly, it is emphasized that you should not install unknown developer profiles or configuration certificates. On iPhones, this is only appropriate when the profiles come from a verified corporate environment with clear instructions. For individual users, these types of profiles are typically never needed to use wallets or financial apps.

It is also key to review carefully who is listed as the app developer before downloading: the name must match the official wallet provider (for example, the company behind MetaMask or Ledger), and not a suspiciously similar variant. Reviews and ratings can provide clues, but they are not always definitive.

Another key point is to protect the seed phrase. No legitimate wallet should ask for this information unexpectedly, outside of the initial setup or recovery process. If an app, supposedly official, requests the seed phrase without a clear reason, it's best to stop immediately and check directly on the service's official website to see if this request is normal.

Finally, Kaspersky suggests considering the use of a specialized security solution, capable of detecting phishing pages, blocking fraud attempts, and offering additional layers of protection for financial information. Among the options the company mentions is Kaspersky Premium, although other products exist on the market, including security apps to protect your Mac, that can provide similar defenses.

In an ecosystem where transactions are irreversible and the responsibility lies with the user, combining good security practices with additional protection tools can make the difference between keeping a wallet safe and losing it completely.

This whole incident with the fake cryptocurrency apps on the App Store makes clear that attackers are no longer limited to suspicious links or shady websites: they are now also infiltrating official channels and exploiting legitimate system functions. For those who manage cryptocurrencies from their mobile devices, especially in countries where the use of these wallets is on the rise, such as Spain and the rest of Europe, being careful with every permission and every download has become almost as important as choosing the right investment.
