PULSE NAME
FakeWallet crypto stealer spreading in the App Store
WHITE AlienVault 2026-04-20 Modified: 2026-04-20
In March 2026, over twenty phishing applications were discovered in the Apple App Store masquerading as popular cryptocurrency wallets. These malicious apps redirect users to browser pages distributing trojanized versions of legitimate wallets engineered to steal recovery phrases and private keys. The campaign has been active since at least fall 2025, targeting major wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. The infected apps use iOS provisioning profiles for installation and employ library injection techniques to hijack legitimate code. The threat primarily targets users in China, where official crypto wallet apps are regionally restricted. Some infected apps also contained SparkKitty modules, suggesting possible links between threat actors. The malware encrypts stolen credentials with RSA and exfiltrates them to command-and-control servers.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
FakeWallet, SparkKitty
Indicators of Compromise (21 / 75 total)