Malicious Apps Targeting Crypto Wallets Found in China's App Store

AI-generated from multiple sources. Verify before acting on this reporting.

BEIJING (AP) — A coordinated campaign involving 26 malicious applications impersonating popular cryptocurrency wallets has infiltrated China's Apple App Store, posing a significant threat to digital asset holders. The operation, linked to the SparkKitty threat actor group, aims to steal recovery phrases and drain cryptocurrency assets from unsuspecting users.

The malicious apps were discovered on April 20, 2026, after security researchers identified their presence within the store. Unlike legitimate wallet applications, these programs were disguised as games or calculator tools to bypass standard app store restrictions and evade detection. Once installed, the applications prompt users to enter their recovery or seed phrases under the guise of account verification or backup procedures. This information is then transmitted to remote servers controlled by the attackers, granting them full access to the victims' cryptocurrency holdings.

The SparkKitty group is known for its involvement in the FakeWallet campaign previously identified by cybersecurity firm Kaspersky. This latest operation represents an escalation in tactics, targeting the Chinese market specifically through Apple's distribution platform. The apps mimic the branding and functionality of well-known wallet providers, making them difficult for average users to distinguish from legitimate software.

Apple has not yet issued a public statement regarding the removal of the applications. The discovery highlights the growing sophistication of cybercriminal groups targeting the cryptocurrency sector, particularly in regions with high adoption rates. Security experts warn that users should exercise extreme caution when downloading any application requesting sensitive financial information, even if it appears to be available through official channels.

The incident raises questions about the effectiveness of current app store vetting processes in preventing sophisticated malware from reaching end users. While Apple maintains strict guidelines for application developers, the use of disguises such as games and utility apps has proven effective in circumventing these measures. The 26 identified applications represent only the confirmed cases, and security researchers continue to monitor for additional variants that may have already been distributed.

Victims of the attack are advised to immediately revoke access to any compromised accounts and transfer remaining assets to secure wallets. The cryptocurrency community remains vigilant as investigators work to trace the financial trails of the stolen funds. The broader implications for digital security in the region remain unclear as authorities assess the full scope of the operation.