Fake crypto apps discovered in Apple’s Chinese App Store, report says

Security researchers have identified a group of fraudulent cryptocurrency applications in Apple’s Chinese App Store that were designed to impersonate legitimate wallet services and steal user data.

According to findings from cybersecurity firm Kaspersky, at least 26 phishing apps were discovered posing as widely used crypto wallet platforms. The applications were presented as official tools, using names, branding, and interface designs that closely resembled trusted services.

Researchers stated that the campaign exploited a gap in the Chinese app ecosystem, where many official cryptocurrency apps are unavailable due to regional restrictions. This created conditions in which users searching for wallet services were more likely to encounter and download fraudulent alternatives.

The identified apps were distributed through Apple’s local App Store, indicating that they had passed initial review processes. Analysts noted that such apps can avoid detection by limiting malicious activity during review or by using external servers to activate harmful functions after installation.

The primary purpose of the apps was to collect sensitive information, including wallet credentials and private keys. Once obtained, this data could be used to access and transfer funds from victims’ cryptocurrency accounts.

Security researchers have previously documented similar campaigns across mobile platforms. Fake trading and wallet apps have been used in broader fraud operations, often relying on legitimate app marketplaces to build user trust.

The use of impersonation techniques remains a central method in these campaigns. Fraudulent apps typically replicate branding elements such as logos, app descriptions, and user interfaces to appear authentic. In some cases, attackers also use fabricated reviews and ratings to increase visibility and credibility.

Apple has previously removed large numbers of apps from its Chinese App Store following regulatory and security concerns. The platform operates under local requirements that differ from other regions, including restrictions on certain categories of software.

The report did not specify how many users may have downloaded the identified applications or whether any financial losses were confirmed. It also did not detail how long the apps remained available before being detected.

Researchers stated that the campaign reflects ongoing activity targeting cryptocurrency users, with attackers adapting to regional platform conditions and distribution channels. Investigations into the scope of the activity and the operators behind the apps are ongoing.