FakeWallet Apple App Store wallet-stealing apps
Malware Activity
Summary
The FakeWallet app set turned the Apple App Store into a delivery channel for 26 malicious wallet lookalikes, putting crypto holders at risk of account takeover and theft. The apps impersonated brands such as Metamask, Coinbase, Trust Wallet, and OneKey, then pushed victims toward phishing pages and trojanized wallet installs. Users in China were the main target, but the design could scale beyond that market if the operators expand distribution.
Related Happenings
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
Campaign
First: 11.05.2026 18:15
Last: 11.05.2026 18:15
Sources 1
About this happening:
The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
Sqgame[.]net gaming platform hit by network compromise
Incident
First: 05.05.2026 18:00
Last: 05.05.2026 18:00
Sources 1
About this happening:
The **sqgame[.]net** gaming platform was **compromised**, and its **Windows** and **Android** software were **trojanized** to deliver malicious code to users, putting a regional e...
AccountDumpling Google AppSheet Facebook phishing campaign
Campaign
First: 01.05.2026 21:09
Last: 01.05.2026 21:09
Sources 1
About this happening:
A **Vietnamese-linked** operation dubbed **AccountDumpling** is using **Google AppSheet** as a phishing relay to steal **Facebook** credentials, enabling account takeover at scale...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
How related:
"MiningDropper demonstrates a layered, modular Android malware architecture designed to make static analysis difficult while giving threat actors flexibility in final payload delivery. This design allows the threat actor to reuse the same distribution and installation framework across hundreds of samples while adapting the final monetization objective to operational needs."
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
Timeline
21.04.2026 00:52 2 articles · 1mo ago
FakeWallet App Store wallet-stealer disclosure
Initial Disclosure
Kaspersky identified FakeWallet, a campaign of 26 malicious Apple App Store apps that impersonated Metamask, Coinbase, Trust Wallet, and OneKey to steal recovery or seed phrases and drain cryptocurrency assets from users in China; the apps used fake branding, typosquatting, phishing pages, and iOS provisioning profiles, and Apple removed all 26 apps after responsible disclosure.
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48