Fake Crypto Apps – How Malicious Wallets on the App Store and Beyond Are Draining Accounts in 2026

You downloaded the app from the official App Store. It looked exactly right – correct logo, correct name, correct screenshots. You entered your seed phrase to restore your wallet.

Your crypto was gone within minutes.

This is not a hypothetical. Between April 7 and April 13, 2026, a fake Ledger Live app that had passed Apple’s review process and appeared in the official App Store drained $9.5 million from 50 victims. The app was eventually removed – but not before emptying accounts across Bitcoin, Ethereum, Solana, Tron, and Ripple.

If it can happen on the App Store, it can happen anywhere. Here is exactly how these attacks work and what you need to check before installing any crypto app.

The Official Store Problem

Both Apple and Google actively review apps before listing them. Apple’s review process is widely considered the more rigorous of the two. Neither is foolproof.

In March 2026, Kaspersky researchers uncovered more than 20 phishing apps in the Apple App Store masquerading as popular crypto wallets. The campaign had been active since at least fall 2025 – flying under the radar for months before discovery.

The 26 apps, collectively dubbed FakeWallet, mimicked MetaMask, Coinbase, Ledger, Trust Wallet, TokenPocket, imToken and Bitpie. Many have since been taken down by Apple following disclosure.

The mechanism that let them pass review is worth understanding. The apps did not look suspicious on day one: they shipped as games, calculators and similar throwaway utilities, which is all Apple’s reviewers saw. Once installed, the app tricks the user into installing a profile on the device, and that is the step that enables the malicious activity.

In other words, the malicious functionality was kept out of the build that was reviewed and activated afterwards, a technique sophisticated enough to get past one of the most scrutinized app review processes in the world.

Known fake app names included “LeddgerNew”, “TrustWalet”, “Coinbsae”, “imTokenPlus”, “BitpiePro” and “TokenPocketX” – subtle typos designed to slip past casual inspection while appearing in search results for the real app names.

How the Attack Works

Fake crypto wallet apps use one of two primary attack methods:

Method 1 – Seed phrase harvesting

The app presents a wallet setup or restore screen that looks identical to the legitimate app. When you enter your 12- or 24-word seed phrase to “restore” your wallet, those words are transmitted to the attacker’s server the moment you submit them. The attacker then derives your keys from the phrase, can spend from your real wallet on any device and any chain, and transfers everything out.

This is the most common and most devastating method. Your seed phrase is the master key to everything in your wallet. Any app that asks for it is either the legitimate wallet you are deliberately importing into, or a thief.

Method 2 – Malicious developer profile installation

Once someone installs one of these apps, it tricks them into installing a profile on their iPhone. That profile is the entry point for everything that follows.

iOS profiles exist for legitimate reasons: developers and testers use provisioning profiles to run builds that have not been through the App Store, and organisations use configuration profiles to manage devices. That is exactly what makes them dangerous in the wrong hands. A profile installed at an attacker’s prompting can add a root certificate that lets the attacker intercept your encrypted traffic, change VPN or proxy settings, and allow apps that never passed App Store review to run. From there the attacker can monitor your activity, read clipboard content (where copied wallet addresses and seed phrases often end up) and install additional components.

Never install a profile because an app asked you to, unless you are a developer who knows exactly why it is needed. Check Settings → General → VPN & Device Management for profiles you do not recognise and remove them.

The Bigger Threat – Sideloaded Apps

Official app stores at least attempt to vet what they list. Malicious apps that appear there represent failures of a security process that does catch the majority of threats.

Sideloaded apps – apps installed from sources outside the official Google Play Store, Apple App Store, or Samsung Galaxy Store – have no vetting whatsoever. Anyone can create an APK file (Android’s app format) and distribute it via a website, Telegram channel, Discord server, or direct download link. There is no review, no identity verification, no security check.

This is where the majority of fake crypto app attacks actually happen.

The typical delivery methods for sideloaded malicious apps:

Telegram and Discord links – a message in a crypto community channel announces a “beta version” of a wallet, an “exclusive trading tool,” or a “DeFi dashboard” not yet available on official stores. The link downloads an APK directly.

Fake project websites – a site built to look like the official MetaMask or Ledger website offers a direct download rather than redirecting to the App Store. The URL is slightly different from the real one, metamask-app.io instead of metamask.io for example, or the real domain name appears as a subdomain of a domain the attacker controls.

Search engine results and ads – attackers purchase Google ads for terms like “download MetaMask Android” or “Ledger Live APK.” The ad leads to a convincing fake site with a malicious download.

“Cracked” or “modified” wallet apps – forums and Telegram channels sometimes offer modified versions of legitimate wallets claiming extra features, no fees, or higher earning rates. These are always malicious.

Android allows sideloading after a single settings toggle (since Android 8 it is granted per app that wants to install packages, such as a browser or messaging app). iOS makes it significantly harder – but not impossible, particularly in regions where official apps are unavailable. The fake wallet campaign specifically targeted Chinese users because official versions of popular wallet apps are not available in the Chinese iOS App Store – that gap creates demand that fake apps fill.

If you are in a region where a legitimate crypto app is unavailable through official channels, the risk of encountering a fake version is significantly higher. In this situation, download only from the official project’s own website and verify the download link independently.

How to Verify You Have the Real App

Check the developer name, not just the app name

In both the App Store and Google Play, every app is published by a developer account. The legitimate MetaMask is published by ConsenSys. The legitimate Ledger Live is published by Ledger SAS. The legitimate Coinbase Wallet is published by Coinbase, Inc.

Fake apps often have developer names that are slightly wrong – “Consensys LLC,” “Ledger Technologies,” “Coinbase Group.” Developer names differ between stores and change over time, so check the name against the listing the official project’s website links to rather than against memory.

Check the number of downloads and review history

Legitimate wallets used by millions of people have millions of downloads and years of review history. A MetaMask app with 500 downloads and reviews from the last two weeks is not MetaMask. Check the first review date – if the app appeared recently, be extremely cautious regardless of how it looks.

Go to the official website first

Never search for a crypto app in an app store and download the first result. Go to the official project website – metamask.io, ledger.com, coinbase.com – and follow their official download link from there. The link on the official site takes you directly to the verified listing.
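Automating the three checks above (app title, developer name, download domain) as an added example; this is not code from the article or from any wallet project. The allow-lists of app titles, developer names, brand tokens and official domains are constructed placeholders, and the real values must come from each project’s website. The example goes slightly beyond the article’s cases: it also catches digit-for-letter substitutions, accented homoglyph domains (punycode), and the real domain buried as a subdomain of an attacker’s host.

```python
"""Flag app titles, developer names and download domains that imitate known
crypto wallets.  Added example for this article, not code from its author or
from any wallet vendor.  Every allow-list below is a constructed placeholder:
take the real titles, developer names and domains from each project's own
website, not from memory."""
from __future__ import annotations

import unicodedata
from urllib.parse import urlparse

# Constructed allow-lists (hypothetical values for illustration).
KNOWN_APP_NAMES = {"MetaMask", "Ledger Live", "Coinbase Wallet", "Trust Wallet",
                   "TokenPocket", "imToken", "Bitpie"}
KNOWN_DEVELOPERS = {"ConsenSys", "Ledger SAS", "Coinbase, Inc."}
OFFICIAL_DOMAINS = {"metamask.io", "ledger.com", "coinbase.com"}
# Distinctive tokens an impersonator must reuse to show up in searches for the real thing.
BRAND_TOKENS = {"metamask", "ledger", "coinbase", "trustwallet", "tokenpocket",
                "imtoken", "bitpie", "consensys"}
# Digits and symbols commonly swapped in for letters to dodge exact-match filters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalize(text: str) -> str:
    """Fold case, accents, compatibility forms and leet spellings; drop separators."""
    folded = unicodedata.normalize("NFKD", text)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return "".join(ch for ch in folded.lower().translate(LEET) if ch.isalnum())


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting an adjacent transposition as one edit, so that
    'coinbsae' is one edit from 'coinbase' instead of two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def fuzzy_contains(haystack: str, needle: str, max_dist: int = 1) -> bool:
    """True if some substring of haystack is within max_dist edits of needle."""
    for length in range(max(1, len(needle) - max_dist), len(needle) + max_dist + 1):
        for start in range(len(haystack) - length + 1):
            if osa_distance(haystack[start:start + length], needle) <= max_dist:
                return True
    return False


def brand_hit(normalized: str) -> str | None:
    """Longest brand token that appears (fuzzily) inside the normalized string."""
    for brand in sorted(BRAND_TOKENS, key=len, reverse=True):
        if fuzzy_contains(normalized, brand):
            return brand
    return None


def classify_name(candidate: str, known=KNOWN_APP_NAMES) -> tuple[str, str | None]:
    """('exact', name) if it is an allow-listed title or developer, ('lookalike',
    brand) if it merely borrows a brand, ('unrelated', None) otherwise."""
    norm = normalize(candidate)
    for name in known:
        if norm == normalize(name):
            return ("exact", name)
    hit = brand_hit(norm)
    return ("lookalike", hit) if hit else ("unrelated", None)


def classify_download_url(url: str) -> tuple[str, str | None]:
    """('official', domain) for an official domain or a subdomain of one;
    ('lookalike', brand) if any label imitates a brand, which also catches
    ledger.com.evil.example and punycode homoglyph hosts; else ('unrelated', None)."""
    host = (urlparse(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # expand xn-- labels to Unicode
    except (UnicodeError, ValueError):
        pass
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return ("official", domain)
    for label in host.split("."):
        hit = brand_hit(normalize(label))
        if hit:
            return ("lookalike", hit)
    return ("unrelated", None)


if __name__ == "__main__":
    for name in ["MetaMask", "LeddgerNew", "TrustWalet", "Coinbsae", "Calculator Pro"]:
        print(f"{name!r:18} -> {classify_name(name)}")
    for dev in ["Ledger SAS", "Ledger Technologies", "Consensys LLC"]:
        print(f"{dev!r:18} -> {classify_name(dev, KNOWN_DEVELOPERS)}")
    for url in ["https://metamask.io/download/", "https://metamask-app.io/MetaMask.apk",
                "https://ledger.com.evil.example/live"]:
        print(f"{url:42} -> {classify_download_url(url)}")
```

The script flags, it does not clear: an “unrelated” verdict only means none of the listed brand tokens appear, and a genuine store title that carries a subtitle will show as a lookalike until that exact title is added to the allow-list, so populate the lists from the listings the official sites link to.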

Never enter your seed phrase in a newly downloaded app without verification

If you are restoring an existing wallet, you will need to enter your seed phrase. Before doing so, verify the app is legitimate using every check above. A seed phrase entered into a fake app is immediately compromised – there is no recovering from it.

On Android – check the certificate fingerprint

MetaMask’s official Android app signs every release with the same certificate, whose SHA-256 fingerprint is publicly documented in its SECURITY.md on GitHub. A fake app may display “MetaMask” in its title and icon but carry a different fingerprint. Stock Android settings do not show an app’s signing certificate, so the check needs a computer with the Android SDK build-tools: find and pull the installed APK with adb (adb shell pm path <package>, then adb pull), and run apksigner verify --print-certs on it, which prints each signer’s certificate SHA-256 digest.

The check takes a couple of minutes and a negative result is definitive: if the fingerprint does not match the official documentation, the app was not built by MetaMask. A match proves only that the APK was signed with MetaMask’s key; it says nothing about where you later paste your seed phrase.
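The fingerprint comparison as an added example, not code from the article, MetaMask or Google. It assumes the real adb and apksigner commands shown in the docstring; the package name io.metamask, the sample paths, the apksigner transcript and the expected fingerprint are constructed placeholders, and the “certificate” that gets hashed is just bytes, not a real certificate. Beyond what the article describes, it accepts both fingerprint spellings (colon-separated uppercase as usually published, plain lowercase hex as apksigner prints it) and rejects an APK whose signer set contains anything unexpected, including an extra signer.

```python
"""Compare an installed Android app's signing certificate with a published
SHA-256 fingerprint.  Added example for this article, not code from its author,
MetaMask or Google.  Stock Android settings do not expose the signing
certificate, so the assumed workflow uses the Android SDK build-tools from a
computer (real commands; package name and paths are placeholders):

    adb shell pm path io.metamask            # -> package:/data/app/.../base.apk
    adb pull /data/app/.../base.apk base.apk
    apksigner verify --verbose --print-certs base.apk > apksigner.txt
"""
import hashlib
import re

# apksigner prints one such line per signer; documentation and the Play Console
# usually show the same digest as colon-separated uppercase pairs.
SIGNER_RE = re.compile(r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9A-Fa-f:]+)\s*$", re.M)
PM_PATH_RE = re.compile(r"^package:(\S+)$", re.M)


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...'; return 64 lowercase hex chars or raise."""
    hexstr = fp.replace(":", "").replace(" ", "").strip().lower()
    if len(hexstr) != 64 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"not a SHA-256 certificate fingerprint: {fp!r}")
    return hexstr


def cert_sha256_fingerprint(der: bytes) -> str:
    """What apksigner prints: SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def apk_paths_from_pm(output: str) -> list:
    """Paths from `adb shell pm path <pkg>`; split APKs give several lines, base.apk first."""
    return PM_PATH_RE.findall(output)


def signer_digests(apksigner_output: str) -> list:
    """Normalized SHA-256 digest of every signer apksigner reported."""
    return [normalize_fingerprint(digest) for _, digest in SIGNER_RE.findall(apksigner_output)]


def verify_signers(apksigner_output: str, expected) -> bool:
    """True only if the APK verifies, has at least one signer, and every signer's
    certificate is in the expected set.  An extra or different signer is a
    different app, whatever its icon says."""
    if "DOES NOT VERIFY" in apksigner_output:
        return False
    found = signer_digests(apksigner_output)
    want = {normalize_fingerprint(e) for e in expected}
    return bool(found) and all(d in want for d in found)


# Constructed sample data: these bytes are not a real certificate, just hash input,
# and the apksigner transcript below is written to match the tool's output format.
SAMPLE_CERT_DER = b"constructed-certificate-bytes-for-illustration-only"
SAMPLE_DIGEST = cert_sha256_fingerprint(SAMPLE_CERT_DER)
SAMPLE_PM_OUTPUT = "package:/data/app/~~abc==/io.metamask-xyz==/base.apk\n"
SAMPLE_APKSIGNER_OUTPUT = (
    "Verifies\n"
    "Verified using v1 scheme (JAR signing): false\n"
    "Verified using v2 scheme (APK Signature Scheme v2): true\n"
    "Verified using v3 scheme (APK Signature Scheme v3): true\n"
    "Number of signers: 1\n"
    "Signer #1 certificate DN: CN=Example Wallet, O=Example\n"
    f"Signer #1 certificate SHA-256 digest: {SAMPLE_DIGEST}\n"
    f"Signer #1 certificate SHA-1 digest: {'00' * 20}\n"
)
# Placeholder for the value copied from the project's own documentation.
EXPECTED_FINGERPRINTS = {":".join(SAMPLE_DIGEST[i:i + 2] for i in range(0, 64, 2)).upper()}

if __name__ == "__main__":
    print("APK to pull:", apk_paths_from_pm(SAMPLE_PM_OUTPUT)[0])
    print("signers:", signer_digests(SAMPLE_APKSIGNER_OUTPUT))
    print("matches documentation:", verify_signers(SAMPLE_APKSIGNER_OUTPUT, EXPECTED_FINGERPRINTS))
    tampered = SAMPLE_APKSIGNER_OUTPUT.replace(SAMPLE_DIGEST, "ff" * 32)
    print("tampered build matches:", verify_signers(tampered, EXPECTED_FINGERPRINTS))
```

Use apksigner rather than keytool -printcert -jarfile for this: keytool only reads the v1 JAR signature, and a modern APK signed with v2 or v3 alone has none, so keytool prints nothing while apksigner still reports the signer.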

The Sideloading Red Flags

Never install a crypto app from these sources regardless of how legitimate they appear:

  • Direct APK download links in Telegram or Discord
  • Any website that is not the official project domain
  • Links sent via DM from anyone – even accounts you follow
  • “Beta versions” or “exclusive tools” not available on official stores
  • Modified or “cracked” versions claiming extra features
  • Any source that requires you to enable “install from unknown sources” in Android settings

Enabling “install from unknown sources” removes the review and publisher-identity checks the store performs. Play Protect may still scan the APK and the app sandbox still applies, but neither helps once you type a seed phrase into a wallet app that was built to steal it. It should never be enabled for crypto apps.

If You Have Already Installed a Suspicious App

If you have not entered your seed phrase: Delete the app immediately. Run a security scan if available. Monitor your wallet for any unexpected activity.

If you entered your seed phrase: Act immediately – every second matters.

  1. On a completely separate, clean device, create a brand new wallet
  2. Transfer all assets from the compromised wallet to the new wallet as fast as possible – the attacker may not have acted yet. Each chain’s transfer needs a fee paid in that chain’s native coin, so move the most valuable assets first and keep enough for fees
  3. Never use the compromised wallet again
  4. Treat every account derived from the same seed phrase, on every chain, as compromised – move everything

There is no way to “change” a seed phrase. A compromised seed phrase means a permanently compromised wallet. The only solution is a completely fresh wallet with a new seed phrase generated on a clean device.

The Hardware Wallet Difference

Hardware wallets – Ledger and Trezor – keep your private keys offline on a physical device. Even if you install a malicious app on your phone, it cannot access the keys stored on a hardware wallet without physical interaction with the device.

This does not make hardware wallets immune to fake app attacks: a malicious companion app can still present a misleading transaction for you to confirm, which is why you read the amount and destination on the device screen before approving, the one part of the flow a phone app cannot alter. But it removes the seed phrase harvesting attack as long as the phrase stays where it was generated, on the device. The fake Ledger Live app described above worked because victims typed their hardware wallet’s recovery phrase into a phone app; the genuine Ledger Live never asks for it on screen.

If you hold significant crypto, a hardware wallet is the most impactful security step you can take.

Signal or Noise? 🔴 Noise – and an actively dangerous one. Fake crypto apps are not a theoretical threat. $9.5 million was drained through a single fake Ledger app in one week in April 2026 – from the official App Store. The threat is real, current, and specifically designed to target people who think they are doing the right thing by using official channels. The defense is verification, not trust.
