FakeWallet crypto stealer spreading through iOS apps in the App Store
ID: 73ce0413-f4ff-557a-9ab9-1a4f01c82d2b
STIX ID: report--73ce0413-f4ff-557a-9ab9-1a4f01c82d2b
Feed Name: Securelist by Kaspersky
In March 2026, researchers uncovered a coordinated FakeWallet campaign that published phishing apps in the Apple App Store, primarily targeting Chinese users. The apps redirect victims to malicious provisioning profiles or webviews to install trojanized crypto wallets; those implants scrape BIP-39 recovery phrases/private keys, encrypt them, and exfiltrate them to hardcoded C2 servers. The report provides implementation details (library injection, custom __hook sections, React Native tampering), example C2 URLs and hashes, additional Android instances, and ties to SparkKitty modules, and warns of significant financial theft risk for affected users.
