FakeWallet
FakeWallet is a family of cryptocurrency-stealing mobile malware with documented Android and iOS variants. The name covers trojanized or counterfeit wallet applications that impersonate services including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, Bitpie, OneKey, and Jaxx Liberty. ESET detects Android variants as Android/FakeWallet, Microsoft Defender Antivirus detects related activity as Trojan:AndroidOS/FakeWallet.A!MTB, and Kaspersky detects iOS variants as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*.
Its primary objective is theft of wallet secrets, chiefly recovery seed phrases (mnemonics) and private keys; whoever holds these controls the wallet, so a single captured phrase is enough to drain it. Reported infection and distribution vectors include more than 40 fake websites impersonating legitimate wallet providers, malicious apps distributed directly as APKs, iOS installation via configuration/provisioning profiles, phishing apps placed in Apple’s App Store, fake promotional banners, typosquatting, lookalike icons, and abuse of legitimate Chinese websites, Telegram groups, and Facebook groups to recruit distributors and drive victims to counterfeit wallet sites. In one campaign, operators offered affiliates a 50 percent share of stolen wallet contents.
On Android, observed samples included repackaged legitimate wallet apps with malicious code inserted at the points where seed phrases are generated or imported, patched classes.dex files with hardcoded attacker servers, and fake wallet apps that simply prompted for a recovery phrase and exfiltrated it. Some trojanized Android wallets preserved normal wallet functionality while covertly stealing seed phrases, so the victim sees a working wallet and has no reason to suspect the app. On iOS, observed techniques included malicious dylib injection, load commands injected into the main executable to force the malicious library to load, method hooking, custom executable hook sections, and direct modification of React Native source code. Specific examples include a malicious library named libokexHook.dylib in a modified Coinbase app that hijacked RecoveryPhraseViewController.viewDidLoad to capture mnemonic words, Trust Wallet-targeting implants that intercepted wallet restoration and creation flows, and Ledger-focused variants that displayed fake verification pages and phishing prompts to trick users into entering seed phrases.
Exfiltration behavior included sending stolen seed phrases to attacker-controlled servers, in some cases over unencrypted HTTP, which exposes the phrase to anyone on the network path and also makes it visible in plaintext to network monitoring. In the iOS-focused campaign, captured mnemonics were concatenated, encrypted with RSA using PKCS #1 padding, Base64-encoded, and transmitted to C2 infrastructure along with device metadata. Some variants hardcoded C2 addresses, while others loaded them from configuration files. Reported infrastructure included kkkhhhnnn[.]com, helllo2025[.]com, sxsfcc[.]com, iosfc[.]com, nmu8n[.]com, zmx6f[.]com, and api.dc1637[.]xyz; these domains are the most direct pivot for DNS and proxy log hunting. Additional artifacts mentioned in reporting include verify-wallet-status.json, verify-wallet-config.json, verify-wallet-pending.json, and phishing pages such as verify.html.
Targeting was primarily focused on cryptocurrency users in China, exploiting the fact that many official wallet apps are not available in the Chinese App Store, though researchers noted no built-in regional restrictions in some malicious modules. ESET assessed one large-scale operation as likely run by a single attacker or criminal group. Researchers also assessed that the 2025-2026 iOS FakeWallet activity may be linked to the SparkKitty Trojan based on shared modules, Chinese-language artifacts, similar fake App Store-style distribution methods, and a common focus on cryptocurrency theft. Apple and Google removed multiple malicious apps after notification.
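The iOS variants above are described as embedding their library by injecting a load command into the app's main executable. A triage script that enumerates the dylib load commands of a Mach-O and flags the ones that look appended is a practical first check on a suspect wallet binary. The following is an added example written for this page, not code from any vendor report or from the malware. It handles only thin little-endian 64-bit Mach-O images (fat binaries must be sliced first), the two heuristics are assumptions rather than documented detection logic, and the sample image it builds inline is constructed for the demonstration, with the libokexHook.dylib name taken from the reporting above.

```python
"""Enumerate LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB commands in a 64-bit Mach-O
and flag ones that look injected. Added example for illustration; not code
from the page's sources. Stdlib only."""
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_CODE_SIGNATURE = 0x1D
DYLIB_CMDS = {LC_LOAD_DYLIB: "LC_LOAD_DYLIB", LC_LOAD_WEAK_DYLIB: "LC_LOAD_WEAK_DYLIB"}
HEADER_SIZE = 32                  # mach_header_64

def iter_load_commands(data):
    """Yield (cmd, raw_bytes) for each load command, bounds-checked."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit not handled here)")
    off, end = HEADER_SIZE, HEADER_SIZE + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def dylib_name(cmd_bytes):
    """dylib_command: cmd, cmdsize, then dylib{name_off, ts, cur_ver, compat_ver}."""
    name_off = struct.unpack_from("<I", cmd_bytes, 8)[0]
    return cmd_bytes[name_off:].split(b"\0", 1)[0].decode("utf-8", "replace")

def find_suspicious_dylibs(data):
    """Return [(name, [reasons])] for dylib loads matching either heuristic:
    (1) the command sits after LC_CODE_SIGNATURE (a linker never emits that;
        dylib insertion tools append commands at the end of the list);
    (2) a bare .dylib loaded relative to the app rather than a framework or
        a system path. Both are assumed heuristics, not vendor signatures."""
    findings, seen_codesig = [], False
    for cmd, body in iter_load_commands(data):
        if cmd == LC_CODE_SIGNATURE:
            seen_codesig = True
            continue
        if cmd not in DYLIB_CMDS:
            continue
        name = dylib_name(body)
        reasons = []
        if seen_codesig:
            reasons.append("load command placed after LC_CODE_SIGNATURE")
        if name.startswith(("@executable_path/", "@loader_path/", "@rpath/")) and ".framework/" not in name:
            reasons.append("app-relative .dylib outside a framework bundle")
        if reasons:
            findings.append((name, reasons))
    return findings

# --- constructed sample image (not a real binary) -------------------------
def _dylib_cmd(name, cmd=LC_LOAD_DYLIB):
    payload = name.encode() + b"\0"
    size = 24 + len(payload)
    size += (-size) % 8                      # load commands are 8-byte aligned
    return struct.pack("<IIIIII", cmd, size, 24, 2, 0x10000, 0x10000) + payload.ljust(size - 24, b"\0")

def _code_sig_cmd():
    # linkedit_data_command: cmd, cmdsize, dataoff, datasize (values arbitrary here)
    return struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x200)

def build_sample():
    """Minimal arm64 MH_EXECUTE header with one legitimate dylib, a code
    signature command, then an appended dylib load, mimicking injection."""
    cmds = (_dylib_cmd("/usr/lib/libSystem.B.dylib")
            + _code_sig_cmd()
            + _dylib_cmd("@executable_path/libokexHook.dylib"))
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    for name, why in find_suspicious_dylibs(build_sample()):
        print(name, "->", "; ".join(why))
```

On a real sample, read the executable from the .app bundle (after slicing out the arm64 architecture if it is a fat file) and pass its bytes to find_suspicious_dylibs; treat a hit as a reason to pull the named library and look at what it hooks, not as proof of compromise by itself.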
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Initial Access
2 techniques
Execution
3 techniques
...trick targets into downloading malicious wallet apps through iOS provisioning profiles, a technique evident in the SparkKitty campaign
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
6 techniques
This string is encrypted using RSA with the PKCS #1 scheme. The encrypted data is then encoded into Base64.
More than two dozen Apple App Store apps spoofing well-known cryptocurrency wallets Coinbase, Metamask, OneKey, and Trust Wallet, have been leveraged to pilfer seed phrases
Then the clearPendingMnemonicJob function replaces the contents of the file with an empty JSON dictionary.
In most cases, the malware is delivered via a malicious library injection... To embed the malicious library, the hackers injected load commands into the main executable... then swaps out legitimate class methods for malicious versions.
Defense Impairment
1 technique
Credential Access
3 techniques
Included in the trojanized apps were additional code enabling the mnemonic phrase interception, encryption, and exfiltration.
Discovery
2 techniques
Collection
2 techniques
Command and Control
1 technique
IOCs tracked for this family
74 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android trojan family listed in detections appendix, associated by name with fake wallet applications.
A trojanized mobile cryptocurrency wallet threat affecting Android and iOS. Attackers repackage legitimate wallet apps such as Trust Wallet, Bitpie, OneKey, MetaMask, imToken, Coinbase Wallet, and TokenPocket, inject malicious code, and exfiltrate victims’ wallet seed phrases to attacker-controlled servers. Some variants transmit the seed phrase over unsecured HTTP.
A crypto-wallet trojan campaign distributed via phishing apps in the Apple App Store and phishing sites. It trojanizes legitimate wallet apps, injects malicious libraries or modifies app code, steals recovery phrases/private keys, encrypts the data, and exfiltrates it to attacker-controlled C2 servers.
A crypto-stealing iOS/Android trojan campaign distributed via phishing apps and phishing pages that masquerade as legitimate wallet apps. It installs trojanized wallet versions, injects malicious libraries or modified code, captures recovery phrases/private keys, encrypts the stolen data, and exfiltrates it to attacker-controlled C2 servers.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.