Security Week 2617: Crypto Stealers in the Chinese Apple App Store

Researchers from Kaspersky Lab examined the tactics of malware distribution through the official App Store for Apple devices.

In March of this year, over two dozen applications mimicking popular cryptocurrency programs were discovered in the Chinese App Store. To bypass checks when publishing the app, some rudimentary functionality is embedded in them, usually having nothing to do with cryptocurrencies. However, the main task of such a program after installation is to open a browser and redirect the user to a page from which a real malicious program will be installed by adding an Enterprise profile to the device.

Criminals took advantage of the peculiarities of the App Store in China, due to which some official applications for working with cryptocurrencies are unavailable there. A total of 26 programs were found masquerading as popular crypto wallets, including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. In some cases, the app name was random, but the description claimed that due to restrictions in China, the official software for working with some service was "hidden" within it.

The main functionality of all the applications is to steal data for access to hot cryptocurrency wallets. Users are somehow forced to enter data into the malicious application, which is then sent to a command server. In some cases, the attackers are also targeting cold wallets — the study details a modified application for working with Ledger wallets. In addition to apps in the App Store, researchers also discovered web pages disguised as official cryptocurrency service websites, from which the same malicious programs were distributed. Although the malware was clearly aimed at users from China, it had no regional restrictions, and in some cases adapted to the language set on the phone, hinting at the possibility of expanding the attack to other regions.

What else happened

Another publication by experts from the "Kaspersky Lab" dissects the post-exploitation framework AdaptixC2. This toolkit is regularly used in real attacks, including APT attacks and data encryption attacks. A regular report on the evolution of threats to industrial automation systems for the fourth quarter of 2025 has also been published.

The publication BleepingComputer writes about yet another method of exploiting legitimate services to send phishing messages. The new scheme works as follows: a new Apple ID account is created, a change of delivery address is initiated, and a corresponding notification is sent via email from Apple’s servers. This notification is then forwarded to potential victims, and such an email looks as if it came from Apple’s servers. It also passes all legitimacy checks and is likely to bypass spam filters. In this case, the attacker has limited opportunities to insert the phishing message. As seen in the screenshot above, it is injected in the form of the user's Apple ID name. The text inserted appears to the potential victim as if someone is attempting to purchase an iPhone using their account. To "resolve the issue," they are suggested to call a "support" phone number.

A vulnerability has been discovered in the wolfSSL library, a lightweight implementation of SSL/TLS protocols for embedded devices. A bug in the code could theoretically be exploited to force a vulnerable device or program to accept a forged certificate. The vulnerability was discovered by a researcher from Anthropic using an AI assistant.

Comments

    Also read