ESET has also found 13 fake crypto wallet apps available on Google Play that were removed in January.
Crypto wallet apps disguised themselves as genuine targeted people around the world
Photo Credit: Unsplash/ Vadim Artyukhin
Posed as crypto wallets, dozens of malicious apps have appeared online that aim to steal users' funds around the world. The apps were available for both Android and iOS users as a part of a complex scheme, according to a research-based report. The malicious apps in question were found to be impersonating crypto wallets such as Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, and OneKey. The trojanised crypto wallets were first discovered in May 2021 and initially targeted Chinese users. However, as cryptocurrencies are becoming popular, the malicious techniques used by attackers could be expanded to users around the world.
Internet security firm ESET has reported the discovery of malicious crypto wallets that appear to be available for both Android and iOS users.
The research conducted by ESET found a sophisticated scheme run by some anonymous attackers and identified over 40 websites impersonating popular crypto wallets. These websites target mobile users and force visitors by different techniques to let them download malicious wallet apps.
Although the initial evidence suggested that the target could be Chinese users, it was later found that the scheme could be aimed at anyone using English language on their phones.
“They are not targeting only Chinese users, since most of the distributed fake websites and apps are in English language. Because of that, I believe it might affect anyone in the world (if they speak English),” Lukas Stefanko, Malware Analyst at ESET, told Gadgets 360.
The first trace of the distribution vector of the trojanised wallets was spotted in May 2021. The attackers used different Telegram groups to enrol people for distributing the malicious apps, according to the report.
Based on the information obtained, the researchers found that attackers were giving people a 50 percent commission on the stolen contents of the wallet. This was aimed to bring more people on board for circulating the malware.
The researchers also noticed that the Telegram groups were shared and promoted in some Facebook groups, with a goal of searching for more distribution partners for the malware. It could eventually expand the scope of malicious attacks by getting middlemen for targeting individuals.
According to the researchers, the malware apps were pretending to work as legitimate crypto wallets, such as imToken, Bitpie, MetaMask, TokenPocket, and OneKey.
The apps behave differently depending on the operating system it was installed on, the researchers said.
On Android, the apps targeted new crypto users who do not have a legitimate wallet app installed on their devices. The wallet apps were using the same package name to disguise themselves as their original counterparts. However, they were signed using a different certificate. This restricts these apps to not overwrite the official wallet on the device.
However, on iOS, the malicious crypto wallet apps could be installed simultaneously alongside their legitimate version. The malicious apps would only be installed through a third-party source, though the official version could be from the App Store.
Once installed, the researchers found that the apps could steal seed phrases that are generated by a crypto wallet to give access to the crypto associated with that wallet. These phrases were spotted sharing with the attackers' server or with a secret Telegram chat group.
ESET researchers also discovered 13 fake wallet apps available on Google Play store that were removed in January on the basis of their request. The apps impersonated the legitimate Jaxx Liberty Wallet app and were installed more than 1,100 times.
The researchers advise users to download and install apps only from official sources, such as Google Play in case of Android and Apple's App Store for the iPhone consumers. Users are also recommended to quickly uninstall apps if they find them of malicious nature. In the case of iOS, users should also remove the configuration profile of malicious apps by going to Settings > General > VPN & Device Management once the apps are installed.
Users who are planning to enter the crypto world and looking to set up a new wallet are recommended to use only a trusted device and app before transferring any of their hard-earned money.
“Considering that the attackers know the history of all the victim's transactions, the attackers might not steal the funds immediately and might rather wait for a better opportunity after more coins are deposited,” Stefanko writes in the report.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.