A set of 26 malicious apps on the Apple App Store impersonate popular cryptocurrency wallets, such as Metamask, Coinbase, Trust Wallet, and OneKey, to steal recovery (seed) phrases and drain victims' cryptocurrency assets.
The threat actor used multiple methods to imitate official products, including typosquatting and fake branding, to lure users in China into downloading them.
Because such apps are restricted in China, the attacker published them as games or calculator apps, likely hoping that users would read the disguise as a trick for getting around the local restrictions rather than as a warning sign.
Kaspersky researchers say that all 26 fake apps belong to the same campaign, which they named FakeWallet, and link it to the SparkKitty operation, which has been running since last year.
Once opened, the apps redirect users to phishing pages designed to appear as legitimate portals for the crypto services.
Fake website impersonating Ledger
Source: Kaspersky
These sites convince victims to install trojanized wallet apps via iOS provisioning profiles, a legitimate enterprise-distribution feature that is abused here to sideload malware onto the device. The same technique was observed in SparkKitty.
Installing a provisioning profile
Source: Kaspersky
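The practical check after reading this is: given an app pulled from a device, was it signed for enterprise distribution (installable on any device, which is what a phishing site needs) or for a normal developer or App Store channel? The script below is an added example written for this article, not Kaspersky's tooling or the attacker's, and it makes one assumption: the `.mobileprovision` file is a CMS-signed blob with the XML plist embedded uncompressed, so the plist can be cut out with a regex instead of a CMS parser (on macOS, `security cms -D -i embedded.mobileprovision` does this properly). The two sample profiles are constructed inline and are not real attacker profiles.

```python
"""Triage an iOS embedded.mobileprovision: enterprise (sideload-capable) vs
developer/ad hoc vs App Store signing. Added example, not the article's code."""
import plistlib
import re
from datetime import datetime, timezone
from typing import Optional

# The signed profile is DER-encoded CMS; the XML plist sits inside it
# uncompressed, so a regex is enough to pull it out for offline triage.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(profile_bytes: bytes) -> dict:
    """Pull the plist payload out of a (real or constructed) CMS wrapper."""
    match = PLIST_RE.search(profile_bytes)
    if match is None:
        raise ValueError("no XML plist payload found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Decide how the profile lets the app be installed and flag expiry."""
    now = now or datetime.now(timezone.utc)
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"            # in-house distribution: any device, no UDID list
    elif "ProvisionedDevices" in profile:
        kind = "developer-adhoc"       # pinned to an explicit list of device UDIDs
    else:
        kind = "appstore-or-unknown"   # App Store profiles carry neither
    expires = profile.get("ExpirationDate")
    if isinstance(expires, datetime) and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # plistlib dates are naive UTC
    entitlements = profile.get("Entitlements", {})
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": entitlements.get("application-identifier"),
        "debuggable": bool(entitlements.get("get-task-allow", False)),
        "expired": bool(expires is not None and expires < now),
        # An enterprise profile is exactly what a phishing page needs to push
        # an app onto arbitrary devices outside the App Store.
        "sideload_risk": kind == "enterprise",
    }


def triage(profile_bytes: bytes, now: Optional[datetime] = None) -> dict:
    return classify_profile(extract_plist(profile_bytes), now)


def wrap_as_fake_cms(plist: dict) -> bytes:
    """Constructed stand-in for the CMS wrapper: DER-looking junk around the
    plist. A real profile is produced by Apple's signing, not by this helper."""
    header = b"\x30\x82\x1f\x00\x06\x09*\x86H\x86\xf7\r\x01\x07\x02\xa0\x82"
    return header + plistlib.dumps(plist) + b"\x00" * 16


# Constructed samples (not real profiles): an enterprise profile of the kind
# a phishing site would push, and a developer profile for contrast.
ENTERPRISE_SAMPLE = wrap_as_fake_cms({
    "AppIDName": "Wallet",
    "TeamName": "Example Enterprise Ltd",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2030, 1, 1),
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.wallet",
        "get-task-allow": False,
    },
})
DEVELOPER_SAMPLE = wrap_as_fake_cms({
    "AppIDName": "Wallet Dev",
    "TeamName": "Example Dev Team",
    "TeamIdentifier": ["FGHIJ67890"],
    "ProvisionedDevices": ["00008030-000000000000001E"],  # constructed UDID
    "ExpirationDate": datetime(2020, 1, 1),               # already expired
    "Entitlements": {
        "application-identifier": "FGHIJ67890.com.example.walletdev",
        "get-task-allow": True,
    },
})

if __name__ == "__main__":
    for name, blob in (("enterprise", ENTERPRISE_SAMPLE), ("developer", DEVELOPER_SAMPLE)):
        print(name, triage(blob))
```

On a jailbroken device or from a decrypted IPA the file to feed in is `Payload/<App>.app/embedded.mobileprovision`; an app installed from the App Store normally has no such file at all, so its mere presence alongside `ProvisionsAllDevices` is the signal to chase, together with the `TeamName` the profile was issued to.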