FakeWallet crypto stealer spreading through iOS apps in the ...#2151

Open
carlospolop wants to merge 1 commit into master from update_FakeWallet_crypto_stealer_spreading_through_iOS_ap_20260420_133137

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/
  • Blog Title: FakeWallet crypto stealer spreading through iOS apps in the App Store
  • Suggested Section: Mobile Pentesting -> iOS Pentesting (or a new subpage under iOS Reversing/Injection): Mach-O load-command dylib injection, dyld initializers (+load/__mod_init_functions), Objective-C method hooking for UI scraping; plus a note under Mobile/Phishing about enterprise provisioning-profile sideload chains

🎯 Content Summary

Title / context
Kaspersky reports an iOS crypto-stealing campaign dubbed FakeWallet, discovered in March 2026, consisting of 26 Apple App Store apps impersonating major cryptocurrency wallets. After installation, these “phishing apps” redirect victims to browser pages that mimic the App Store and then distribute trojanized wallet apps via iOS provisioning profiles. Malware metadata suggests activity since at least Fall 2025. Detections: HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.Iphon...

🔧 Technical Details

Provisioning-profile sideload chain via App Store “stub” phishing apps
Attackers can publish benign-looking “stub” apps (typosquatted names/icons or unrelated utilities with wallet banners) that, on launch, open a browser URL. The URL leads to App Store–lookalike pages that instruct installation of a provisioning/enterprise profile and then a trojanized IPA outside App Store controls. This abuses Apple’s legitimate enterprise distribution mechanism to scale delivery when official apps are region-restricted.

Mach-O load-command injection to force-load a malicious dylib + dyld initialization for method hijacking
A legitimate iOS app can be trojanized by modifying its Mach-O main executable to add load commands that load a malicious .dylib. When dyld loads the dylib, init routines (Objective-C +load or standard C/C++ initializers) can (1) read hardcoded/on-disk configuration and (2) swap/hijack Objective-C methods. Hooking UI lifecycle methods (e.g., -viewDidLoad on seed-phrase screens) ...

🤖 Agent Actions

I’m mapping the repo first and then reading the most relevant mobile iOS pages to avoid duplicating existing HackTricks coverage. After that I’ll pick one target file and patch only the missing technique details from the blog.
I have the candidate areas. Next I’m reading the iOS pentesting pages that already mention provisioning profiles, Mach-O structure, hooking, WebViews, and phishing so I can isolate what is actually new from this campaign.
The existing pages already cover generic provisioning profiles, Frida hooking, and WebViews, but not this specific trojanization pattern. I’m now checking for a more precise iOS reversing target before I edit anything, especially around Mach-O load commands and code-injection workflows.
I’ve narrowed it to a single-file update. The best fit is ios-pentesting-without-jailbreak.md, because it already covers sideloaded and re-signed IPAs; I’m checking its structure now so I can add the FakeWallet tradecraft as trojanized-IPA inspection guidance instead of scattering it across multiple pages.
I’ve chosen the target file and the edit shape. I’m patching in a focused section on how to inspect trojanized sideloaded IPAs: provisioning-profile delivery, Mach-O load-command dylib injection, dyld initializers, custom __hook trampolines, and in-app WebView/React Native phishing markers.
The patch is in place and the markdown renders cleanly in the file excerpt. I’m doing one final verification pass on the diff and repo status, then I’ll close with the exact file changed and what was added.
Updated ios-pentesting-without-jailbreak.md.

I added a focused section on inspecting trojanized sideloaded IPAs, which captures the genuinely new tradecraft from the FakeWallet report without turning it into CVE/malware cataloging: provisioning-profile/App-Store-stub delivery, Mach-O LC_LOAD_* dylib injection, dyld initializer abuse via +load and __mod_init_func, custom __hook trampoline sections, Objective-C UI scraping, local WebView/BIP-39 phishing, and React Native persistence markers. I also added concise triage commands and appended the Securelist, SparkKitty, and ESET references at the end of the file.

Verification: only this file was modified, and the new content is at lines 98-129 with the new references at lines 247-249.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
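The load-command injection described in the Technical Details above can be triaged by listing the dylib load commands of the sideloaded IPA's main executable. The following Python is an added example, not code from the Securelist report or from the HackTricks page this PR patches: it parses a thin little-endian 64-bit Mach-O header, reports every dyld dylib load command in load order, and flags paths outside the Apple system prefixes. The system-prefix heuristic, the constructed sample binary and the `libhook.dylib` name are assumptions, not values from the report.

```python
import struct
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x80000018  # commands that make dyld load a dylib
DYLIB_CMDS = {LC_LOAD_DYLIB: "LC_LOAD_DYLIB", LC_LOAD_WEAK_DYLIB: "LC_LOAD_WEAK_DYLIB",
              0x8000001F: "LC_REEXPORT_DYLIB", 0x80000023: "LC_LOAD_UPWARD_DYLIB"}
# Heuristic (assumption, not from the report): Apple-shipped dylibs live under these prefixes.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")

def iter_load_commands(data):
    """Yield (cmd, raw_bytes) for each load command of a thin 64-bit Mach-O."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit slices not handled)")
    off, end = 32, 32 + sizeofcmds  # mach_header_64 is 32 bytes; commands follow it
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")  # truncated or overlapping command
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def linked_dylibs(data):
    """Return [(command name, dylib path)] in the order dyld will process them."""
    out = []
    for cmd, raw in iter_load_commands(data):
        if cmd in DYLIB_CMDS:
            name_off = struct.unpack_from("<I", raw, 8)[0]  # dylib.name is an offset into the cmd
            path = raw[name_off:].split(b"\0", 1)[0].decode()
            out.append((DYLIB_CMDS[cmd], path))
    return out

def suspicious_dylibs(data):
    """Dylibs outside the system prefixes, e.g. @executable_path/@rpath-relative injected ones."""
    return [p for _, p in linked_dylibs(data) if not p.startswith(SYSTEM_PREFIXES)]

def build_dylib_cmd(cmd, path):
    """Constructed helper: encode a dylib_command (24-byte fixed part + 8-byte-padded path)."""
    name = path.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)
    return struct.pack("<6I", cmd, 24 + len(name), 24, 2, 0x10000, 0x10000) + name

def build_sample():
    """Constructed minimal arm64 MH_EXECUTE: two system dylibs plus one bundle-relative dylib."""
    cmds = (build_dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libobjc.A.dylib")
            + build_dylib_cmd(LC_LOAD_DYLIB, "/System/Library/Frameworks/UIKit.framework/UIKit")
            + build_dylib_cmd(LC_LOAD_WEAK_DYLIB, "@executable_path/Frameworks/libhook.dylib"))
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0)
    return hdr + cmds
```

On a real sample, pass the bytes of the main executable inside `Payload/<App>.app/` to `linked_dylibs`; a bundle-relative path appended after the Apple frameworks is the pattern to review, together with the dylib's own initializers.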

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> iOS Pentesting (or a new subpage under iOS Reversing/Injection): Mach-O load-command dylib injection, dyld initializers (+load/__mod_init_functions), Objective-C method hooking for UI scraping; plus a note under Mobile/Phishing about enterprise provisioning-profile sideload chains".

Repository Maintenance:

  • MD Files Formatting: 972 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

