Fake Crypto Apps in Official App Stores: How to Spot Them
Why this matters
In April 2026, a fake version of Ledger Live on the Apple App Store drained $9.5 million from more than 50 holders in one week. Attackers publish near-identical imitations of real wallet apps through official stores, collect seed phrases entered by holders, and drain linked wallets within hours. Checking the developer name and downloading only through links from the official manufacturer website are the two most effective steps available.
Fake crypto apps now appear in the Apple App Store and Google Play at a rate that makes official listings an unreliable trust signal on their own. In April 2026, a fraudulent version of Ledger Live drained $9.5 million from more than 50 holders across Bitcoin, Ethereum, Solana, Tron, and XRP in a single week before Apple removed the listing (CoinDesk, 2026). Understanding how these apps pass review, what they do once installed, and how to verify any crypto app before using it is now a routine part of managing a secure setup.
How fake apps get past app store review
App store review is designed to catch known malware, but fraudulent crypto apps reach users through methods that routinely bypass this process. The April 2026 fake Ledger Live app was submitted under the developer name "Leva Heal Limited," with no connection to Ledger's actual developer identity, "Ledger SAS." It passed Apple's review and stayed live for approximately two weeks (CoinDesk, 2026). In early 2025, security researchers found a malicious software development kit called SparkCat embedded inside multiple legitimate-looking apps on both the App Store and Google Play. SparkCat was not a standalone fake wallet but a hidden component inside otherwise functional software. It used optical character recognition to scan device screenshots for seed phrases without triggering obvious permission alerts, and infected Android apps had been downloaded more than 242,000 times before detection (Help Net Security, 2025). A separate review in mid-2025 found more than 20 fake wallet apps on Google Play impersonating well-known wallet and DeFi interfaces. Placement on a major platform confirms only that an app passed a review process, not that it is safe to use.
What fake apps do once installed
The most common attack is a seed phrase prompt. When a holder opens a fake wallet app and sees a "restore wallet" or "import existing wallet" screen, the flow looks identical to a legitimate setup. Genuine hardware wallet companion apps communicate with the physical device via USB or Bluetooth; they do not request a recovery phrase to open or pair. This distinction is explained in more detail in the hardware wallet blind signing guide. When users entered their phrase into the April 2026 fake Ledger app, attackers received it in real time and drained the linked wallets within hours. The three largest individual victims each lost between $1.95 million and $3.23 million (The Block, 2026). The stolen assets were traced to a centralized laundering service via KuCoin deposit addresses. A second attack method is clipboard hijacking: the app monitors clipboard content and silently replaces any copied wallet address with an attacker-controlled one, redirecting the next transaction without any visible sign. Keeping your recovery phrase off any digital input, including apps that appear legitimate, is the foundation; the seed phrase storage guide covers the full set of practices.
What to check in your own setup
The most consistent protection is bypassing app store search entirely as a discovery method. Go to the wallet or exchange maker's official website and follow their direct link to the store listing. On the listing page, check the developer name against what the official site specifies. Any mismatch, even a single character, is enough to identify a clone; the April 2026 listing showed "Leva Heal Limited" where the genuine developer is "Ledger SAS." For hardware wallets specifically, the companion app should detect and pair with your physical device at launch. If any app requests a recovery phrase on startup, close it immediately and report the listing. Also review the permissions that the crypto apps on your phone have been granted. Legitimate wallet software does not need access to your photo library or screenshots; the SparkCat SDK exploited exactly that access in 2025. For a broader view of your setup, including open approvals and concentration gaps, the setup check on Asset Alert covers these without requiring a wallet connection.
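One way to carry out the permission review on Android, as an added example that is not part of the original article: the script reads the output of `adb shell dumpsys package <name>` and reports apps that currently hold photo or screenshot access. The package names and the sample output are constructed for illustration.

```python
import re

# Android permissions that expose photos and screenshots to an app.
MEDIA_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",
}
# Only lines carrying a grant state count; the "requested permissions:"
# section lists bare names and must not be treated as granted.
GRANT_LINE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)", re.M)

def granted_media_permissions(dumpsys_text):
    """Return the media permissions marked granted=true in one dumpsys report."""
    return sorted({name for name, state in GRANT_LINE.findall(dumpsys_text)
                   if state == "true" and name in MEDIA_PERMS})

def audit(reports):
    """Map package name -> granted media permissions, omitting clean apps."""
    findings = {}
    for pkg, text in reports.items():
        perms = granted_media_permissions(text)
        if perms:
            findings[pkg] = perms
    return findings

# Constructed excerpts in the shape of `adb shell dumpsys package <name>`.
SAMPLE_REPORTS = {
    "com.example.wallet": """
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_MEDIA_IMAGES
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET]
""",
    "com.example.swaptool": """
  requested permissions:
    android.permission.READ_EXTERNAL_STORAGE
  runtime permissions:
    android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
    android.permission.CAMERA: granted=true, flags=[ USER_SET]
""",
}

if __name__ == "__main__":
    for pkg, perms in audit(SAMPLE_REPORTS).items():
        print(f"{pkg}: revoke {', '.join(perms)}")
```

An app that requested media access but was denied it is not reported, so the result lists only access that is live on the device and can be revoked in system settings.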