Cyble Research and Intelligence Labs (CRIL) has recently uncovered a malicious crypto phishing campaign where more than 20 malicious applications on the Google Play Store were designed to target crypto wallet users with phishing schemes. These deceptive apps impersonate well-known wallet platforms and lure users into revealing their sensitive mnemonic phrases, effectively handing over control of their digital assets.
Malicious Apps Mimic Trusted Crypto Wallets
According to CRIL’s report, the phishing apps impersonated popular crypto wallet interfaces such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium.
These applications often featured polished user interfaces that closely resembled the real platforms. Once users launched the fake apps, they were prompted to enter their 12-word mnemonic phrase, a critical piece of information used to access genuine crypto wallets.
These malicious apps were not distributed via obscure channels. Instead, they were made available directly through the Play Store, lending them an appearance of legitimacy.
CRIL found that the threat actors exploited compromised or repurposed developer accounts, some of which had previously published legitimate apps with over 100,000 downloads.
Phishing Techniques and Distribution Tactics
One common thread among these phishing apps was the embedding of malicious URLs within their privacy policies. Many used similar package names and descriptions, indicating a coordinated effort by a single or related group of attackers. These tactics helped disguise the true intent of the apps and evade automated detection systems.
The apps were created using frameworks like Median, which allows for the quick transformation of websites into Android applications. In many cases, phishing websites were loaded into the apps via WebView components. For instance, one of the URLs used was hxxps://pancakefentfloyd.cz/api.php, which mimicked PancakeSwap and prompted users to input their mnemonic phrases.
Further technical analysis revealed that the IP address hosting one of the phishing domains (94.156.177.209) was linked to over 50 other phishing domains, showing just how vast and organized this campaign is.
List of Identified Malicious Apps
CRIL’s detailed breakdown included dozens of malicious applications, including:
- Pancake Swap (co.median.android.pkmxaj)
- Suiet Wallet (co.median.android.ljqjry)
- Hyperliquid (co.median.android.jroylx)
- Raydium (co.median.android.yakmje)
- BullX Crypto (co.median.android.ozjwka)
- OpenOcean Exchange (co.median.android.ozjjkx)
- Meteora Exchange (co.median.android.kbxqaj)
- SushiSwap (co.median.android.pkezyz)
In addition, two apps used different naming conventions but shared the same malicious intent: Raydium (cryptoknowledge.rays) and PancakeSwap (com.cryptoknowledge.quizzz), both linking to the same phishing privacy policy hosted via TermsFeed.
A Coordinated Crypto Phishing Operation
This is not just a scattered attempt by low-level scammers. The infrastructure behind these apps, with more than 50 associated phishing domains, indicates a well-orchestrated phishing operation targeting the growing base of cryptocurrency users. By impersonating legitimate apps on a trusted platform like the Play Store, these attackers were able to breach users’ trust and evade conventional security measures.
If a user falls for this type of crypto phishing attack and submits their mnemonic phrase, attackers can immediately gain access to their crypto wallet and transfer funds, often irreversibly. Unlike traditional bank transactions, crypto transfers typically offer no recourse for recovery once completed.
Conclusion
To stay protected against these types of crypto phishing attacks, users are strongly advised to follow essential security practices: download apps only from verified developers, avoid any that request sensitive details such as mnemonic phrases, and carefully review app ratings and authenticity, especially for recently released apps. Enabling Google Play Protect, using trusted antivirus software, activating multi-factor authentication, and utilizing biometric security features where possible can provide additional layers of defense. Users should also avoid clicking on suspicious links received via SMS or email.
