A team of cybersecurity researchers have found 20 apps on the Google Play Store which were targeting cryptocurrency wallet users. According to a report by a cybersecurity research firm, these crypto-phishing applications impersonated legitimate crypto wallets such as Hyperliquid, PancakeSwap, and Raydium. Threat actors leveraged phishing tactics and compromised or repurposed developer accounts, forcing users to enter their 12-word mnemonic phrase on a web-based false wallet interface and gaining access to their real wallets, the report stated.
Crypto-Phishing Apps on Google Play Store
Cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) have identified over 20 cryptocurrency phishing apps on the Google Play Store. The apps reportedly used similar package names and descriptions as legitimate crypto wallet apps but were published under different developer accounts which are often compromised. Alternatively, the report mentions some of these apps were also listed under repurposed developer accounts which were originally used for distribution of apps related to gaming, live streaming, and video download.
The malicious apps discovered on the Play Store also embedded Command and Control (C&C) URLs within their privacy policies to appear as legitimate. Threat actors were said to use the Median framework to convert web pages into Android apps.
Once an app is installed and opened by the victim, a URL, which resembles the privacy policy, redirects them to a phishing website. It is reported to have been designed to specifically steal 12-word mnemonic phrases via a WebView in the app. This results in the threat actor gaining access to the victim’s crypto wallet and potentially draining all of the funds.
The report states these apps were linked to a network of over 50 phishing domains. Cybersecurity researchers found the following apps with their respective package names and privacy policy URLs on the Google Play Store:
| Name | Package Name | Privacy Policy |
|---|---|---|
| Pancake Swap | co.median.android.pkmxaj | hxxps://pancakedentfloyd.cz/privatepolicy.html |
| Suiet Wallet | co.median.android.ljqjry | hxxps://suietsiz.cz/privatepolicy.html |
| Hyperliquid | co.median.android.jroylx | hxxps://hyperliqw.sbs/privatepolicy.html |
| Raydium | co.median.android.yakmje | hxxps://raydifloyd.cz/privatepolicy.html |
| Hyperliquid | co.median.android.aaxbjp | hxxps://hyperliqw.sbs/privatepolicy.html |
| Bulix Crypto | co.median.android.ozjwka | hxxps://bullxni.sbs/privatepolicy.html |
| OpenOcean Exchange | co.median.android.ozjljk | hxxps://openoceansi.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.mpeaaw | hxxps://suietsiz.cz/privatepolicy.html |
| Meteora Exchange | co.median.android.kbxqaj | hxxps://meteoraflordoverdose.sbs/privatepolicy.html |
| Raydium | co.median.android.epwzyq | hxxps://raydifloyd.cz/privatepolicy.html |
| SushiSwap | co.median.android.pkezyz | hxxps://sushijames.sbs/privatepolicy.html |
| Raydium | co.median.android.pkzyjr | hxxps://raydifloyd.cz/privatepolicy.html |
| SushiSwap | co.median.android.briljb | hxxps://sushijames.sbs/privatepolicy.html |
| Hyperliquid | co.median.android.djerqq | hxxps://hyperliqw.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.epeall | hxxps://suietwz.sbs/privatepolicy.html |
| Bulix Crypto | co.median.android.braqdy | hxxps://bullxni.sbs/privatepolicy.html |
| Harvest Finance blog | co.median.android.ljmeob | hxxps://harvestfin.sbs/privatepolicy.html |
| Pancake Swap | co.median.android.djrdyk | hxxps://pancakedentfloyd.cz/privatepolicy.html |
| Hyperliquid | co.median.android.epbdbn | hxxps://hyperliqw.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.noxmdz | hxxps://suietwz.sbs/privatepolicy.html |
“These apps have been progressively discovered over recent weeks, reflecting an ongoing and active campaign”, researchers said. They promptly reported them to Google, leading to their removal from the Play Store. Users are advised to take immediate action and uninstall them from their devices, in addition to securing their crypto wallet.
