Over 20 Malicious Apps on Google Play Target Users for Seed Phrases

A recent investigation by threat intelligence firm Cyble has spotted a campaign targeting cryptocurrency users through the Google Play Store with more than 20 malicious Android applications.

These apps, disguised as trusted crypto wallets like SushiSwap, PancakeSwap, Hyperliquid, and Raydium, have been found harvesting users’ 12-word mnemonic phrases, the keys that unlock their crypto funds.

These apps mimic legitimate wallet interfaces, luring users into entering sensitive recovery phrases. Once entered, the attackers can access the real wallets and empty them. While Google has removed many of these fake apps following Cyble’s report, a handful remain live on the store and have been flagged for removal.

How the Scam Works

According to Cyble’s report shared with Hackread.com, the fraudulent apps carry names and icons of well-known crypto platforms and appear under developer accounts that previously hosted genuine apps, including games, video downloaders, and streaming tools. These accounts, some with more than 100,000 downloads, appear to have been hijacked and repurposed to distribute the malicious apps.

Screenshot showing a developer account that previously published legitimate apps, now used for malicious activity (Credit: Cyble)

In several cases, the apps use a development tool known as the “Median framework” to quickly turn phishing websites into Android apps. The apps load these phishing pages directly inside a WebView (an embedded browser window), and the page then asks users for their mnemonic phrase under the guise of wallet access.

The campaign isn’t only widespread in scale but also coordinated in its infrastructure. One phishing domain found by Cyble was linked to over 50 similar domains, all part of the same broader effort to compromise wallet security.

Cyble’s researchers also noticed a pattern in how these fake apps operate. Many of them include links in their privacy policies that actually lead to phishing websites designed to steal users’ wallet recovery phrases. The apps also tend to follow similar naming styles, which points to the use of automated tools to quickly create and publish them.

On top of that, several apps are connected to the same servers or websites, showing they’re part of a larger, organized effort. Some of the fake domains linked to these apps include:

  • bullxnisbs
  • hyperliqwsbs
  • raydifloydcz
  • sushijamessbs
  • pancakefentfloydcz

These domains impersonate various wallet providers and serve pages meant to trick users into handing over their seed phrases. Meanwhile, the partial list of malicious apps, courtesy of Cyble, is available below:

  1. Raydium
  2. SushiSwap
  3. Suiet Wallet
  4. Hyperliquid
  5. BullX Crypto
  6. Pancake Swap
  7. Meteora Exchange
  8. OpenOcean Exchange
  9. Harvest Finance Blog

Despite efforts to remove the apps, the campaign is ongoing. As of this report, a few remain active on the Play Store. The quick replication of these apps using off-the-shelf frameworks suggests the attackers could easily spin up more fake apps if not quickly blocked.

This poses a serious risk. Unlike traditional banking, there is no safety net for crypto theft. Once a wallet is drained, the funds are nearly impossible to recover.

Cyble has shared detailed indicators of compromise (IOCs) including app names, package identifiers, and phishing domains, which security professionals can use to block or investigate further.

This campaign shows how attackers continue to target the already vulnerable crypto space through official channels like app stores. While app platforms are working to catch malicious uploads, users remain on the receiving end of these cybersecurity threats. Therefore, users are urged to stay alert and follow these steps to protect themselves:

  • Watch for red flags like low review counts, recently republished apps, or links to strange domains in privacy policies.
  • Avoid downloading and installing unnecessary apps.
  • Enable Google Play Protect to help identify potentially harmful apps.
  • Use biometric security and two-factor authentication where available.
  • Stay cautious when downloading apps from third-party as well as official stores.
  • Never enter your 12-word phrase into any app or website unless you’re certain it’s legitimate.
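
For defenders who review store listings in bulk, the red flags described in this article (a crypto brand name under an unrelated developer account, a repurposed account history, a privacy-policy link on a phishing domain, a low review count) can be scripted. The following is an added example, not code from Cyble or Hackread; the listing fields, the blocklist entry, the review threshold, and the sample records are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Brand names taken from the article's list of impersonated apps.
BRANDS = ("raydium", "sushiswap", "suiet", "hyperliquid", "bullx",
          "pancake", "meteora", "openocean", "harvest finance")
# Placeholder blocklist (constructed); load real phishing domains from an IOC feed.
BLOCKED_DOMAINS = {"wallet-phish.example"}
# Earlier app types the article says the hijacked accounts had published.
UNRELATED_CATEGORIES = {"game", "video downloader", "streaming"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_blocked(host):
    """True if host equals a blocked domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def triage(listing):
    """Return the red flags raised by one store listing (a dict)."""
    flags = []
    name = listing["name"].lower()
    brand = next((b for b in BRANDS if b in name), None)
    if brand and brand not in listing["developer"].lower():
        flags.append("brand-name-mismatch")
    if brand and UNRELATED_CATEGORIES & set(listing["prior_categories"]):
        flags.append("repurposed-developer-account")
    if is_blocked(host_of(listing["privacy_policy_url"])):
        flags.append("privacy-policy-phishing-domain")
    if listing["review_count"] < 50:  # threshold is an assumption
        flags.append("low-review-count")
    return flags


# Constructed sample listings (not real apps or developers).
SAMPLES = [
    {"name": "Pancake Swap", "developer": "FunArcade Studio",
     "prior_categories": ["game", "video downloader"],
     "privacy_policy_url": "https://login.wallet-phish.example/policy",
     "review_count": 3},
    {"name": "Notes Pro", "developer": "Notes Pro Ltd",
     "prior_categories": ["productivity"],
     "privacy_policy_url": "https://notespro.example/privacy",
     "review_count": 4200},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["name"], "->", triage(s) or "no flags")
```

A flagged listing is a candidate for manual review, not a verdict; the domain check is only as good as the IOC feed behind `BLOCKED_DOMAINS`.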


