Over 20 Malicious Apps on Google Play Targeting Users to Steal Login Information

A sophisticated phishing campaign is targeting cryptocurrency users through more than 20 malicious Android applications distributed via the Google Play Store.

These fraudulent apps impersonate popular crypto wallets including SushiSwap, PancakeSwap, Hyperliquid, and Raydium in order to steal users’ mnemonic (seed) phrases. A mnemonic is the master key from which every private key in a wallet is derived, so whoever obtains it can import the wallet on their own device and drain its funds without ever touching the victim’s phone again.

Malicious application impersonating Hyperliquid wallet

The malicious applications employ a deceptive strategy by mimicking the visual appearance and branding of legitimate cryptocurrency wallets to build user trust.

Cyble Research and Intelligence Labs (CRIL) found that the apps use icons and names identical to those of established crypto platforms, making them nearly indistinguishable from the authentic applications to an unsuspecting user.

The threat actors behind this campaign have been consistent in their approach, using compromised or repurposed developer accounts that previously hosted legitimate applications, including gaming, video downloader, and live streaming software.

Legitimate wallet icons

Some of these accounts had accumulated over 100,000 downloads before being compromised, lending credibility to the malicious apps they now distribute.

Reusing established accounts helps the fraudulent applications pass Google Play’s initial screening, which weighs a developer’s history, and makes them look more trustworthy to potential victims.

Technical Infrastructure

The malicious apps employ two primary technical methods to execute their phishing schemes.

The first approach uses the Median framework, a commercial wrapper that packages an existing website as a native Android app with little or no custom code.

These apps embed command-and-control (C2) URLs in their privacy policy fields and load the phishing websites directly in WebView components inside the application, so the “wallet” the user sees is a remote web page rather than native app code.

Investigation into the campaign’s infrastructure revealed that a single IP address hosts over 50 phishing domains, indicating a centralized and well-coordinated operation.

The phishing websites are specifically designed to prompt users for their 12-word mnemonic phrases under the pretense of wallet access, creating convincing replicas of legitimate wallet interfaces.

Phishing site impersonating the Raydium wallet

The second technical approach involves directly loading phishing URLs into WebView without using development frameworks, demonstrating the attackers’ adaptability in their methods.
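Both delivery paths share one property a triage script can key on: the wallet UI is a remote web page loaded in a WebView, so the phishing hostname sits somewhere in the APK’s resources, and the hosting overlap the report describes (dozens of domains on one IP) gives an infrastructure pivot. The following Python is an added example written for this article, not code from Cyble’s report, from Median, or from any of the apps. It assumes a Median-style wrapper stores its start URL in assets/appConfig.json under general.initialUrl (that key name is an assumption), and every domain, IP address, config file and HTML page in it is constructed sample data.

```python
"""Triage of WebView-wrapper wallet apps: pull URLs from decoded APK artifacts,
pivot on shared hosting, and flag brand lookalikes and seed-phrase prompts.
Added example, not Cyble's or Median's code; all data below is constructed."""
from __future__ import annotations
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed: config as decoded from a hypothetical Median-wrapped app.
# Assumption: the wrapper keeps its start URL under general.initialUrl.
APP_CONFIG_JSON = json.dumps({
    "general": {"initialUrl": "https://raydium-wallet-app.example/connect"},
    "navigation": {"privacyPolicyUrl": "https://cdn-config.example/policy.html"},
})

# Constructed: strings.xml from an app that loads its WebView URL directly.
STRINGS_XML = """<resources>
    <string name="app_name">Hyperliquid</string>
    <string name="webview_url">https://hyperliquid-wallet-login.example/</string>
</resources>"""

# Constructed DNS snapshot (RFC 5737 addresses): lookalikes share one IP.
DNS = {
    "raydium-wallet-app.example": "203.0.113.7",
    "hyperliquid-wallet-login.example": "203.0.113.7",
    "pancakeswap-connect.example": "203.0.113.7",
    "sushiswap-restore.example": "203.0.113.7",
    "cdn-config.example": "203.0.113.7",
    "raydium.io": "198.51.100.10",
    "hyperliquid.xyz": "198.51.100.11",
}

# Brands named in the report, mapped to the domains they actually use.
LEGIT = {"raydium": "raydium.io", "hyperliquid": "hyperliquid.xyz",
         "pancakeswap": "pancakeswap.finance", "sushiswap": "sushi.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SEED_PROMPT_RE = re.compile(
    r"mnemonic|seed phrase|recovery phrase|secret phrase|(12|24)[- ]word", re.I)


def extract_hosts(*artifacts: str) -> set[str]:
    """Hostnames of every http(s) URL found in the given decoded artifacts."""
    hosts = set()
    for blob in artifacts:
        for url in URL_RE.findall(blob):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def lookalike_brand(host: str) -> str | None:
    """Brand whose name the host borrows without being that brand's real domain."""
    for brand, real in LEGIT.items():
        if host == real or host.endswith("." + real):
            return None
        if brand in host:
            return brand
    return None


def cluster_by_ip(dns: dict[str, str]) -> dict[str, set[str]]:
    """Infrastructure pivot: every known hostname grouped by resolved IP."""
    clusters = defaultdict(set)
    for host, ip in dns.items():
        clusters[ip].add(host)
    return clusters


def seed_phrase_prompt(html: str) -> bool:
    """Heuristic: the page asks for a wallet mnemonic, i.e. prompt text plus
    a form with 12+ word slots or a free-text box, as the phishing pages do."""
    if not SEED_PROMPT_RE.search(html):
        return False
    inputs = len(re.findall(r"<input\b", html, re.I))
    return inputs >= 12 or "<textarea" in html.lower()


def triage(hosts: set[str], dns: dict[str, str], min_cluster: int = 5) -> dict:
    """Per host: resolved IP and the reasons it looks like wallet phishing."""
    clusters = cluster_by_ip(dns)
    report = {}
    for host in sorted(hosts):
        ip = dns.get(host)
        reasons = []
        brand = lookalike_brand(host)
        if brand:
            reasons.append(f"impersonates {brand} ({LEGIT[brand]})")
        if ip and len(clusters[ip]) >= min_cluster:
            reasons.append(f"shares {ip} with {len(clusters[ip]) - 1} other domains")
        report[host] = {"ip": ip, "reasons": reasons}
    return report


# Constructed: a seed-import page of the kind the WebView loads.
PHISH_HTML = ("<h2>Import wallet</h2><p>Enter your 12-word recovery phrase</p>"
              + "".join(f'<input name="w{i}">' for i in range(12)))

if __name__ == "__main__":
    for host, info in triage(extract_hosts(APP_CONFIG_JSON, STRINGS_XML), DNS).items():
        print(host, info["ip"], "; ".join(info["reasons"]) or "no finding")
    print("seed-phrase prompt:", seed_phrase_prompt(PHISH_HTML))
```

Two caveats when running this against real decoded APKs: cheap VPS providers and CDNs also put many unrelated sites on one IP, so the shared-hosting count is corroboration rather than proof on its own, and a real wallet’s import screen also asks for a mnemonic. The combination is what matters: a page that is fetched from a remote host at runtime, imitates a brand it does not own, and asks for the seed phrase has no legitimate reason to exist, because a genuine wallet restores the seed locally and never needs to send it anywhere.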

Mitigations

Upon discovery of the malicious applications, CRIL promptly reported them to Google, resulting in the removal of most apps from the Play Store.

However, security researchers warn that some applications remained active on the platform at the time of their report, highlighting the ongoing nature of this threat campaign.

The campaign represents a particularly dangerous form of cryptocurrency fraud because successful attacks can result in irreversible financial losses for victims.

Unlike transfers in the traditional banking system, cryptocurrency transactions cannot be reversed once confirmed, and there is no issuer, chargeback process, or deposit insurance to recover stolen funds.

The threat actors’ use of seemingly legitimate applications hosted under previously benign developer accounts, combined with their large-scale phishing infrastructure, makes detection significantly more challenging for traditional security defenses.

Security experts emphasize that as the cryptocurrency ecosystem continues expanding, users must maintain heightened vigilance when downloading wallet applications.

The incident underscores the critical need for enhanced collaboration between app stores, security vendors, and developers to implement more robust threat detection and response mechanisms to protect the growing cryptocurrency user base from sophisticated phishing operations.

Ethan Brooks

Ethan Brooks is a senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
