Full Report
Cyble Research and Intelligence Labs (CRIL) has recently uncovered a malicious crypto phishing campaign where more than 20 malicious applications on the Google Play Store were designed to target crypto wallet users with phishing schemes. These deceptive apps impersonate well-known wallet platforms and lure users into revealing their sensitive mnemonic phrases, effectively handing over control of their digital assets. Malicious Apps Mimic Trusted Crypto Wallets According to CRIL’s report, the phishing apps impersonated popular crypto wallet interfaces such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium. [caption id="" align="alignnone" width="1024"] Malicious application impersonating SushiSwap wallet (Source: Cyble)[/caption] These applications often featured polished user interfaces that closely resembled the real platforms. Once users launched the fake apps, they were prompted to enter their 12-word mnemonic phrase, a critical piece of information used to access genuine crypto wallets. These malicious apps were not distributed via obscure channels. Instead, they were made available directly through the Play Store, lending them an appearance of legitimacy. [caption id="" align="alignnone" width="1024"] Developer account previously hosting gaming apps and now distributing a malicious phishing app (Source: Cyble)[/caption] CRIL found that the threat actors exploited compromised or repurposed developer accounts, some of which had previously published legitimate apps with over 100,000 downloads. Phishing Techniques and Distribution Tactics One common thread among these phishing apps was the embedding of malicious URLs within their privacy policies. Many used similar package names and descriptions, indicating a coordinated effort by a single or related group of attackers. These tactics helped disguise the true intent of the apps and evade automated detection systems. The apps were created using frameworks like Median, which allows for the quick transformation of websites into Android applications. In many cases, phishing websites were loaded into the apps via WebView components. For instance, one of the URLs used was hxxps://pancakefentfloyd.cz/api.php, which mimicked PancakeSwap and prompted users to input their mnemonic phrases. [caption id="" align="alignnone" width="1023"] IP hosting multiple phishing domains (Source: Cyble)[/caption] Further technical analysis revealed that the IP address hosting one of the phishing domains (94.156.177.209) was linked to over 50 other phishing domains, showing just how vast and organized this campaign is. List of Identified Malicious Apps CRIL's detailed breakdown included dozens of malicious applications, including: Pancake Swap (co.median.android.pkmxaj) Suiet Wallet (co.median.android.ljqjry) Hyperliquid (co.median.android.jroylx) Raydium (co.median.android.yakmje) BullX Crypto (co.median.android.ozjwka) OpenOcean Exchange (co.median.android.ozjjkx) Meteora Exchange (co.median.android.kbxqaj) SushiSwap (co.median.android.pkezyz) In addition, two apps used different naming conventions but shared the same malicious intent: Raydium (cryptoknowledge.rays) and PancakeSwap (com.cryptoknowledge.quizzz), both linking to the same phishing privacy policy hosted via TermsFeed. A Coordinated Crypto Phishing Operation This is not just a scattered attempt by low-level scammers. The infrastructure behind these apps, with more than 50 associated phishing domains, indicates a well-orchestrated phishing operation targeting the growing base of cryptocurrency users. By impersonating legitimate apps on a trusted platform like the Play Store, these attackers were able to breach users' trust and evade conventional security measures. If a user falls for this type of crypto phishing attack and submits their mnemonic phrase, attackers can immediately gain access to their crypto wallet and transfer funds, often irreversibly. Unlike traditional bank transactions, crypto transfers typically offer no recourse for recovery once completed. Conclusion To stay protected against these types of crypto phishing attacks, users are strongly advised to follow essential security practices: download apps only from verified developers, avoid any that request sensitive details such as mnemonic phrases, and carefully review app ratings and authenticity, especially for recently released apps. Enabling Google Play Protect, using trusted antivirus software, activating multi-factor authentication, and utilizing biometric security features where possible can provide additional layers of defense. Users should also avoid clicking on suspicious links received via SMS or email.
Analysis Summary
# Incident Report: Widespread Crypto Phishing Campaign via Google Play Store
## Executive Summary
A well-orchestrated phishing campaign involved the distribution of over 20 malicious cryptocurrency wallet applications disguised as legitimate tools and listed on the Google Play Store. The attackers utilized social engineering tactics, impersonating trusted platforms to trick users into surrendering their sensitive mnemonic phrases, leading to irreversible loss of cryptocurrency funds. The primary response involved security advisories and user education on best practices to avoid downloading fraudulent applications.
## Incident Details
- **Discovery Date:** Prior to June 9, 2025 (Implied, as apps were found and reported)
- **Incident Date:** Ongoing campaign leading up to the report date.
- **Affected Organization:** Cryptocurrency users who downloaded and installed the malicious apps.
- **Sector:** Cryptocurrency/Finance Technology
- **Geography:** Global (Targeting Google Play Store users)
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified, campaign was active.
- **Vector:** Distribution of malicious applications via the official Google Play Store.
- **Details:** Attackers published over 20 malicious apps impersonating legitimate wallet services, using similar naming conventions (e.g., Raydium, PancakeSwap variants) to gain user trust.
### Lateral Movement
- Not applicable to traditional endpoint compromise; the attack focused on direct collection of sensitive information from the end-user via the fraudulent application interface.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Cryptocurrency wallet mnemonic phrases (seed phrases) submitted by victims. This grants attackers full, irreversible control over victim crypto assets.
### Detection & Response
- **How it was discovered:** Reported by security researchers (implied by CRIL warning).
- **Response actions taken:** Public advisories issued detailing the threat, emphasizing security practices, and warning users against submitting mnemonic phrases.
## Attack Methodology
- **Initial Access:** Uploading malicious applications to the Google Play Store, leveraging platform trust.
- **Persistence:** Modifying app functionality to mimic real wallets while incorporating phishing mechanisms.
- **Privilege Escalation:** Not applicable (social engineering targeting user input, not system escalation).
- **Defense Evasion:** Exploiting the trust inherent in the official Play Store ecosystem to bypass common external security checks.
- **Credential Access:** Direct acquisition of cryptocurrency wallet mnemonic phrases entered by the user into the fake app.
- **Discovery:** Not explicitly stated, likely involved monitoring the crypto landscape or external threat intelligence.
- **Lateral Movement:** Not applicable.
- **Collection:** Harvesting mnemonic phrases entered by victims.
- **Exfiltration:** Data (mnemonic phrases) transmitted to attacker-controlled infrastructure, indicated by over 50 associated phishing domains.
- **Impact:** Irreversible theft of cryptocurrency funds.
## Impact Assessment
- **Financial:** Significant, potentially millions of dollars lost across victims due to irreversible crypto theft.
- **Data Breach:** Sensitive recovery information (mnemonic phrases) exposed.
- **Operational:** Disruption primarily centered on individual user security and trust in mobile application stores.
- **Reputational:** Damage to trust in certain legitimate wallet providers whose names were impersonated.
## Indicators of Compromise
- **Network indicators (Defanged):** Over 50 associated phishing domains impersonating wallet services (specific domains not listed).
- **File indicators:** Malicious applications discovered on the Google Play Store (e.g., apps named similarly to Raydium/PancakeSwap).
- **Behavioral indicators:** Apps requesting sensitive wallet recovery data, specifically mnemonic phrases, via an input field.
## Response Actions
- **Containment measures:** User awareness campaigns emphasizing the danger. (Specific Play Store removal actions are implied but not detailed).
- **Eradication steps:** Advising users to revoke access or migrate funds from any compromised wallets.
- **Recovery actions:** None explicitly stated for victims, as crypto theft is typically irreversible; focus was on future prevention.
## Lessons Learned
- **Key takeaways:** Malicious actors are actively leveraging highly trusted platforms (Google Play Store) to deploy sophisticated phishing operations targeting high-value assets like cryptocurrency.
- **What could have been done better:** Enhanced scrutiny of cryptocurrency-related apps, especially new/unverified developers asking for sensitive wallet recovery information.
## Recommendations
- Only download cryptocurrency applications from verified developers with high ratings and long operational history.
- Never input a cryptocurrency wallet's mnemonic phrase (seed phrase) into any application form or website unless absolutely critical and confirmed via multiple trusted channels.
- Enable and leverage Google Play Protect, use reputable antivirus software, and activate Multi-Factor Authentication (MFA) on associated accounts where possible.
- Users should avoid clicking suspicious links related to crypto, even if they appear to originate from seemingly legitimate sources.