Cyble Research and Intelligence Labs (CRIL) has recently uncovered a malicious crypto phishing campaign where more than 20 malicious applications on the Google Play Store were designed to target crypto wallet users with phishing schemes. These deceptive apps impersonate well-known wallet platforms and lure users into revealing their sensitive mnemonic phrases, effectively handing over control of their digital assets. 

According to CRIL’s report, the phishing apps impersonated popular crypto wallet interfaces such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium.

These applications often featured polished user interfaces that closely resembled the real platforms. Once users launched the fake apps, they were prompted to enter their 12-word mnemonic phrase, a critical piece of information used to access genuine crypto wallets. 

These malicious apps were not distributed via obscure channels. Instead, they were made available directly through the Play Store, lending them an appearance of legitimacy.

CRIL found that the threat actors exploited compromised or repurposed developer accounts, some of which had previously published legitimate apps with over 100,000 downloads. 

One common thread among these phishing apps was the embedding of malicious URLs within their privacy policies. Many used similar package names and descriptions, indicating a coordinated effort by a single or related group of attackers. These tactics helped disguise the true intent of the apps and evade automated detection systems.

The apps were created using frameworks like Median, which allows for the quick transformation of websites into Android applications. In many cases, phishing websites were loaded into the apps via WebView components. For instance, one of the URLs used was hxxps://pancakefentfloyd.cz/api.php, which mimicked PancakeSwap and prompted users to input their mnemonic phrases. 

Further technical analysis revealed that the IP address hosting one of the phishing domains (94.156.177.209) was linked to over 50 other phishing domains, showing just how vast and organized this campaign is. 

CRIL’s detailed breakdown included dozens of malicious applications, including: 

In addition, two apps used different naming conventions but shared the same malicious intent: Raydium (cryptoknowledge.rays) and PancakeSwap (com.cryptoknowledge.quizzz), both linking to the same phishing privacy policy hosted via TermsFeed. 

This is not just a scattered attempt by low-level scammers. The infrastructure behind these apps, with more than 50 associated phishing domains, indicates a well-orchestrated phishing operation targeting the growing base of cryptocurrency users. By impersonating legitimate apps on a trusted platform like the Play Store, these attackers were able to breach users’ trust and evade conventional security measures. 

If a user falls for this type of crypto phishing attack and submits their mnemonic phrase, attackers can immediately gain access to their crypto wallet and transfer funds, often irreversibly. Unlike traditional bank transactions, crypto transfers typically offer no recourse for recovery once completed. 

To stay protected against these types of crypto phishing attacks, users are strongly advised to follow essential security practices: download apps only from verified developers, avoid any that request sensitive details such as mnemonic phrases, and carefully review app ratings and authenticity, especially for recently released apps. Enabling Google Play Protect, using trusted antivirus software, activating multi-factor authentication, and utilizing biometric security features where possible can provide additional layers of defense. Users should also avoid clicking on suspicious links received via SMS or email. 

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.