Over 20 Malicious Apps on Google Play Target Cryptocurrency Users


    Over 20 malicious apps were found on Google Play, targeting cryptocurrency users by stealing wallet credentials. These apps impersonated legitimate services like SushiSwap and PancakeSwap, using compromised developer accounts. They employed phishing tactics, prompting users to enter sensitive information. Despite Google removing most apps, experts advise caution, urging users to enable multi-factor authentication and perform security scans.


    In a recently uncovered phishing campaign, more than 20 malicious applications were found on the Google Play Store, built specifically to harvest cryptocurrency wallet credentials from unsuspecting users. The campaign, identified by Cyble Research and Intelligence Labs (CRIL), impersonates major cryptocurrency platforms such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium, and poses a direct financial risk to anyone who enters a recovery phrase into one of the apps.

    Exploiting compromised developer accounts

    The threat actors behind this campaign distributed their apps through compromised developer accounts. These accounts had previously published legitimate applications such as games, video downloaders, and live-streaming tools, and were hijacked and repurposed for the fraud. Some of the hijacked accounts had accumulated more than 100,000 downloads through their earlier, legitimate apps, so the fraudulent apps appeared to come from an established publisher, which made the malicious intent harder for users to spot.

    These fraudulent apps impersonated legitimate cryptocurrency wallets and exchanges, using familiar icons and branding, which increased their credibility and made it even more challenging for users to spot the deception. The malicious apps were distributed under various developer accounts with different package names, following the pattern co.median.android.[random string], such as co.median.android.pkmxaj for a fake PancakeSwap app and co.median.android.ljqjry for a counterfeit Suiet Wallet.

    Phishing techniques used in the attack

    The cybercriminals behind this operation used two main build methods. The first relied on the Median framework, a commercial web-to-app service that wraps a website in a native Android shell, which let them turn a phishing website into an installable app with little effort. These apps carry a configuration file that points the embedded WebView at the phishing site, so the user sees a wallet-style interface that asks for their 12-word mnemonic phrase. The malicious apps loaded URLs such as hxxps://pancakefentfloyd[.]cz/api.php to present these fraudulent wallet screens.

    The second method skipped the Median framework altogether and simply loaded the phishing website directly into a WebView component. For instance, a fraudulent application mimicking the Raydium wallet used URLs such as hxxps://piwalletblog[.]blog to deceive users. In both cases the goal was the same: to capture mnemonic phrases and private keys, which the attackers could then import into their own wallet software and use to drain the victim's funds.

    Centralised infrastructure and coordinated attack

    A further investigation into the infrastructure behind this attack revealed a highly organised network of phishing domains. A single IP address, 94.156.177[.]209, was found to host over 50 different phishing domains that were part of this broader attack. These fraudulent domains, including pancakefentfloyd[.]cz, suietsiz[.]cz, hyperliqw[.]sbs, raydifloyd[.]cz, and bullxni[.]sbs, were all connected to the same network, demonstrating a well-coordinated effort to target cryptocurrency users.

    Hosting so many domains on one server made the campaign cheap to run and quick to scale, and also meant that once a single domain was identified, investigators could pivot from the shared IP address to the rest of the set. Spreading the apps across multiple developer accounts and multiple domains served a different purpose: the takedown of any one app or domain did not stop the campaign, and no single package name or URL could be used to block all of it.
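    The indicators quoted in the preceding sections (the co.median.android.* package pattern, the WebView URLs, the shared IP address and the phishing domains) are enough to write a small triage script. The following is an added example, not CRIL's tooling or anything from the original report: it takes a constructed inventory of apps (package name, the URLs their WebView loads, and any visible page text), matches each against the published indicators, and adds a behavioural check for seed-phrase prompts. The inventory, the resolver table and the field names (`package`, `webview_urls`, `page_text`) are assumptions made for the example; in practice the package list would come from a device or APK scan and the resolver table from real DNS lookups.

```python
import re
from urllib.parse import urlsplit

# Indicators reported by CRIL and quoted in the article above.
IOC_IP = "94.156.177.209"
IOC_DOMAINS = {
    "pancakefentfloyd.cz", "suietsiz.cz", "hyperliqw.sbs",
    "raydifloyd.cz", "bullxni.sbs", "piwalletblog.blog",
}
# Package-name pattern the campaign used. Median-built apps share this prefix,
# so a match is a triage signal to review, not a verdict on its own.
MEDIAN_PKG = re.compile(r"^co\.median\.android\.[a-z0-9]+$")
# Behavioural signal: a web page inside the app asking for a recovery phrase.
SEED_PROMPT = re.compile(r"(12|24)[- ]word|mnemonic|seed phrase|recovery phrase", re.I)


def refang(indicator):
    """Turn 'hxxps://evil[.]cz' back into a parseable URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def defang(indicator):
    """Make a URL or host safe to paste into a report."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def domain_of(url):
    host = urlsplit(refang(url)).hostname or ""
    return host.lower().rstrip(".")


def assess_app(app, dns):
    """Return a list of findings for one app.

    app: dict with 'package', optional 'webview_urls' (list) and 'page_text'.
    dns: hostname -> IP mapping standing in for live DNS resolution.
    """
    findings = []
    if MEDIAN_PKG.match(app["package"]):
        findings.append(f"package {app['package']} matches co.median.android.* pattern")
    for url in app.get("webview_urls", []):
        host = domain_of(url)
        if not host:
            continue
        if host in IOC_DOMAINS:
            findings.append(f"{defang(host)} is a known phishing domain")
        if dns.get(host) == IOC_IP:
            findings.append(f"{defang(host)} resolves to {defang(IOC_IP)}")
    if SEED_PROMPT.search(app.get("page_text", "")):
        findings.append("WebView content asks for a seed/recovery phrase")
    return findings


def triage(apps, dns):
    """Map package name -> findings for a whole inventory."""
    return {app["package"]: assess_app(app, dns) for app in apps}


# Constructed sample inventory modelled on the indicators above (not real scan data).
SAMPLE_APPS = [
    {"package": "co.median.android.pkmxaj",
     "webview_urls": ["hxxps://pancakefentfloyd[.]cz/api.php"],
     "page_text": "Connect wallet: enter your 12-word recovery phrase"},
    {"package": "co.median.android.ljqjry",
     "webview_urls": ["hxxps://suietsiz[.]cz/"]},
    {"package": "com.example.raydiumclone",
     "webview_urls": ["hxxps://piwalletblog[.]blog"]},
    {"package": "com.example.newsreader",
     "webview_urls": ["https://news.example.org/"],
     "page_text": "Top stories"},
]
# Constructed resolver table (assumption: what a DNS lookup would have returned).
SAMPLE_DNS = {
    "pancakefentfloyd.cz": IOC_IP,
    "suietsiz.cz": IOC_IP,
    "piwalletblog.blog": "203.0.113.7",
    "news.example.org": "198.51.100.9",
}

if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE_APPS, SAMPLE_DNS).items():
        print(pkg, "->", hits or ["no indicators"])
```

    The package-name check is deliberately kept separate from the URL checks: a legitimate Median-built app will trigger it too, so it only raises the priority of an app whose WebView target or page content also matches. Defanging the output keeps the report safe to share without creating clickable links to live phishing sites.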

    Financial risks and security recommendations

    The financial impact of this campaign is significant, because a successful attack results in losses the victim cannot recover. Unlike a bank transfer, a cryptocurrency transaction cannot be reversed or charged back: once a mnemonic phrase has been entered into one of these phishing forms, the attacker holds the keys to the wallet and can empty it at will, and there is no intermediary who can return the funds.

    Upon discovering the malicious applications, CRIL promptly reported them to Google, leading to the removal of most of the fraudulent apps from the Google Play Store. However, some malicious apps remained active at the time of the report.

    To protect themselves from similar attacks, security experts recommend that users exercise extreme caution when downloading apps, even from official platforms like the Google Play Store. Users should download apps only from verified developers and carefully examine app reviews before installation. A legitimate wallet app asks for a recovery phrase only when restoring a wallet inside the app itself; it never needs the phrase typed into a web page loaded within the app, and any app that does so should be uninstalled. Anyone who has already entered a phrase into one of these apps should treat that wallet as compromised and move its funds to a newly generated wallet immediately.

    Moreover, users should ensure that Google Play Protect is enabled on their Android devices, use multi-factor authentication wherever possible, and make use of reputable antivirus software. Enabling biometric security features, such as fingerprint or facial recognition, adds a layer of protection for the device and for accounts on it; note, however, that neither MFA nor biometrics can protect a wallet whose recovery phrase has already been handed to an attacker, since the phrase alone is sufficient to control the funds.

    Expert opinions on the issue

    Jamie Akhtar, CEO and Co-founder at CyberSmart, commented on the discovery of these malicious apps:

    “The discovery of malicious apps on Google Play once again underscores the challenges tech platforms face in curating vast digital marketplaces. Despite Google’s continuous security enhancements and app vetting processes, cybercriminals remain adept at bypassing safeguards by disguising harmful code within seemingly benign applications.”

    He continued by stressing the importance of user vigilance: “For users, this serves as a critical reminder to exercise caution when downloading new apps, even those hosted on official app stores. Prior to installation, review app permissions carefully, check developer credentials, and be wary of applications requesting access to sensitive functions that aren’t essential to their stated purpose.”

    Akhtar also advised users who may have downloaded any of the flagged apps to uninstall them immediately and perform a security scan on their devices. “It’s also wise to change your passwords, particularly for any accounts accessed via the device, and enable two-factor authentication where possible.”

    Additionally, he recommended that users stay alert to any signs of suspicious activity, such as unusual battery drain or unexpected data usage, which could indicate a compromised device.

    Javvad Malik, Lead Security Awareness Advocate at KnowBe4, also weighed in on the incident:

    “The recent phishing operation targeting cryptocurrency users through compromised Google Play Store accounts highlights the evolving tactics of cybercriminals and highlights the importance of user vigilance and the limitations of relying solely on platform security measures.”

    Malik explained that the attackers’ ability to exploit previously legitimate apps underscores the need for continuous assurance of even seemingly trustworthy sources.

    “For cryptocurrency users, it’s a reminder of the irreversible nature of transactions and the heightened risks in this sector. It reinforces the necessity of thorough verification processes before engaging with any financial applications, regardless of their apparent legitimacy.”

    He concluded by emphasising the shared responsibility in cybersecurity: “Ultimately, this case exemplifies how cybersecurity remains a shared responsibility between technology providers and end-users, with informed vigilance being a crucial defence against increasingly sophisticated threats.”