- Fraudulent wallet applications solicit your 12-word recovery phrase and discreetly deplete your crypto assets.
- CRIL identified over 20 apps on the Play Store built specifically to steal users' wallet recovery (mnemonic) phrases.
- Malicious applications utilized WebView to replicate authentic login pages from popular platforms like PancakeSwap.
Recent findings from Cyble Research and Intelligence Labs (CRIL) have revealed a widespread phishing scheme involving more than 20 Android applications available on the Google Play Store.
These applications, masquerading as legitimate cryptocurrency wallets, were designed to steal users' mnemonic phrases: the 12-word (BIP-39 style) seed phrases from which a wallet's private keys are derived. Anyone holding the phrase can import it into any wallet software and sign transactions as the owner, so there is no password reset or account lockout to fall back on; once the phrase is disclosed, the funds can be drained with no means of recovery.
Mechanisms of the Malicious Apps and Their Dangers
A significant number of these deceptive apps were developed using the Median framework, a web-to-app wrapper that turns a website into an Android application in minutes. The resulting "app" is little more than a WebView pointed at attacker-controlled content, which let the perpetrators embed phishing links directly in the app's code or in the privacy policy document each listing is required to provide.
These links sent users through the WebView to look-alike login pages, tricking them into entering their mnemonic phrases in the belief that they were interacting with trusted services such as PancakeSwap and SushiSwap. For instance, a counterfeit PancakeSwap app loaded hxxps://pancakefentfloyd[.]cz/api.php, which served a phishing page mimicking the real PancakeSwap interface.
The same tactic was observed in a fraudulent Raydium application that redirected users to hxxps://piwalletblog[.]blog. Whatever the branding, the goal of every app was identical: capture the seed phrase, and with it the private keys.
CRIL's investigation showed that the phishing infrastructure behind these apps was extensive. The IP address 94.156.177[.]209 hosted over 50 additional phishing domains impersonating popular cryptocurrency platforms, and the same domains were reused across several of the applications, which makes the IP a useful pivot for finding related apps that are not yet on any list. Some of the malicious apps were published under developer accounts that had previously shipped legitimate software, such as gaming or streaming apps, giving them a history that made them look less suspicious to users.
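The infrastructure pivot described above is easy to automate. The following script is an added example, not CRIL's tooling: it takes a defanged indicator list (the package prefix, phishing hosts and pivot IP quoted in this article), refangs it, and triages an app inventory by checking each app's privacy-policy host against the known hosts and against the IPs those hosts resolve to. The DNS answers and the app inventory are constructed sample data so the script runs offline; the article does not say which domains actually sit on 94.156.177[.]209, so the resolutions below (and the `orcawalletsync.example` package) are assumptions for the demo.

```python
"""Triage helper for the Median-wrapped wallet phishing campaign.

Added example, not CRIL's code. Indicators (package prefix, hosts, pivot IP)
are taken from the article; DNS_ANSWERS and APP_INVENTORY are CONSTRUCTED
so the script runs offline. A real hunt would feed it Play Store metadata
or an MDM export plus live resolver output.
"""
import re
from urllib.parse import urlparse

MEDIAN_PREFIX = "co.median.android."
PIVOT_IP = "94.156.177.209"  # written 94.156.177[.]209 in the report

# Defanged indicators quoted in the article.
KNOWN_PHISHING_URLS = [
    "hxxps://pancakefentfloyd[.]cz/api.php",
    "hxxps://piwalletblog[.]blog",
    "hxxps://suietsiz[.]cz/privatepolicy.html",
    "hxxps://raydifloyd[.]cz/privatepolicy.html",
    "hxxps://sushijames[.]sbs/privatepolicy.html",
]


def refang(indicator: str) -> str:
    """Turn a defanged IoC (hxxps://, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", "."), flags=re.I)


def defang(host: str) -> str:
    """Bracket the last dot (page style: pancakefentfloyd[.]cz) for reports."""
    head, _, tail = host.rpartition(".")
    return f"{head}[.]{tail}" if head else host


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL that may be defanged or not."""
    return (urlparse(refang(url)).hostname or "").lower()


KNOWN_PHISHING_HOSTS = {host_of(u) for u in KNOWN_PHISHING_URLS}

# CONSTRUCTED resolver output. Which hosts really resolve to the pivot IP is
# an assumption for the demo; 203.0.113.0/24 is RFC 5737 documentation space.
DNS_ANSWERS = {
    "pancakefentfloyd.cz": PIVOT_IP,
    "suietsiz.cz": PIVOT_IP,
    "orcawalletsync.example": PIVOT_IP,  # hypothetical, not on the published list
    "docs.example.org": "203.0.113.10",
}

# CONSTRUCTED inventory shaped like a Play Store scrape / MDM export.
APP_INVENTORY = [
    {"package": "co.median.android.pkmxaj", "label": "Pancake Swap",
     "privacy_policy": "hxxps://pancakefentfloyd[.]cz/privatepolicy.html"},
    {"package": "co.median.android.qqqzzz", "label": "Orca Wallet",  # hypothetical
     "privacy_policy": "https://orcawalletsync.example/privacy.html"},
    {"package": "co.median.android.abcdef", "label": "City Guide",  # hypothetical
     "privacy_policy": "https://docs.example.org/privacy"},
    {"package": "com.example.legitwallet", "label": "Legit Wallet",  # hypothetical
     "privacy_policy": "https://docs.example.org/privacy"},
]


def ips_of_known_infra(dns, known_hosts):
    """IPs that any known phishing host resolves to (the pivot set)."""
    return {dns[h] for h in known_hosts if h in dns}


def assess(app, dns=DNS_ANSWERS, known_hosts=KNOWN_PHISHING_HOSTS):
    """Indicators the app trips, strongest first.

    A Median package prefix alone is weak evidence: Median is a legitimate
    wrapper used by many harmless apps. It only matters together with a
    policy host that is known-bad or shares hosting with known-bad hosts.
    """
    host = host_of(app["privacy_policy"])
    hits = []
    if host in known_hosts:
        hits.append("known-phishing-host")
    elif dns.get(host) in ips_of_known_infra(dns, known_hosts):
        hits.append("shares-ip-with-known-phishing-infra")
    if app["package"].startswith(MEDIAN_PREFIX):
        hits.append("median-wrapper")
    return hits


def triage(inventory, dns=DNS_ANSWERS, known_hosts=KNOWN_PHISHING_HOSTS):
    """Map package -> (verdict, hits). A host hit makes it 'suspect'; wrapper alone is 'review'."""
    verdicts = {}
    for app in inventory:
        hits = assess(app, dns, known_hosts)
        if any(h.startswith(("known", "shares")) for h in hits):
            verdicts[app["package"]] = ("suspect", hits)
        elif hits:
            verdicts[app["package"]] = ("review", hits)
        else:
            verdicts[app["package"]] = ("clear", hits)
    return verdicts


def pivot_domains(dns, ip=PIVOT_IP):
    """Every host in the resolver data that points at the pivot IP, defanged."""
    return sorted(defang(h) for h, a in dns.items() if a == ip)


if __name__ == "__main__":
    for pkg, (verdict, hits) in triage(APP_INVENTORY).items():
        print(f"{verdict:8s} {pkg:30s} {', '.join(hits) or '-'}")
    print("hosts on " + defang(PIVOT_IP) + ": " + ", ".join(pivot_domains(DNS_ANSWERS)))
```

The ordering of checks matters: the host-based indicators decide the verdict, and the `co.median.android.` prefix is only reported alongside them, so a harmless Median-built city guide is queued for review rather than blocked. Replace `DNS_ANSWERS` with real resolver output (or passive DNS) and the "shares IP" rule is what surfaces the apps that are not yet on the published list.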
Safety Recommendations Against These Threats
To guard against these attacks, CRIL urges users to install applications only from verified developers and to be wary of any app that asks for sensitive information. A reputable Android antivirus or endpoint protection product, together with Google Play Protect, is a valuable though not foolproof layer of defense. Strong, unique passwords and multi-factor authentication remain important for exchange and custodial accounts, but note that neither protects a self-custody wallet: a seed phrase imported into any wallet software gives full control without ever touching the app, its password, or its MFA. Users should also avoid clicking links received by SMS or email and never enter sensitive information into a mobile app until its authenticity has been verified, for example by checking the developer name and package against the wallet vendor's own website.
In summary, no legitimate app asks for a complete mnemonic phrase at a login prompt; genuine wallets request it only when you deliberately restore or import a wallet, never on a web page loaded inside the app. If an app asks anyway, the app itself is the attack, and any phrase already entered should be treated as compromised and its funds moved to a freshly generated wallet.
Comprehensive List of the 22 Fraudulent Applications
- 1. Pancake Swap – Package: co.median.android.pkmxaj – Privacy Policy: hxxps://pancakefentfloyd[.]cz/privatepolicy.html
- 2. Suiet Wallet – Package: co.median.android.ljqjry – Privacy Policy: hxxps://suietsiz[.]cz/privatepolicy.html
- 3. Hyperliquid – Package: co.median.android.jroylx – Privacy Policy: hxxps://hyperliqw[.]sbs/privatepolicy.html
- 4. Raydium – Package: co.median.android.yakmje – Privacy Policy: hxxps://raydifloyd[.]cz/privatepolicy.html
- 5. BullX Crypto – Package: co.median.android.ozjwka – Privacy Policy: hxxps://bullxni[.]sbs/privatepolicy.html
- 6. OpenOcean Exchange – Package: co.median.android.ozjjkx – Privacy Policy: hxxps://openoceansi[.]sbs/privatepolicy.html
- 7. Meteora Exchange – Package: co.median.android.kbxqaj – Privacy Policy: hxxps://meteorafloydoverdose[.]sbs/privatepolicy.html
- 8. SushiSwap – Package: co.median.android.pkezyz – Privacy Policy: hxxps://sushijames[.]sbs/privatepolicy.html
- 9. Harvest Finance blog – Package: co.median.android.ljmeob – Privacy Policy: hxxps://harvestfin[.]sbs/privatepolicy.html
- 10. Pancake Swap – Package: co.median.android.djrdyk – Privacy Policy: hxxps://pancakefentfloyd[.]cz/privatepolicy.html