Google Play Store riddled with phishing apps that steal your cryptocurrency


At least 20 cryptocurrency phishing apps were found on the Google Play Store with the sole purpose of draining cryptocurrency wallets.

Cyble Research and Intelligence Labs (CRIL) has identified several phishing apps on the Google Play Store that pose as real wallets in order to steal cryptocurrency.

The wallets these scammers impersonate include SushiSwap, PancakeSwap, Hyperliquid, and Raydium.


“These apps have been progressively discovered over recent weeks, reflecting an ongoing and active campaign,” Cyble said.

The apps use phishing techniques to harvest mnemonic phrases: a string of random words that serves as a backup for recovering a cryptocurrency wallet if the user's private key is lost or stolen, and that therefore grants full control of the wallet to anyone who obtains it.


After finding the apps, the research team reported them to Google, which took most of them down.

The researchers observed that these malicious applications “exhibit consistent patterns, such as embedding Command and Control (C&C) URLs within their privacy policies and using similar package names and descriptions.”

However, the apps were published under different developer accounts, and these accounts were initially used to distribute legitimate apps, Cyble said.

“In addition to the 20 applications that shared similar privacy policies and leveraged the Median framework, we also identified two applications that used different package names and privacy policies.”


Threat actors have been observed leveraging the Median framework to develop Android apps.

Researchers gave the example of one URL leading to a phishing website designed to steal mnemonic phrases.

The site poses as a legitimate cryptocurrency wallet, urging users to enter their 12-word mnemonic phrase in order to access their wallet.

Researchers also examined the URL embedded in the fake PancakeSwap app: it is hosted on an IP address linked to 50 other phishing domains.


These domains are all “connected to a broader campaign aimed at stealing mnemonic phrases from users of various cryptocurrency wallets.”

All of these domains are built to steal cryptocurrency, and the various malicious apps share the same infrastructure behind them.
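The two indicators Cyble describes above, C&C URLs embedded in privacy policies and many apps from different developer accounts sharing one hosting IP, lend themselves to a simple triage check. The following is an added example written for this article, not Cyble's or Google's tooling; the package names, developer accounts, policy texts and IP addresses are constructed, and the resolved IP is supplied as a field rather than looked up over the network so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample records (hypothetical package names, developer accounts,
# privacy-policy text and the IP the policy URL resolves to). These are not
# the real indicators from Cyble's report.
SAMPLE_APPS = [
    {"package": "com.example.pancake.wallet", "developer": "dev-a",
     "policy": "Read our policy at https://pancake-policy.example/privacy. Contact support.",
     "host_ip": "198.51.100.7"},
    {"package": "com.example.sushi.wallet", "developer": "dev-b",
     "policy": "Privacy: https://sushi-policy.example/terms",
     "host_ip": "198.51.100.7"},
    {"package": "com.example.raydium.wallet", "developer": "dev-c",
     "policy": "See https://raydium-policy.example/privacy",
     "host_ip": "198.51.100.7"},
    {"package": "com.example.notes", "developer": "dev-d",
     "policy": "Policy hosted at https://notes-app.example/privacy",
     "host_ip": "203.0.113.20"},
]

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def extract_urls(policy_text):
    """Return the URLs embedded in a privacy-policy text, trailing punctuation stripped."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(policy_text)]

def cluster_by_host(apps):
    """Group app records by the IP their policy URL resolves to."""
    clusters = defaultdict(list)
    for app in apps:
        clusters[app["host_ip"]].append(app)
    return clusters

def flag_shared_infrastructure(apps, min_apps=2):
    """Flag host IPs that serve policy URLs for several apps published under
    different developer accounts, the pattern described in the article.
    Returns {ip: {"packages": [...], "developers": [...], "urls": [...]}}."""
    flagged = {}
    for ip, members in cluster_by_host(apps).items():
        developers = sorted({m["developer"] for m in members})
        if len(members) >= min_apps and len(developers) > 1:
            flagged[ip] = {
                "packages": sorted(m["package"] for m in members),
                "developers": developers,
                "urls": sorted(u for m in members for u in extract_urls(m["policy"])),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in flag_shared_infrastructure(SAMPLE_APPS).items():
        print(ip, info)
```

A single app on a shared host is not suspicious on its own; the signal is several unrelated-looking developer accounts whose policy links all land on the same infrastructure.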

Researchers said this campaign is well coordinated, especially dangerous, and likely to go undetected by conventional security systems.

“If successful, these attacks can result in irreversible financial losses for victims, particularly since cryptocurrency transactions are not easily reversible or safeguarded like those in traditional banking,” Cyble said.
