Over 20 Fake Wallet Apps Harvest Sensitive Recovery Phrases, Leave Victims Vulnerable to Crypto Theft

An abstract representation of online security threats, highlighting the risks associated with fake wallet apps.

A recent investigation by threat intelligence firm Cyble has uncovered a widespread campaign targeting cryptocurrency users through the Google Play Store with over 20 malicious Android applications. These apps, disguised as trusted crypto wallets like SushiSwap, PancakeSwap, Hyperliquid, and Raydium, have been found harvesting users’ 12-word mnemonic phrases, the keys that unlock their crypto funds.

The apps mimic legitimate wallet interfaces, luring users into entering sensitive recovery phrases under the guise of wallet access. Once entered, the attackers can access the real wallets and empty them. While Google has removed many of these fake apps following Cyble’s report, a handful remain live on the store and have been flagged for removal.

According to Cyble’s report, the fraudulent apps carry names and icons of well-known crypto platforms and appear under developer accounts that previously hosted genuine apps, including games, video downloaders, and streaming tools. These accounts, some with more than 100,000 downloads, appear to have been hijacked and repurposed to distribute the malicious apps.

The apps use a development tool known as the “Median framework” to quickly turn phishing websites into Android apps. Each app loads its phishing page directly inside a WebView (an embedded browser window), which asks users for their mnemonic phrase under the guise of wallet access. The campaign is not only widespread in scale but also coordinated in its infrastructure.

Cyble’s researchers noticed a pattern in how these fake apps operate. Many of them include links in their privacy policies that actually lead to phishing websites designed to steal users’ wallet recovery phrases. The apps also tend to follow similar naming styles, which points to the use of automated tools to quickly create and publish them.

Some of the fake domains linked to these apps impersonate various wallet providers and serve pages meant to trick users into handing over their seed phrases. For example, one domain, “sushiswap.io,” was found to be linked to over 50 similar domains, all part of the same broader effort to compromise wallet security.

Despite efforts to remove the apps, the campaign is ongoing, with a few remaining active on the Play Store. The quick replication of these apps using off-the-shelf frameworks suggests the attackers could easily spin up more fake apps if not quickly blocked. This poses a serious risk, as there is no safety net for crypto theft. Once a wallet is drained, the funds are nearly impossible to recover.

Cyble has shared detailed indicators of compromise (IOCs) including app names, package identifiers, and phishing domains, which security professionals can use to block or investigate further. Users are urged to watch out for red flags like low review counts, recently republished apps, or links to strange domains in privacy policies to protect themselves from these cybersecurity threats.

Protecting Yourself from Crypto Scams

To avoid falling victim to these scams, users should be cautious when downloading apps from the Google Play Store. Here are some steps you can take to protect yourself:

Be wary of apps with low review counts or recently republished apps.

Check the app’s developer account and look for any suspicious activity.

Be cautious of links to strange domains in the app’s privacy policy.

Never enter sensitive recovery phrases or seed phrases into an app unless you are absolutely sure it is legitimate.

By being vigilant and taking these precautions, you can protect yourself from these malicious apps and keep your cryptocurrency safe.
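The red flags listed above can be checked mechanically before an app is allowed onto managed devices. The following is an added example, not code from the article or from Cyble: it scores a Play Store listing against those red flags and flags privacy-policy links whose domain imitates a wallet brand without being its official domain. The listing schema, the review-count threshold and the brand-to-official-domain table are assumptions made for illustration; verify the official domains against each project before relying on them.

```python
from typing import Optional
from urllib.parse import urlparse

# Assumed official domains for the brands named in the report; verify before use.
OFFICIAL_DOMAINS = {
    "sushiswap": {"sushi.com"},
    "pancakeswap": {"pancakeswap.finance"},
    "hyperliquid": {"hyperliquid.xyz"},
    "raydium": {"raydium.io"},
}
LOW_REVIEW_THRESHOLD = 50  # constructed threshold; tune to your own baseline


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the sample data; real tooling
    should use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_lookalike(url: str) -> Optional[str]:
    """Return the brand a URL's hostname imitates when its domain is not that
    brand's official domain, else None."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    squashed = host.lower().replace("-", "").replace(".", "")
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand in squashed and domain not in official:
            return brand
    return None


def triage_listing(listing: dict) -> list:
    """Collect the article's red flags for one listing (constructed schema)."""
    flags = []
    brand = brand_lookalike(listing["privacy_policy_url"])
    if brand:
        flags.append(f"privacy policy points to {brand} lookalike domain")
    if listing["review_count"] < LOW_REVIEW_THRESHOLD:
        flags.append("low review count")
    if listing["wallet_branded"] and listing["developer_prior_category"] != "finance":
        flags.append("wallet app under a developer that previously shipped "
                     f"{listing['developer_prior_category']} apps")
    return flags


# Constructed sample listings modelled on the patterns described above.
SAMPLE_LISTINGS = [
    {"app": "SushiSwap Wallet", "wallet_branded": True, "review_count": 3,
     "developer_prior_category": "games",
     "privacy_policy_url": "https://sushiswap.io/privacy"},
    {"app": "Raydium", "wallet_branded": True, "review_count": 12000,
     "developer_prior_category": "finance",
     "privacy_policy_url": "https://raydium.io/privacy"},
]
```

Running `triage_listing` over `SAMPLE_LISTINGS` flags the first listing on all three counts and the second on none.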
