- Fake wallet apps ask for your 12-word phrase and slowly drain your crypto funds
- CRIL found over 20 Play Store apps built exclusively to steal users' crypto login information
- Malicious apps used WebView to fake real login pages from PancakeSwap and others
New research from Cyble Research and Intelligence Labs (CRIL) has revealed a large-scale phishing campaign involving more than 20 Android applications listed in the Google Play Store.
These apps, which appeared to be legitimate cryptocurrency wallet tools, were created for a single purpose: to steal users' mnemonic phrases, the crucial 12-word keys that provide full access to crypto wallets.
Once compromised, the victims risk losing their entire cryptocurrency holdings without the possibility of recovery.
How apps work and what makes them dangerous
Many of the malicious apps were built using the Median framework, which enables quick conversion of websites into Android applications.
Using this method, threat actors embedded phishing URLs directly in the app code or within privacy policy documents.
These links would then load deceptive login pages via a WebView and trick users into entering their mnemonic phrases under the false belief that they were interacting with trusted wallet services such as PancakeSwap, SushiSwap, Raydium and Hyperliquid.
For example, a fraudulent PancakeSwap app used the URL hxxps://pancakefentfloyd[.]cz/api.php, which led to a phishing page mimicking the legitimate PancakeSwap interface.
Likewise, a fake Raydium app redirected users to hxxps://piwalletblog[.]blog to carry out a similar scam.
Despite variations in branding, these apps shared a common goal: extracting users’ private access keys.
CRIL's analysis revealed that the phishing infrastructure supporting these apps was extensive. The IP address 94.156.177[.]209, used to host these malicious pages, was linked to over 50 other phishing domains.
These domains mimic popular crypto platforms and are reused across multiple apps, indicating a centralized and well-resourced operation.
Some malicious apps were even published under developer accounts previously associated with legitimate software, such as gaming or streaming applications, which further lowers the user’s suspicion.
This tactic complicates detection, as even advanced mobile security tools can struggle to identify threats hidden behind well-known branding or developer profiles.
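The traits described above (a site-wrapper package namespace, a wallet-brand label and phishing hosts reused across listings) can be combined into a triage pass over an app inventory. The following Python is an added example, not CRIL's tooling; the inventory rows, the `.example` hosts and the function names are constructed for illustration, and a match means "review manually", not a verdict, since legitimate apps are also built with the same wrapper.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Brands the article names as impersonated; namespace as seen in its package list.
BRANDS = ("pancakeswap", "sushiswap", "raydium", "hyperliquid")
WRAPPER_PREFIX = "co.median.android."  # compared case-insensitively

# Constructed inventory rows (label, package, privacy-policy URL); not real listings.
SAMPLE_INVENTORY = [
    ("Raydium", "co.median.android.aaaaaa", "hxxps://policy-host[.]example/privatepolicy.html"),
    ("SushiSwap", "co.median.android.bbbbbb", "https://policy-host.example/privatepolicy.html"),
    ("Hyperliquid", "co.median.android.cccccc", "https://other-host.example/privatepolicy.html"),
    ("City Bakery", "co.median.android.dddddd", "https://bakery.example/privacy"),
    ("Notes", "org.example.notes", "https://notes.example/privacy"),
]


def policy_host(url):
    """Return the lower-cased host of a URL, accepting defanged '[.]' dots."""
    cleaned = url.strip().replace("[.]", ".")
    return (urlsplit(cleaned).hostname or "").lower()


def triage(inventory):
    """Return {package: sorted reasons} for apps that deserve manual review."""
    # Group packages by privacy-policy host to expose reused infrastructure.
    by_host = defaultdict(set)
    for _, package, url in inventory:
        by_host[policy_host(url)].add(package.lower())

    findings = {}
    for label, package, url in inventory:
        reasons = set()
        wrapped = package.lower().startswith(WRAPPER_PREFIX)
        branded = any(b in label.lower().replace(" ", "") for b in BRANDS)
        if wrapped and branded:
            reasons.add("wallet-brand label on a site-wrapper package")
        if branded and len(by_host[policy_host(url)]) > 1:
            reasons.add("privacy-policy host shared with another listing")
        if reasons:
            findings[package.lower()] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```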
To protect against such attacks, CRIL advises users to download apps only from verified developers and to avoid any that request sensitive information.
Using reputable Android antivirus or endpoint protection software, together with ensuring that Google Play Protect is enabled, adds an important, but not infallible, layer of defense.
Strong, unique passwords and multi-factor authentication should be standard practices, and biometric security features should be enabled when available.
Users should also avoid clicking on suspicious links received via SMS or email and never enter sensitive information in mobile apps unless their legitimacy is certain.
In the end, no legitimate app should ever request a full mnemonic phrase through a login prompt. If that happens, it’s probably already too late.
Full list of the 22 fake apps to avoid