- Fake wallet applications ask for the user's 12-word phrase and silently drain their crypto funds
- CRIL found more than 20 Play Store applications built solely to steal users' crypto
- The malicious applications used WebView to spoof the real login pages of PancakeSwap and others
A new investigation by Cyble Research and Intelligence Labs (CRIL) has uncovered a large-scale phishing campaign involving more than 20 Android applications on the Google Play Store.
These applications, which appeared to be legitimate cryptocurrency wallet tools, were created for a single purpose: stealing users' mnemonic phrases, the critical 12-word keys that grant full access to crypto wallets.
Once compromised, victims risk losing their entire cryptocurrency holdings with no possibility of recovery.
How the applications work and what makes them dangerous
Many of the malicious applications were built with the Median framework, which allows websites to be rapidly converted into Android applications.
Using this method, the threat actors embedded the phishing URL directly in the application code or in the privacy policy documents.
These links then loaded deceptive login pages through a WebView, tricking users into entering their mnemonic phrases in the false belief that they were interacting with trusted wallet services such as PancakeSwap, SushiSwap, Raydium and Hyperliquid.
For example, a fraudulent PancakeSwap application used the URL hxxps://pancakefentfloyd[.]cz/API.php, which led to a phishing page imitating the legitimate PancakeSwap interface.
Similarly, a fake Raydium application redirected users to hxxps://piwalletblog[.]blog to carry out a similar scam.
Despite the differences in branding, these applications shared a common goal: extracting users' private access keys.
CRIL's analysis revealed that the phishing infrastructure supporting these applications was extensive. The IP address 94.156.177[.]209, used to host these malicious pages, was linked to more than 50 phishing domains.
These domains imitate popular crypto platforms and are reused across multiple applications, indicating a centralized, well-resourced operation.
Some of the malicious applications were even published from developer accounts previously associated with legitimate software, such as games or streaming applications, further lowering users' suspicion.
This tactic complicates detection, since even advanced mobile security tools can struggle to identify threats hidden behind familiar brands or developer profiles.
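As an added triage example (written for this page, not code from the CRIL report), the following Python script groups Play Store listings by the domain that hosts their privacy policy and flags domains reused across several Median-wrapped packages, the clone pattern the analysis describes above. The sample entries are copied from the article's list; the allowlist of generic policy generators is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Hosts of generic privacy-policy generators; sharing one of these is not a signal.
# Assumption: termsfeed.com is a legitimate generator used by the two non-Median apps.
GENERIC_POLICY_HOSTS = {"termsfeed.com"}

# Sample listings copied from the article's list; URLs are kept defanged.
LISTINGS = [
    ("PancakeSwap", "co.median.android.pkmxaj", "hxxps://pancakefentfloyd[.]cz/privatepolicy.html"),
    ("Suiet Wallet", "co.median.android.ljqjry", "hxxps://suietsiz[.]cz/privatepolicy.html"),
    ("Hyperliquid", "co.median.android.jroylx", "hxxps://hyperliqw[.]sbs/privatepolicy.html"),
    ("Hyperliquid", "co.median.android.axblp", "hxxps://hyperliqw[.]sbs/privatepolicy.html"),
    ("PancakeSwap", "co.median.android.djrdyk", "hxxps://pancakefentfloyd[.]cz/privatepolicy.html"),
    ("Harvest Finance Blog", "co.median.android.ljmeob", "hxxps://harvestfin[.]sbs/privatepolicy.html"),
    ("Raydium", "cryptoknowledge.rays", "hxxps://www.termsfeed[.]com/live/A4ec5c75-145c-47b3-8b10-d43164f83bfC"),
    ("PancakeSwap", "com.cryptoknowledge.quizzz", "hxxps://www.termsfeed[.]com/live/A4ec5c75-145c-47b3-8b10-d43164f83bfC"),
]

def refang(url: str) -> str:
    """Turn the defanged hxxps://a[.]b form back into a parseable URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")

def registrable_domain(url: str) -> str:
    """Last two host labels (enough for .cz/.sbs/.com; no public-suffix list used here)."""
    host = (urlparse(refang(url)).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def is_median_wrapper(package: str) -> bool:
    """Median website-to-app builds keep the default co.median.android.* package prefix."""
    return package.lower().startswith("co.median.android.")

def shared_policy_domains(listings, min_packages=2):
    """Map domain -> packages for domains whose privacy policy backs several listings.

    Generic policy generators are skipped, and a domain is flagged only if at least
    one of its apps is a Median wrapper, which is how the article describes the clones.
    """
    by_domain = defaultdict(list)
    for _name, package, url in listings:
        by_domain[registrable_domain(url)].append(package)
    flagged = {}
    for domain, packages in by_domain.items():
        if domain in GENERIC_POLICY_HOSTS or len(packages) < min_packages:
            continue
        if any(is_median_wrapper(p) for p in packages):
            flagged[domain] = sorted(packages)
    return flagged

if __name__ == "__main__":
    for domain, packages in shared_policy_domains(LISTINGS).items():
        print(f"{domain}: {', '.join(packages)}")
```

A single-package domain such as suietsiz[.]cz is not flagged by this check alone; the shared-domain signal is a pivot for clustering clones, not a substitute for verifying the developer and the policy host.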
To protect against such attacks, CRIL advises users to download applications only from verified developers and to avoid any that request sensitive information.
Using Android antivirus or endpoint protection software, together with ensuring that Google Play Protect is enabled, adds an important, though not infallible, layer of defense.
Strong, unique passwords and multi-factor authentication should be standard practice, and biometric security features should be enabled where available.
Users should also avoid clicking suspicious links received via SMS or email, and never enter sensitive information into mobile applications unless their legitimacy is certain.
Ultimately, no legitimate application should ever request a complete mnemonic phrase through a login prompt. If that happens, it is probably already too late.
Complete list of the 22 fake applications to avoid
- 1. PancakeSwap
  Package: co.median.android.pkmxaj
  Privacy policy: hxxps://pancakefentfloyd[.]cz/privatepolicy.html
- 2. Suiet Wallet
  Package: co.median.android.ljqjry
  Privacy policy: hxxps://suietsiz[.]cz/privatepolicy.html
- 3. Hyperliquid
  Package: co.median.android.jroylx
  Privacy policy: hxxps://hyperliqw[.]sbs/privatepolicy.html
- 4. Raydium
  Package: co.median.android.yakmje
  Privacy policy: hxxps://raydifloyd[.]cz/privatepolicy.html
- 5. Hyperliquid
  Package: co.median.android.axblp
  Privacy policy: hxxps://hyperliqw[.]sbs/privatepolicy.html
- 6. Crypto BullX
  Package: co.median.android.ozjwka
  Privacy policy: hxxps://bullxni[.]sbs/privatepolicy.html
- 7. OpenOcean Exchange
  Package: co.median.android.ozjjkx
  Privacy policy: hxxps://opeceosi[.]sbs/privatepolicy.html
- 8. Suiet Wallet
  Package: co.median.android.mpeaaw
  Privacy policy: hxxps://suietsiz[.]cz/privatepolicy.html
- 9. Meteora Exchange
  Package: co.median.android.kbxqaj
  Privacy policy: hxxps://meteorafloydoverdose[.]sbs/privatepolicy.html
- 10. Raydium
  Package: co.median.android.epwzyq
  Privacy policy: hxxps://raydifloyd[.]cz/privatepolicy.html
- 11. SushiSwap
  Package: co.median.android.pkezyz
  Privacy policy: hxxps://sushijames[.]sbs/privatepolicy.html
- 12. Raydium
  Package: co.median.android.pkzylr
  Privacy policy: hxxps://raydifloyd[.]cz/privatepolicy.html
- 13. SushiSwap
  Package: co.median.android.brlljb
  Privacy policy: hxxps://sushijames[.]sbs/privatepolicy.html
- 14. Hyperliquid
  Package: co.median.android.djerqq
  Privacy policy: hxxps://hyperliqw[.]sbs/privatepolicy.html
- 15. Suiet Wallet
  Package: co.median.android.epeall
  Privacy policy: hxxps://suietwz[.]sbs/privatepolicy.html
- 16. Crypto BullX
  Package: co.median.android.braqdy
  Privacy policy: hxxps://bullxni[.]sbs/privatepolicy.html
- 17. Harvest Finance Blog
  Package: co.median.android.ljmeob
  Privacy policy: hxxps://harvestfin[.]sbs/privatepolicy.html
- 18. PancakeSwap
  Package: co.median.android.djrdyk
  Privacy policy: hxxps://pancakefentfloyd[.]cz/privatepolicy.html
- 19. Hyperliquid
  Package: co.median.android.epbdbn
  Privacy policy: hxxps://hyperliqw[.]sbs/privatepolicy.html
- 20. Suiet Wallet
  Package: co.median.android.noxmdz
  Privacy policy: hxxps://suietwz[.]sbs/privatepolicy.html
- 21. Raydium
  Package: cryptoknowledge.rays
  Privacy policy: hxxps://www.termsfeed[.]com/live/A4ec5c75-145c-47b3-8b10-d43164f83bfC
- 22. PancakeSwap
  Package: com.cryptoknowledge.quizzz
  Privacy policy: hxxps://www.termsfeed[.]com/live/A4ec5c75-145c-47b3-8b10-d43164f83bfC