Warning: 20 Crypto-Phishing Apps Discovered on Google Play Store—Take Action Now!

A group of cybersecurity experts has identified 20 applications on the Google Play Store that were aimed at users of cryptocurrency wallets. A report from a cybersecurity research team revealed that these crypto-phishing tools impersonated legitimate wallets including Hyperliquid, PancakeSwap, and Raydium. According to the report, the malicious actors used phishing methods and compromised developer accounts, prompting users to enter their 12-word mnemonic phrases on a bogus web wallet interface and thereby gaining access to their actual wallets.

Crypto-Phishing Applications on Google Play Store

Researchers from Cyble Research and Intelligence Labs (CRIL) have found over 20 cryptocurrency phishing apps hosted on the Google Play Store. These applications apparently shared similar package names and descriptions with legitimate crypto wallet applications but were released under different, often compromised developer accounts. Additionally, the report notes that some of these apps were distributed under repurposed developer accounts that were originally used to distribute gaming, live streaming, and video download applications.

The harmful apps identified on the Play Store also included Command and Control (C&C) URLs within their privacy policies to seem legitimate. It was reported that malicious actors utilized the Median framework to convert web pages into Android applications.

After a victim installs and launches the app, a URL mimicking the privacy policy redirects them, inside a WebView, to a phishing website crafted specifically to capture 12-word mnemonic phrases. This allows the threat actors to access the victim's crypto wallet, potentially draining all funds.

The report indicates that these applications were connected to a network of more than 50 phishing domains. Cybersecurity experts listed the following apps along with their respective package names and privacy policy URLs discovered on the Google Play Store:

| Name | Package Name | Privacy Policy |
| --- | --- | --- |
| Pancake Swap | co.median.android.pkmxaj | hxxps://pancakedentfloyd.cz/privatepolicy.html |
| Suiet Wallet | co.median.android.ljqjry | hxxps://suietsiz.cz/privatepolicy.html |
| Hyperliquid | co.median.android.jroylx | hxxps://hyperliqw.sbs/privatepolicy.html |
| Raydium | co.median.android.yakmje | hxxps://raydifloyd.cz/privatepolicy.html |
| Hyperliquid | co.median.android.aaxbjp | hxxps://hyperliqw.sbs/privatepolicy.html |
| Bulix Crypto | co.median.android.ozjwka | hxxps://bullxni.sbs/privatepolicy.html |
| OpenOcean Exchange | co.median.android.ozjljk | hxxps://openoceansi.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.mpeaaw | hxxps://suietsiz.cz/privatepolicy.html |
| Meteora Exchange | co.median.android.kbxqaj | hxxps://meteoraflordoverdose.sbs/privatepolicy.html |
| Raydium | co.median.android.epwzyq | hxxps://raydifloyd.cz/privatepolicy.html |
| SushiSwap | co.median.android.pkezyz | hxxps://sushijames.sbs/privatepolicy.html |
| Raydium | co.median.android.pkzyjr | hxxps://raydifloyd.cz/privatepolicy.html |
| SushiSwap | co.median.android.briljb | hxxps://sushijames.sbs/privatepolicy.html |
| Hyperliquid | co.median.android.djerqq | hxxps://hyperliqw.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.epeall | hxxps://suietwz.sbs/privatepolicy.html |
| Bulix Crypto | co.median.android.braqdy | hxxps://bullxni.sbs/privatepolicy.html |
| Harvest Finance blog | co.median.android.ljmeob | hxxps://harvestfin.sbs/privatepolicy.html |
| Pancake Swap | co.median.android.djrdyk | hxxps://pancakedentfloyd.cz/privatepolicy.html |
| Hyperliquid | co.median.android.epbdbn | hxxps://hyperliqw.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.noxmdz | hxxps://suietwz.sbs/privatepolicy.html |

"These applications have been progressively uncovered in recent weeks, indicating a sustained and active campaign," the researchers commented. They swiftly reported the findings to Google, resulting in the removal of these apps from the Play Store. Users are urged to take immediate measures to uninstall these apps from their devices and secure their cryptocurrency wallets.
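One way to act on the uninstall advice is to check a device's installed packages against the reported package names. The sketch below is an added example, not code from the report or from CRIL. The function names are hypothetical, the `pm list packages` sample is constructed, and the rows in `REPORTED` are copied from the list above.

```python
import re
from urllib.parse import urlsplit

# Rows copied verbatim from the report's list (defanged URLs kept as-is).
REPORTED = """\
Pancake Swap co.median.android.pkmxaj hxxps://pancakedentfloyd.cz/privatepolicy.html
Suiet Wallet co.median.android.ljqjry hxxps://suietsiz.cz/privatepolicy.html
Hyperliquid co.median.android.jroylx hxxps://hyperliqw.sbs/privatepolicy.html
Raydium co.median.android.yakmje hxxps://raydifloyd.cz/privatepolicy.html
Hyperliquid co.median.android.aaxbjp hxxps://hyperliqw.sbs/privatepolicy.html
"""

ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pkg>co\.median\.android\.\w+)\s+(?P<url>hxxps?://\S+)$")

def parse_iocs(text):
    """Return {package: (app_name, policy_host)}; URLs are refanged in memory only, never fetched."""
    iocs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            host = urlsplit(m["url"].replace("hxxp", "http", 1)).hostname
            iocs[m["pkg"]] = (m["name"], host)
    return iocs

def triage(pm_output, iocs):
    """Split `adb shell pm list packages` output into reported and review-worthy packages."""
    known, review = [], []
    for line in pm_output.splitlines():
        pkg = line.strip().removeprefix("package:")
        if pkg in iocs:
            known.append((pkg, *iocs[pkg]))
        elif pkg.startswith("co.median.android."):
            # The framework is a general web-to-app tool: the prefix means "review", not "malicious".
            review.append(pkg)
    return known, review

def blocklist_hosts(iocs):
    """Distinct policy/phishing hosts, suitable for a DNS or proxy blocklist."""
    return sorted({host for _, host in iocs.values()})

# Constructed sample of `adb shell pm list packages` output (not from the report).
SAMPLE_PM = """\
package:com.android.chrome
package:co.median.android.jroylx
package:co.median.android.zzzzzz
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PM, parse_iocs(REPORTED)))
```

A match in the first list is a reported package and should be uninstalled; anything in the second list only shares the framework prefix and needs a manual look at its publisher and privacy policy host.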
