Researchers discovered nearly two dozen malicious Android apps designed to steal cryptocurrency credentials and compromise wallets.
The coordinated campaign, uncovered by Cyble Research and Intelligence Labs (CRIL), is comprised of over 20 cryptocurrency phishing applications created to imitate legitimate platforms. Since CRIL reported the issue to Google, most have been removed from the Play Store with more being reported for future takedown.
“If you’ve recently downloaded any of the flagged apps, uninstall them immediately,” states Jamie Akhtar, CEO and Co-founder at CyberSmart, “and run a trusted mobile security scan. It’s also wise to change your passwords, particularly for any accounts accessed via the device, and enable two-factor authentication where possible.”
Anatomy of a Crypto Heist
Threat actors hosted these malicious applications on developer accounts that had once legitimately published apps for gaming, video downloads and livestreaming. Once compromised, these developer accounts became the vehicles for distributing fraudulent imitations of popular cryptocurrency wallets like OpenOcean Exchange, SushiSwap, Raydium, Hyperliquid, and more.
Common threads wound through the campaign’s various cryptocurrency phishing platforms, such as hiding Command and Control (C2) URLs within mandatory privacy policies and redirecting users to a screen where they would be prompted to enter their 12-word mnemonic phrase for backing up and restoring their crypto wallet.
Similar naming conventions were even used, adding unique identifiers to the end of standard strings. For example:
- Fraudulent Pancake Swap: co.median.android.pkmxaj
- Fraudulent Suiet Wallet: co.median.android.ljqjry
To avoid detection, the apps were distributed under different developer accounts. And for further obfuscation and resilience, as many as 50 phishing domains were connected to a single IP address. Once downloaded, the apps function via one of the following tactics:
- Exploiting the Median Framework | Threat actors leveraged the Median development framework to turn regular phishing websites into Android apps. These embed malicious URLs that load fake wallet interfaces via WebView.
- Direct WebView Loading | In some cases, the app bypassed the use of frameworks altogether, directly loading a malicious phishing page that looks exactly like the platform’s interface.
Facing the Fallout: The Rise of Cryptocurrency Scams
Users that downloaded the infected apps are at risk of permanent cryptocurrency loss, as blockchain transactions cannot be reversed lightly, if at all. Immutability is a core feature of blockchain technology, and it is this very permanence that ensures its safety and integrity.
According to the FBI 2023 Cryptocurrency Fraud Report, Americans lost 5.6 billion dollars in cryptocurrency fraud in 2023 alone, a 45% increase from the previous year. In 2024, 5.8 billion in losses were reported for the same reason. These cryptocurrency ploys take on many different faces:
- Fake investment platforms
- Fake wallet and exchange apps
- Pig butchering scams that build and exploit relationships
- Deepfake-driven scams
- Phishing via malicious apps
Those who believe they have been involved in a cryptocurrency scam, or any cyber-related fraudulent activity, should contact the FBI Internet Crime Complaint Center at https://www.ic3.gov.
Entering the Age of Consumer Due Diligence in DeFi
Along with deleting the compromised apps, users are encouraged to take security measures into their own hands in the future. “For users, this serves as a critical reminder to exercise caution when downloading new apps, even those hosted on official app stores,” advises Akhtar. “Prior to installation, review app permissions carefully, check developer credentials, and be wary of applications requesting access to sensitive functions that aren’t essential to their stated purpose.”
Akhtar also suggests that users add the following best practices to their security repertoire:
- Change and update passwords
- Enable two-factor authentication
- Look out for suspicious signs like battery drain, unexpected pop-ups, and data usage spikes.
And while Google offers app security through Google Play Protect, coordinated campaigns like this one demonstrate that determined cybercriminals are continuing to find ways around defenses. “[This] recent phishing operation…highlights the importance of user vigilance and the limitations of relying solely on platform security measures,” states Javvad Malik, Lead Security Awareness Advocate at Knowbe4.
And there’s a lesson for users in the DeFi app space, specifically. “For cryptocurrency users, it’s a reminder of the irreversible nature of transactions and the heightened risks in this sector,” Malik concludes. “It reinforces the necessity of thorough verification processes before engaging with any financial applications, regardless of their apparent legitimacy.”
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.