- Fake wallet apps ask for your 12-word phrase and quietly drain your crypto funds
- CRIL found over 20 Play Store apps built solely to steal users’ crypto credentials
- Malicious apps used WebView to fake real login pages from PancakeSwap and others
New research by Cyble Research and Intelligence Labs (CRIL) has uncovered a large-scale phishing campaign involving more than 20 Android applications listed on the Google Play Store.
These apps, which appeared to be legitimate cryptocurrency wallet tools, were created with a singular purpose: stealing users’ mnemonic phrases, the crucial 12-word keys that provide full access to crypto wallets.
Once compromised, victims risk losing their entire cryptocurrency holdings, with no possibility of recovery.
How the apps work and what makes them dangerous
Many of the malicious apps were built using the Median framework, which enables the rapid conversion of websites into Android applications.
Using this method, threat actors embedded phishing URLs directly into the app code or within privacy policy documents.
These links would then load deceptive login pages via a WebView, tricking users into entering their mnemonic phrases under the false belief they were interacting with trusted wallet services such as PancakeSwap, SushiSwap, Raydium, and Hyperliquid.
For example, a fraudulent PancakeSwap app used the URL hxxps://pancakefentfloyd[.]cz/api.php, which led to a phishing page mimicking the legitimate PancakeSwap interface.
Likewise, a fake Raydium app redirected users to hxxps://piwalletblog[.]blog to carry out a similar scam.
Despite variations in branding, these apps shared a common objective: extracting users’ private access keys.
CRIL’s analysis revealed that the phishing infrastructure supporting these apps was extensive. The IP address 94.156.177[.]209, used to host these malicious pages, was linked to over 50 other phishing domains.
These domains imitate popular crypto platforms and are reused across multiple apps, indicating a centralized and well-resourced operation.
Some malicious apps were even published under developer accounts previously associated with legitimate software, such as gaming or streaming applications, further lowering user suspicion.
This tactic complicates detection, as even advanced mobile security tools may struggle to identify threats hidden behind familiar branding or developer profiles.
To protect against such attacks, CRIL advises users to download apps only from verified developers and avoid any that request sensitive information.
Using reputable Android antivirus or endpoint protection software, along with ensuring that Google Play Protect is enabled, adds an important, though not infallible, layer of defense.
Strong, unique passwords and multi-factor authentication should be standard practice, and biometric security features should be enabled when available.
Users should also avoid clicking on suspicious links received via SMS or email, and never enter sensitive information into mobile apps unless their legitimacy is certain.
Ultimately, no legitimate app should ever request a full mnemonic phrase through a login prompt. If that happens, it’s likely already too late.
Full list of the 22 fake apps to avoid
- 1. Pancake Swap
Package: co.median.android.pkmxaj
Privacy Policy: hxxps://pancakefentfloyd.cz/privatepolicy.html - 2. Suiet Wallet
Package: co.median.android.ljqjry
Privacy Policy: hxxps://suietsiz.cz/privatepolicy.html - 3. Hyperliquid
Package: co.median.android.jroylx
Privacy Policy: hxxps://hyperliqw.sbs/privatepolicy.html - 4. Raydium
Package: co.median.android.yakmje
Privacy Policy: hxxps://raydifloyd.cz/privatepolicy.html - 5. Hyperliquid
Package: co.median.android.aaxblp
Privacy Policy: hxxps://hyperliqw.sbs/privatepolicy.html - 6. BullX Crypto
Package: co.median.android.ozjwka
Privacy Policy: hxxps://bullxni.sbs/privatepolicy.html - 7. OpenOcean Exchange
Package: co.median.android.ozjjkx
Privacy Policy: hxxps://openoceansi.sbs/privatepolicy.html - 8. Suiet Wallet
Package: co.median.android.mpeaaw
Privacy Policy: hxxps://suietsiz.cz/privatepolicy.html - 9. Meteora Exchange
Package: co.median.android.kbxqaj
Privacy Policy: hxxps://meteorafloydoverdose.sbs/privatepolicy.html - 10. Raydium
Package: co.median.android.epwzyq
Privacy Policy: hxxps://raydifloyd.cz/privatepolicy.html - 11. SushiSwap
Package: co.median.android.pkezyz
Privacy Policy: hxxps://sushijames.sbs/privatepolicy.html - 12. Raydium
Package: co.median.android.pkzylr
Privacy Policy: hxxps://raydifloyd.cz/privatepolicy.html - 13. SushiSwap
Package: co.median.android.brlljb
Privacy Policy: hxxps://sushijames.sbs/privatepolicy.html - 14. Hyperliquid
Package: co.median.android.djerqq
Privacy Policy: hxxps://hyperliqw.sbs/privatepolicy.html - 15. Suiet Wallet
Package: co.median.android.epeall
Privacy Policy: hxxps://suietwz.sbs/privatepolicy.html - 16. BullX Crypto
Package: co.median.android.braqdy
Privacy Policy: hxxps://bullxni.sbs/privatepolicy.html - 17. Harvest Finance blog
Package: co.median.android.ljmeob
Privacy Policy: hxxps://harvestfin.sbs/privatepolicy.html - 18. Pancake Swap
Package: co.median.android.djrdyk
Privacy Policy: hxxps://pancakefentfloyd.cz/privatepolicy.html - 19. Hyperliquid
Package: co.median.android.epbdbn
Privacy Policy: hxxps://hyperliqw.sbs/privatepolicy.html - 20. Suiet Wallet
Package: co.median.android.noxmdz
Privacy Policy: hxxps://suietwz.sbs/privatepolicy.html - 21. Raydium
Package: cryptoknowledge.rays
Privacy Policy: hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc - 22. PancakeSwap
Package: com.cryptoknowledge.quizzz
Privacy Policy: hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc