20+ Malicious Apps on Google Play Actively Attacking Users to Steal Login Credentials
Security researchers have uncovered a sophisticated phishing operation involving more than 20 malicious applications distributed through the Google Play Store, built specifically to steal cryptocurrency wallet credentials from unsuspecting users.
The discovery, made by Cyble Research and Intelligence Labs (CRIL), reveals a coordinated campaign targeting popular cryptocurrency platforms including SushiSwap, PancakeSwap, Hyperliquid, and Raydium.
Exploiting Compromised Developer Accounts
The malicious applications impersonate legitimate cryptocurrency wallets and exchanges, utilizing compromised developer accounts that previously hosted legitimate gaming, video downloader, and live streaming applications.
Some of these accounts had accumulated over 100,000 downloads before being repurposed for malicious activities, lending credibility to the fraudulent apps and making detection more challenging for users.
The threat actors employed consistent techniques across their campaign, including embedding Command and Control (C&C) URLs within privacy policies and using similar package naming patterns.
Despite these similarities, the applications were distributed under different developer accounts to avoid detection.
The malicious apps utilized package names following the pattern co.median.android.[random string], such as co.median.android.pkmxaj for a fake PancakeSwap application and co.median.android.ljqjry for a counterfeit Suiet Wallet.
Analysis revealed two primary attack methodologies employed by the cybercriminals. The first type leveraged the Median framework to rapidly convert phishing websites into Android applications, with configuration files containing URLs like hxxps://pancakefentfloyd[.]cz/api.php.
These URLs load phishing interfaces within WebView components, prompting users to enter their 12-word mnemonic phrases to access fraudulent wallet interfaces.
The second approach involved directly loading phishing websites into WebView without using development frameworks, with malware opening URLs such as hxxps://piwalletblog[.]blog to impersonate legitimate services like Raydium wallet.
Investigation into the infrastructure revealed that a single IP address (94.156.177[.]209) hosts over 50 phishing domains connected to this broader campaign.
The threat actors created an extensive network of fraudulent domains, including pancakefentfloyd[.]cz, suietsiz[.]cz, hyperliqw[.]sbs, raydifloyd[.]cz, and bullxni[.]sbs, among others.
This centralized infrastructure indicates a well-coordinated operation designed to maximize reach while minimizing detection likelihood.
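The indicators above (the co.median.android.[random] naming pattern, the defanged phishing domains and the shared hosting IP) are enough to build a simple inventory triage. The script below is an added example, not CRIL's tooling or anything from the report: it refangs the published indicators, matches installed package names against the naming pattern, and checks each app's observed endpoints against the domain and IP list. The six-letter suffix in the regex is an assumption drawn from the two sample package names in the article, and the app inventory is constructed sample data. The package-name match is deliberately treated as a weak signal, because Median is a legitimate app builder and many benign apps share that prefix; only a hit on a known phishing host or the C&C IP yields a block verdict.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Indicators quoted in the article (kept defanged as published).
DEFANGED_DOMAINS = [
    "pancakefentfloyd[.]cz",
    "suietsiz[.]cz",
    "hyperliqw[.]sbs",
    "raydifloyd[.]cz",
    "bullxni[.]sbs",
    "piwalletblog[.]blog",
]
DEFANGED_IP = "94.156.177[.]209"

# Assumption: the random part is six lowercase letters, as in pkmxaj / ljqjry.
MEDIAN_PACKAGE_RE = re.compile(r"^co\.median\.android\.[a-z]{6}$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxps://x[.]cz') back into a matchable form."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(DEFANGED_IP)}


@dataclass
class AppRecord:
    package: str
    # Hosts or URLs the app was observed contacting or had in its config.
    endpoints: list = field(default_factory=list)


def host_of(endpoint: str) -> str:
    """Extract the lowercase hostname from a URL or bare host string."""
    parts = urlsplit(endpoint if "://" in endpoint else "//" + endpoint)
    return (parts.hostname or "").lower()


def triage(app: AppRecord) -> dict:
    """Classify one app as block / review / clear from strong and weak signals."""
    strong, weak = [], []
    if MEDIAN_PACKAGE_RE.match(app.package):
        weak.append("median-style package name")  # weak: Median builds benign apps too
    for ep in app.endpoints:
        host = host_of(ep)
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            strong.append(f"known phishing domain: {host}")
        elif host in IOC_IPS:
            strong.append(f"known C&C IP: {host}")
    verdict = "block" if strong else ("review" if weak else "clear")
    return {"package": app.package, "verdict": verdict,
            "strong": strong, "weak": weak}


def triage_inventory(apps: list) -> list:
    """Run triage over a whole inventory and return one result per app."""
    return [triage(a) for a in apps]


# Constructed sample inventory: one article IoC hit, one pattern-only hit,
# one non-Median app talking to the shared hosting IP, and one clean app.
SAMPLE_INVENTORY = [
    AppRecord("co.median.android.pkmxaj", ["hxxps://pancakefentfloyd[.]cz/api.php"]),
    AppRecord("co.median.android.abcdef", ["https://example.com/"]),
    AppRecord("com.example.notes", ["https://94.156.177.209/"]),
    AppRecord("com.example.clean", ["https://example.org/"]),
]

if __name__ == "__main__":
    for result in triage_inventory([AppRecord(a.package, [refang(e) for e in a.endpoints])
                                    for a in SAMPLE_INVENTORY]):
        print(result["verdict"].upper(), result["package"], result["strong"] or result["weak"])
```

Endpoints are refanged before triage so the indicator list can be pasted straight from a report; in a real deployment the endpoint list would come from a network-capture or app-config extraction step, and the "review" bucket is where a human looks at the WebView target URL before deciding.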
High Financial Impact
The campaign poses severe financial risks to cryptocurrency users: a successful attack results in losses that are effectively permanent, because cryptocurrency transactions cannot be reversed the way traditional banking transactions can.
Upon discovery, CRIL promptly reported the applications to Google, resulting in the removal of most malicious apps from the Play Store, though some remained active at the time of the report.
Security experts recommend downloading apps exclusively from verified developers and carefully checking app reviews while avoiding applications requesting sensitive information such as mnemonic phrases.
Users should enable Google Play Protect on Android devices and implement multi-factor authentication wherever possible. Additional protective measures include using reputable antivirus software and enabling biometric security features like fingerprint or facial recognition.