Over 20 Malicious Google Play Apps Steal Users’ Login Credentials

A major security alert has been issued for Android users after cybersecurity researchers uncovered more than 20 malicious applications on the Google Play Store designed to steal users’ login credentials, specifically targeting cryptocurrency wallet holders.

The campaign, identified by Cyble Research and Intelligence Labs (CRIL), reveals a sophisticated phishing operation that has already compromised the safety of countless users worldwide.

How the Scam Works

The malicious apps impersonate popular crypto wallets such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium, among others.

Disguised as legitimate wallet tools, these apps prompt users to enter their sensitive 12-word mnemonic or recovery phrases—the critical keys granting access to their crypto funds.

Legitimate wallet icons used by malicious apps

Once entered, these credentials are transmitted to attackers, who can then drain the victims’ wallets, resulting in irreversible financial losses.

Researchers found that threat actors distributed these apps through compromised or repurposed developer accounts.

Many of these accounts previously hosted genuine apps—including games, video downloaders, and live streaming tools—with some having over 100,000 downloads.

Developer account previously hosting gaming apps and now distributing a malicious phishing app

This tactic allowed the attackers to bypass initial scrutiny and gain users’ trust by leveraging the credibility of established developer profiles.

A common technique employed by the attackers is the use of the Median framework, which enables rapid conversion of phishing websites into Android applications.

These apps embed phishing URLs directly in their code or in their privacy policies and load fake wallet interfaces through WebView, Android's embedded browser component. Victims are then lured into entering their wallet credentials on these convincing but fraudulent pages.

Further investigation revealed that the infrastructure supporting this campaign is extensive: a single IP address was found hosting over 50 phishing domains, all designed to impersonate well-known crypto services.

This points to a well-coordinated and centralized operation, making detection and takedown more challenging for security teams.
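The two indicators described above, brand-named hosts referenced from a repackaged WebView app and many such hosts resolving to one server, can be turned into a static triage check. The following is an added example, not code from the article or from CRIL's research; the official-host allowlist and the sample strings and DNS mapping are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed allowlist of each brand's official hosts; maintain it against the projects'
# own sites, it is not taken from the article.
OFFICIAL_HOSTS = {"sushiswap": {"sushi.com"}, "pancakeswap": {"pancakeswap.finance"},
                  "hyperliquid": {"hyperliquid.xyz"}, "raydium": {"raydium.io"}}
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

def extract_urls(blob):
    """Pull http(s) URLs out of raw strings dumped from an APK (dex, resources, assets)."""
    return sorted(set(URL_RE.findall(blob)))

def is_official(host, brand):
    """True when host is one of the brand's official domains or a subdomain of one."""
    return any(host == o or host.endswith("." + o) for o in OFFICIAL_HOSTS[brand])

def classify_host(host):
    """(brand, 'official' | 'suspected-phish') for hosts naming a wallet brand, else None."""
    for brand in OFFICIAL_HOSTS:
        if brand in host.lower():
            return brand, "official" if is_official(host, brand) else "suspected-phish"
    return None

def triage(blob, resolve):
    """Flag brand-impersonating hosts and cluster them by the IP `resolve(host)` returns.
    `resolve` is injected (e.g. a passive-DNS export) so the triage runs offline."""
    flagged, by_ip = {}, defaultdict(set)
    for url in extract_urls(blob):
        host = urlparse(url).hostname or ""
        result = classify_host(host)
        if result and result[1] == "suspected-phish":
            flagged[host] = result[0]
            by_ip[resolve(host)].add(host)
    return flagged, dict(by_ip)

# Constructed sample: strings a pipeline might dump from a repackaged WebView app, including
# the page it loads, a privacy-policy link and one genuine reference to an official site.
SAMPLE_STRINGS = """
loadUrl https://sushiswap-connect.example/wallet/import
policy https://pancakeswap-app.example/privacy
https://raydium-io.example/recover
docs https://pancakeswap.finance/
"""
# Constructed host -> IP mapping standing in for DNS; all three fakes share one server.
SAMPLE_DNS = {"sushiswap-connect.example": "203.0.113.7", "pancakeswap-app.example": "203.0.113.7",
              "raydium-io.example": "203.0.113.7", "pancakeswap.finance": "198.51.100.1"}
```

Calling `triage(SAMPLE_STRINGS, SAMPLE_DNS.get)` flags the three lookalike hosts and groups them under the single shared IP, while the genuine official site passes; a real pipeline would feed it strings from the unpacked APK and a passive-DNS resolver.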

Upon notification, Google removed most of the identified malicious apps from the Play Store. However, a handful remained available as of this report, pending further action.

Users who have installed any of the affected apps are urged to delete them immediately and take steps to secure their wallets, such as changing any credentials that can be changed and transferring funds to a secure new wallet.

Protecting Yourself

Experts recommend the following steps to stay safe:

  • Download apps only from verified developers and check reviews carefully.
  • Never enter your 12-word mnemonic or recovery phrase into any app unless you are certain of its legitimacy.
  • Use reputable antivirus and security software on all devices.
  • Enable multi-factor authentication and biometric security where possible.
  • Be cautious with links received via SMS or email, and ensure Google Play Protect is active on your device.

As the popularity of cryptocurrencies continues to grow, so too does the sophistication of attacks targeting digital assets. Vigilance and adherence to best security practices remain the strongest defense against these evolving threats.
