Over 20 Crypto Phishing Applications Found on the Play Store Stealing Mnemonic Phrases
More than 20 malicious applications posing as well-known crypto wallets (such as SushiSwap and PancakeSwap) were distributed through the Google Play Store to lure users into entering their 12-word mnemonic phrase so that their funds could be stolen. The apps are spread through phishing links and look-alike package names, and are published from compromised developer accounts. Published 2025-06-06 13:01:31. Author: cyble.com

Key Takeaways

  • Over 20 malicious applications have been discovered actively targeting crypto wallet users.
  • The apps impersonate popular wallets such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium.
  • They prompt users to enter their 12-word mnemonic phrase to access fraudulent wallet interfaces.
  • These apps are distributed through the Play Store under compromised or repurposed developer accounts.
  • Threat actors employ a common set of techniques: embedding phishing URLs in privacy policies, reusing package naming patterns, and utilizing frameworks for rapid deployment.

Overview

Cyble Research and Intelligence Labs (CRIL) has identified more than 20 cryptocurrency phishing applications on the Google Play Store. These malicious apps impersonate legitimate wallets like SushiSwap, PancakeSwap, Hyperliquid, and others. They employ phishing techniques to steal users’ mnemonic phrases, which are then used to access real wallets and drain cryptocurrency funds.  

These apps have been progressively discovered over recent weeks, reflecting an ongoing and active campaign. Upon discovery, CRIL promptly reported the applications to Google, resulting in the removal of most of them from the Play Store. However, as of the time of publishing, a few of these applications are still live on the platform and have been reported for takedown.

Figure 1 – Malicious application impersonating Hyperliquid wallet
Figure 2 – Malicious application impersonating SushiSwap wallet

The legitimate wallet icons that the malicious applications reuse to win victims’ trust are shown below:

Figure 3 – Legitimate wallet icons used by malicious apps

We also observed that these malicious applications share a consistent fingerprint: the privacy policy link declared on the Play Store listing points at the attacker’s Command and Control (C&C) infrastructure (the same domain that serves the phishing page), and the apps use similar package names and descriptions. Despite these similarities, the apps are published under different developer accounts.

These accounts were originally used to distribute legitimate apps, including gaming, video downloader, and live streaming applications, and some have amassed over 100,000 downloads. This behavior suggests that these older developer accounts have likely been compromised and are now being leveraged to distribute malicious applications.

Figure 4 – Developer account previously hosting gaming apps and now distributing a malicious phishing app

The malicious applications we found on the Play Store stealing crypto wallet mnemonic phrases are listed below:

Name | Package name | Privacy Policy
Pancake Swap | co.median.android.pkmxaj | hxxps://pancakefentfloyd.cz/privatepolicy.html
Suiet Wallet | co.median.android.ljqjry | hxxps://suietsiz.cz/privatepolicy.html
Hyperliquid | co.median.android.jroylx | hxxps://hyperliqw.sbs/privatepolicy.html
Raydium | co.median.android.yakmje | hxxps://raydifloyd.cz/privatepolicy.html
Hyperliquid | co.median.android.aaxblp | hxxps://hyperliqw.sbs/privatepolicy.html
BullX Crypto | co.median.android.ozjwka | hxxps://bullxni.sbs/privatepolicy.html
OpenOcean Exchange | co.median.android.ozjjkx | hxxps://openoceansi.sbs/privatepolicy.html
Suiet Wallet | co.median.android.mpeaaw | hxxps://suietsiz.cz/privatepolicy.html
Meteora Exchange | co.median.android.kbxqaj | hxxps://meteorafloydoverdose.sbs/privatepolicy.html
Raydium | co.median.android.epwzyq | hxxps://raydifloyd.cz/privatepolicy.html
SushiSwap | co.median.android.pkezyz | hxxps://sushijames.sbs/privatepolicy.html
Raydium | co.median.android.pkzylr | hxxps://raydifloyd.cz/privatepolicy.html
SushiSwap | co.median.android.brlljb | hxxps://sushijames.sbs/privatepolicy.html
Hyperliquid | co.median.android.djerqq | hxxps://hyperliqw.sbs/privatepolicy.html
Suiet Wallet | co.median.android.epeall | hxxps://suietwz.sbs/privatepolicy.html
BullX Crypto | co.median.android.braqdy | hxxps://bullxni.sbs/privatepolicy.html
Harvest Finance blog | co.median.android.ljmeob | hxxps://harvestfin.sbs/privatepolicy.html
Pancake Swap | co.median.android.djrdyk | hxxps://pancakefentfloyd.cz/privatepolicy.html
Hyperliquid | co.median.android.epbdbn | hxxps://hyperliqw.sbs/privatepolicy.html
Suiet Wallet | co.median.android.noxmdz | hxxps://suietwz.sbs/privatepolicy.html

In addition to the 20 applications that share this privacy-policy pattern and were built with the Median framework, we identified two applications that use different package names and privacy policies. Despite these differences, their underlying objective is the same: to steal users’ mnemonic phrases.

Application name | Package name | Privacy Policy
Raydium | cryptoknowledge.rays | hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc
PancakeSwap | com.cryptoknowledge.quizzz | hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc
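The listing-level pattern described above (Median-style package names, a shared "privatepolicy.html" path, and a handful of phishing domains reused under unrelated developer accounts) is straightforward to turn into a hunting check. The script below is an added example written for this page, not Cyble's tooling. The listing records are constructed from the two tables above with invented developer names; the two-indicator threshold and the TLD list are heuristics chosen for the example, not rules stated in the report. It also shows the limitation of listing-level triage: the two Type-2 apps, whose privacy policy points at a generic policy generator, score nothing here and need inspection of the APK itself.

```python
"""Listing-level triage for the Play Store crypto-phishing pattern described above.
Added example for this page, not Cyble's tooling. Listings below are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Phishing domains taken from the report's IOC list, kept defanged as published.
IOC_DOMAINS_DEFANGED = [
    "pancakefentfloyd[.]cz", "suietsiz[.]cz", "hyperliqw[.]sbs", "raydifloyd[.]cz",
    "bullxni[.]sbs", "openoceansi[.]sbs", "meteorafloydoverdose[.]sbs", "sushijames[.]sbs",
    "suietwz[.]sbs", "harvestfin[.]sbs", "cryptoknowledge[.]click", "piwalletblog[.]blog",
]


def refang(indicator: str) -> str:
    """Undo hxxp(s):// and [.] defanging so urlparse can split the indicator."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


IOC_HOSTS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Every Type-1 sample in the table carries a Median auto-generated package name:
# co.median.android. followed by six lowercase letters.
MEDIAN_PKG_RE = re.compile(r"^co\.median\.android\.[a-z]{6}$")

# TLDs seen on the campaign's domains. A heuristic chosen for this example, not a rule.
CAMPAIGN_TLDS = {"sbs", "cz", "site", "ru", "click", "blog"}

# Brand fragments of the impersonated wallets/DEXes named in the report.
WALLET_BRANDS = ("pancake", "sushi", "hyperliquid", "raydium", "suiet",
                 "bullx", "openocean", "meteora", "harvest")


def triage(listing: dict) -> dict:
    """Return the campaign indicators one listing matches; two or more is treated as suspicious."""
    policy = urlparse(refang(listing["privacy_policy"]))
    host = policy.hostname or ""
    tld = host.rsplit(".", 1)[-1] if host else ""
    brand_named = any(b in listing["name"].lower().replace(" ", "") for b in WALLET_BRANDS)

    reasons = []
    if host in IOC_HOSTS:
        reasons.append("privacy-policy host is a known campaign domain")
    if MEDIAN_PKG_RE.match(listing["package"]):
        reasons.append("Median auto-generated package name")
    if policy.path.endswith("/privatepolicy.html"):
        reasons.append("'privatepolicy.html' path shared across the campaign")
    if brand_named and tld in CAMPAIGN_TLDS:
        reasons.append(f"wallet brand with privacy policy on .{tld}")
    return {"package": listing["package"], "host": host,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def cluster_by_host(listings: list) -> dict:
    """Group listings by privacy-policy host; one domain reused under several developer
    accounts is the infrastructure-sharing tell described in the report."""
    clusters = defaultdict(list)
    for item in listings:
        host = urlparse(refang(item["privacy_policy"])).hostname
        clusters[host].append((item["developer"], item["package"]))
    return {h: apps for h, apps in clusters.items() if len(apps) > 1}


# Constructed listings: package names and policy URLs come from the tables above,
# developer names are invented. The last two are controls: a Type-2 app using a
# generic policy generator, and a benign puzzle game.
SAMPLE_LISTINGS = [
    {"name": "Pancake Swap", "package": "co.median.android.pkmxaj", "developer": "dev-A (constructed)",
     "privacy_policy": "hxxps://pancakefentfloyd[.]cz/privatepolicy.html"},
    {"name": "Hyperliquid", "package": "co.median.android.jroylx", "developer": "dev-B (constructed)",
     "privacy_policy": "hxxps://hyperliqw[.]sbs/privatepolicy.html"},
    {"name": "Hyperliquid", "package": "co.median.android.aaxblp", "developer": "dev-C (constructed)",
     "privacy_policy": "hxxps://hyperliqw[.]sbs/privatepolicy.html"},
    {"name": "Raydium", "package": "cryptoknowledge.rays", "developer": "dev-D (constructed)",
     "privacy_policy": "hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc"},
    {"name": "Tile Puzzle", "package": "com.example.tilepuzzle", "developer": "dev-E (constructed)",
     "privacy_policy": "https://example.com/privacy"},
]

if __name__ == "__main__":
    for listing in SAMPLE_LISTINGS:
        result = triage(listing)
        print(f"{result['package']:<28} suspicious={result['suspicious']!s:<5} {'; '.join(result['reasons'])}")
    for host, apps in cluster_by_host(SAMPLE_LISTINGS).items():
        print(f"{host} reused by {len(apps)} listings under {len({d for d, _ in apps})} developer accounts")
```

A single Median-built app matching only the package-name rule is not evidence of anything; the framework is legitimate and widely used, which is why the check requires a second indicator. The Raydium control record scores zero, which is exactly the point: listing metadata alone does not catch a hand-built WebView app with a third-party privacy policy.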

The following section covers the technical details of these malicious applications.

Technical Details

Type 1: Use of the Median Framework

A Threat Actor was observed leveraging the Median framework to develop Android applications. This framework wraps an existing website in a WebView and packages it as an Android app with little or no native code. On analyzing the app’s configuration file, we found that it loads the URL “hxxps://pancakefentfloyd[.]cz/api.php”, which sits on the same domain as the privacy policy URL declared for the application on the Play Store.

Figure 5 – App config file containing a phishing URL

This URL leads to a phishing website specifically designed to steal mnemonic phrases and is loaded within a WebView in the application. In this instance, the phishing site impersonates the legitimate “PancakeSwap” wallet and prompts victims to enter their 12-word mnemonic phrase to gain access to their wallet.

Figure 6 – Pancake Swap Phishing page loaded into Webview

Type 2: Loading Phishing URL into Webview

In the second type of malicious application, the Threat Actor directly loads a phishing website into a WebView without using any development framework. The malware opens the URL “hxxps://piwalletblog[.]blog” within the WebView, impersonating the legitimate Raydium wallet. Similar to the previously observed apps, this malicious application also prompts the user to enter their 12-word mnemonic phrase.

Figure 7 – Loading phishing URL into WebView
Figure 8 – Phishing site impersonating the Raydium wallet and asking for the Mnemonic phrase
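To check an APK for both behaviours described under Type 1 and Type 2, an analyst can read the start URL from the Median configuration and, if there is none, pull URL literals out of the DEX. The code below is an added example and not Cyble's analysis tooling. It assumes that Median (formerly GoNative) apps store their configuration at assets/appConfig.json with the start page under general.initialUrl; the report only says "configuration file". The two sample APKs are constructed in-memory zips containing just the entries the checks read, modelled on the PancakeSwap and Raydium samples, not the real files whose hashes appear in the IOC section.

```python
"""Static triage of a wrapper APK for the two WebView patterns described above.
Added example for this page, not Cyble's analysis tooling.
Assumption: Median (formerly GoNative) apps ship assets/appConfig.json with the start
page under general.initialUrl; the report only says "configuration file".
The APKs below are constructed in-memory zips, not the samples in the IOC list."""
import io
import json
import re
import zipfile
from urllib.parse import urlparse

# strings(1)-style URL extraction over raw DEX bytes; no DEX parsing needed for a first pass.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def median_initial_url(apk_bytes: bytes):
    """Type 1: the page the Median wrapper loads at start, or None if the app is not Median-built."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        if "assets/appConfig.json" not in z.namelist():
            return None
        cfg = json.loads(z.read("assets/appConfig.json"))
    return cfg.get("general", {}).get("initialUrl")


def dex_url_literals(apk_bytes: bytes) -> list:
    """Type 2: URL string literals hard-coded in classes*.dex (a hand-rolled WebView.loadUrl target)."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                urls.update(m.decode("ascii", "ignore") for m in URL_RE.findall(z.read(name)))
    return sorted(urls)


def webview_targets(apk_bytes: bytes) -> list:
    """Candidate pages the app will render: the Median start URL if present, else DEX literals."""
    url = median_initial_url(apk_bytes)
    return [url] if url else dex_url_literals(apk_bytes)


def same_infrastructure(targets: list, privacy_policy_url: str) -> list:
    """Campaign tell for Type 1: the loaded page and the declared privacy policy share a host."""
    policy_host = urlparse(privacy_policy_url).hostname
    return [t for t in targets if urlparse(t).hostname == policy_host]


def build_fake_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip containing only the entries the checks read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Type-1 stand-in modelled on the PancakeSwap sample: Median config pointing at api.php.
TYPE1_APK = build_fake_apk({
    "assets/appConfig.json": json.dumps({"general": {"appName": "Pancake Swap",
                                                     "initialUrl": "https://pancakefentfloyd.cz/api.php"}}),
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
})
# Type-2 stand-in modelled on the Raydium sample: no Median config, phishing URL only as a DEX literal.
TYPE2_APK = build_fake_apk({
    "classes.dex": (b"dex\n035\x00" + b"\x00" * 8 + b"https://piwalletblog.blog\x00"
                    + b"\x00" * 8 + b"https://play.google.com/store\x00"),
})

if __name__ == "__main__":
    for label, apk, policy in (("Type 1", TYPE1_APK, "https://pancakefentfloyd.cz/privatepolicy.html"),
                               ("Type 2", TYPE2_APK, "https://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc")):
        targets = webview_targets(apk)
        print(label, "loads:", targets)
        print(label, "shares host with privacy policy:", same_infrastructure(targets, policy))
```

The host match is the giveaway for Type 1, where api.php and privatepolicy.html live on one attacker domain. For Type 2 the declared policy sits on a third-party generator, so the host comparison comes back empty and the extracted URL literals have to be checked against the IOC domain list or rendered in a sandbox instead. Real APKs can also build the URL at runtime or fetch it from a server, in which case neither static check fires and dynamic analysis is needed.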

The phishing URL “hxxps://pancakefentfloyd[.]cz”, used in one of the observed malicious applications, is hosted on the IP address 94.156.177[.]209. A deeper investigation into this infrastructure uncovered that this IP is associated with over 50 phishing domains, all connected to a broader campaign aimed at stealing mnemonic phrases from users of various cryptocurrency wallets.

Figure 9 – IP hosting multiple phishing domains

These domains impersonate well-known crypto services and are designed to be loaded directly within mobile applications using WebView, making detection more challenging. The threat actor appears to be reusing this infrastructure across multiple fake apps and wallet brands, indicating a centralized and well-coordinated operation.

Conclusion

This campaign highlights a well-coordinated phishing operation targeting the rapidly growing user base of cryptocurrency wallets. By distributing over 20 counterfeit Android applications through the Google Play Store, the threat actors impersonate legitimate wallets such as PancakeSwap, SushiSwap, Raydium, and others to steal users’ mnemonic phrases—the essential keys to accessing their digital assets.

What makes this campaign particularly dangerous is the use of seemingly legitimate applications, hosted under previously benign or compromised developer accounts, combined with a large-scale phishing infrastructure linked to over 50 domains. This not only extends the campaign’s reach but also lowers the likelihood of immediate detection by traditional defenses.

If successful, these attacks can result in irreversible financial losses for victims, particularly since cryptocurrency transactions are not easily reversible or safeguarded like those in traditional banking. As the crypto ecosystem continues to expand, users must remain vigilant, and ecosystem stakeholders—including app stores, security vendors, and developers—must take proactive measures to swiftly identify, block, and report such threats.

Our Recommendations

We have outlined essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers adhere to the best practices listed below:

  • Download apps only from verified developers, ideally by following the install link published on the wallet project’s official website, and check that the developer name and package name match. A legitimate wallet asks for a seed phrase only when you deliberately import or restore a wallet; treat any app or web page that asks for it to “log in”, “connect” or “verify” your wallet as phishing.
  • Use a reputable antivirus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.
  • Create strong passwords and implement multi-factor authentication wherever possible.
  • Where applicable, enable biometric security features, such as fingerprint or facial recognition, to unlock your mobile device.
  • Be cautious about opening links received via SMS or email on your phone.
  • Ensure that Google Play Protect is enabled on Android devices.

Indicators of Compromise (IOCs)

Indicator | Indicator Type | Description
4b35a1ed93ab68f0401de34d4eb5dbb582465ee2a8428e16d0beac8bf87a09af | SHA256 | Crypto phishing app impersonating Pancake Swap
f288c626be0ba452e098d11b207867793522373c | SHA1 | Crypto phishing app impersonating Pancake Swap
b703efe31690b6f84676e795d33f6283 | MD5 | Crypto phishing app impersonating Pancake Swap
hxxps://pancakefentfloyd[.]cz/api.php | URL | Phishing URL loaded into WebView
4aa3659c50616d21ef0bda1389cba1ad3fe768b9dd25eee09289ece97cd3623f | SHA256 | Crypto phishing app impersonating Raydium Wallet
265970e7f8f5c9618ffc215c7612eff4fe97f20a | SHA1 | Crypto phishing app impersonating Raydium Wallet
b2e6fd5f9662c4215f89240c8c960977 | MD5 | Crypto phishing app impersonating Raydium Wallet
hxxps://piwalletblog[.]blog | URL | Phishing site loaded into WebView
cryptoknowledge[.]click | Domain | Crypto phishing domain
raydi-commerce[.]cz | Domain | Crypto phishing domain
cetusdi[.]sbs | Domain | Crypto phishing domain
suiscanfl[.]sbs | Domain | Crypto phishing domain
suivisionsl[.]sbs | Domain | Crypto phishing domain
suietsiz[.]cz | Domain | Crypto phishing domain
openoceansi[.]sbs | Domain | Crypto phishing domain
bravebn[.]sbs | Domain | Crypto phishing domain
bullxni[.]sbs | Domain | Crypto phishing domain
walrusod[.]sbs | Domain | Crypto phishing domain
raydifloyd[.]cz | Domain | Crypto phishing domain
meteorafloydoverdose[.]sbs | Domain | Crypto phishing domain
bitunixflo[.]sbs | Domain | Crypto phishing domain
pancakefentfloyd[.]cz | Domain | Crypto phishing domain
suietwz[.]sbs | Domain | Crypto phishing domain
hyperliqw[.]sbs | Domain | Crypto phishing domain
pumpjake[.]sbs | Domain | Crypto phishing domain
raydiumsm[.]sbs | Domain | Crypto phishing domain
harvestfin[.]sbs | Domain | Crypto phishing domain
staratlas[.]sbs | Domain | Crypto phishing domain
bubblemapsblogs[.]sbs | Domain | Crypto phishing domain
sushijames[.]sbs | Domain | Crypto phishing domain
aerodromeaz[.]sbs | Domain | Crypto phishing domain
meteorablog[.]site | Domain | Crypto phishing domain
aerodromesblogs[.]site | Domain | Crypto phishing domain
suietwallets[.]site | Domain | Crypto phishing domain
jumperblogs[.]site | Domain | Crypto phishing domain
sushiblogsite[.]site | Domain | Crypto phishing domain
raydiumblogs[.]site | Domain | Crypto phishing domain
pancakws[.]ru | Domain | Crypto phishing domain
solscanpv[.]ru | Domain | Crypto phishing domain
meteorasp[.]ru | Domain | Crypto phishing domain

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.


Source: https://cyble.com/blog/crypto-phishing-applications-on-the-play-store/