Malicious crypto apps on Google store used to steal users’ funds



Summary

Malicious apps

Malicious apps posing as legitimate cryptocurrency wallets are being used by scammers to steal funds.

Recovery phrase

The apps trick users into handing over their 12-word recovery phrase, which is then used to gain access to the victim's real cryptocurrency wallet.

Google app store

Not all of the 20 hostile apps found in the Google Play Store have been removed.


Full story

A cybersecurity firm has discovered 20 apps in the Google Play Store that imitate legitimate cryptocurrency wallets. The apps attempt to collect sensitive information, such as a user’s recovery phrase, allowing cybercriminals to steal their funds.

The findings, detailed in a report from Cyble Research and Intelligence Labs, provide an insight into the latest methods used by online thieves.

Malicious apps

By compromising legitimate developer accounts on Google Play, Cyble’s report says, scammers are able to upload apps that pose as legitimate crypto wallets, including Hyperliquid, PancakeSwap, Raydium and SushiSwap.

“These accounts were originally used to distribute legitimate apps, including gaming, video downloader and live streaming applications, and some have amassed over 100,000 downloads,” the report says. “This behavior suggests that these older developer accounts have likely been compromised and are now being leveraged to distribute malicious applications.”

The hostile apps ask for a user’s 12-word mnemonic phrase through phishing, an attack employed by hackers to fool targets into providing sensitive information. The phrases allow users to regain control of their crypto funds if they lose access to the device where the wallet was originally stored.

A successful attack can leave users facing irreversible financial losses.

Cyble claims it alerted Google to the presence of the malicious apps on the Play Store. Many, but not all, were removed.

“What makes this campaign particularly dangerous is the use of seemingly legitimate applications, hosted under previously benign or compromised developer accounts, combined with a large-scale phishing infrastructure linked to over 50 domains,” the report said. “This not only extends the campaign’s reach but also lowers the likelihood of immediate detection by traditional defenses.”

Security recommendations

Cyble recommends that users download apps only from verified developers to avoid falling victim to crypto theft. App reviews should be checked, and any app that requests sensitive information, such as recovery phrases, should be avoided. Android users can also enable Google Play Protect in the app store, a built-in security feature that scans apps for potentially harmful features.

Other tips include using a reputable antivirus service, creating strong passwords and enabling two-factor authentication when available. Crypto holders should also be suspicious of any phone calls or texts asking for information related to their digital funds.

Alan Judd (Content Editor) and Mathew Grisham (Digital Producer) contributed to this report.

Why this story matters

Efforts by cybercriminals to distribute fraudulent cryptocurrency wallet apps via compromised developer accounts on the Google Play Store highlight ongoing risks to user funds and the need for enhanced digital security for cryptocurrency users.

Crypto wallet phishing

Attackers impersonating legitimate crypto wallet apps to steal recovery phrases have exposed users to irreversible financial losses, emphasizing the vulnerability of digital wallets to phishing attacks.

Compromised developer accounts

The use of previously trustworthy developer accounts to distribute malicious apps, as described by Cyble Research and Intelligence Labs, demonstrates how attackers exploit trusted channels to bypass standard user defenses.

Sources

  1. Cyble