All these apps are dangerous
Republished on June 10 with further expert security analysis on this threat and new advice for users on staying safe when installing apps from Google’s Play Store.
You probably have at least 100 apps on your phone — likely more. And there’s plenty of choice, almost 2 million apps on Apple’s App Store and nearer 3 million on Google’s Play Store. You’re urged only to install apps from official stores, but sometimes even that doesn’t keep you safe. So it is with a new list of apps you must delete right now.
This list comes courtesy of Cyble, whose researchers discovered a raft of apps that had tricked their way onto Play Store even though they mimic the names and icons of legitimate digital wallets. Once installed and opened, the apps open a phishing website or an in-app WebView, requesting the mnemonic phrases that can be used to empty the wallet.
Cyble found more than 20 apps, “targeting crypto wallet users” by impersonating “popular wallets such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium,” and tricking users into dangerous Play Store installs by using “compromised or repurposed developer accounts.” The targeted wallets (and app names) are listed below.
There are 9 wallets being mimicked, but that list could grow. More than 20 apps have been identified so far, but the campaign is live and so that number will expand. Focus on the wallet/app name rather than the app identifier, although the package names are listed in Cyble’s report.
Fake wallet apps:
- Pancake Swap
- Suiet Wallet
- Hyperliquid
- Raydium
- BullX Crypto
- OpenOcean Exchange
- Meteora Exchange
- SushiSwap
- Harvest Finance Blog
The apps seem to come from different developers, but “exhibit consistent patterns, such as embedding Command and Control (C&C) URLs within their privacy policies and using similar package names and descriptions.” Those developer accounts once distributed legitimate apps, but have been compromised for this malicious campaign.
Cyble warns these apps “employ phishing techniques to steal users’ mnemonic phrases, which are then used to access real wallets and drain cryptocurrency funds.” The apps were not discovered all at once, but over recent weeks. And as they’re reported they’re being removed from Play Store. Check the list above and delete any on your phone. And also ensure that Google’s Play Protect is always enabled on your phone.
Keeper Security’s Shane Barney warns that “even trusted platforms like the Play Store aren’t immune to today’s increasingly complex cybersecurity threats. The phishing apps used in this campaign mimic popular crypto wallets such as SushiSwap, PancakeSwap, Hyperliquid and Raydium – luring users into handing over their 12-word recovery phrases – essentially the keys to their digital assets.”
Cyble says “these apps have been progressively discovered over recent weeks, reflecting an ongoing and active campaign,” and all were reported to Google. Most were already removed prior to publication, while the rest “have been reported for takedown.”
Google told me that “all of the identified malicious apps from this report have been removed from Google Play,” and that “users are automatically protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.”
But Black Duck’s Nivedita Murthy points out that “applications on the Google Play Store platform are not vetted for security regularly unless someone reports them. It is expected that the developer/the company that creates these apps do it. More often than not, we see apps that ride on the popularity of other mobile apps and market themselves as an enhanced version of the original one. Users should always download legitimate apps created by the company as listed on their website and not by searching Play Store.”
In light of this, ESET’s Jake Moore has now warned “anyone with crypto wallets to immediately uninstall any app that isn’t verified as well as cross‑checking app publisher details, reviews and download stats before installing.” That takes some effort, but the risks are just not worth taking. The fact these apps tricked their way onto Play Store means it’s critical to adopt these measures.
iVerify’s Kevin Hoganson told me “it’s extremely tricky where the user unknowingly had an application installed on their mobile device that now accomplishes two things: 1) the surprisingly clever tactic of impersonating the login interface of a reputable application to hijack credentials; 2) potentially leveraging its extensive privileges to monitor the user’s use of credentials (and this includes things that may be copied over from legitimate password manager applications, or pasted from other sources).”
What that means is “monitoring things like the user’s clipboard (via copy-and-paste) and keystrokes, plus interactions with the UI through Accessibility Services. Accessibility Services can observe text fields, input across apps, etc. so some malware strains may proactively exploit this feature.” And that extends the threat far beyond just the crypto wallet login, through the abuse of app permissions.
Moore says “malware is often hidden inside Trojan apps found on third-party app stores but it can be far more damning when they appear on the main Play Store, which typically has far more stringent security checks. As with any software, it is always wise to install with extreme caution, especially when it has been developed from an unknown location. But even when they are downloaded from legitimate platforms it is wise to carry out full due diligence especially when such apps are connected to finances.”
“What makes this campaign particularly dangerous,” the Cyble researchers say, “is the use of seemingly legitimate applications… combined with a large-scale phishing infrastructure linked to over 50 domains. This not only extends the campaign’s reach but also lowers the likelihood of immediate detection by traditional defenses.”
According to Moore, “malicious actors continue to develop more sophisticated malware that can be extremely invasive and they know too well that their victims are often too quick to install without proper research.” The fact that these apps could easily mimic real-world crypto wallets and leverage their brands to attack Play Store users demonstrates the need for users to look for telltale signs before installing.
Hoganson also warns that “the SYSTEM_ALERT_WINDOW permission is particularly dangerous here because it enables a malicious application to draw a legitimate looking interface over top of the entire screen. It’s likely a core part of the tactic which enables an adversary to impersonate a legitimate crypto wallet management application, especially those which are reputable and trusted within the community.”
This means, Hoganson says, “an adversary could feasibly leverage a foreground service to monitor which application is in focus, wait until it’s the crypto management application, and then trigger the fake login screen to social engineer the user into authenticating with their passphrase mnemonic, even though these credentials would ultimately be exfiltrated from the target device and processed by attack servers for immediate (read as: automated) or future use.”
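As an added defender-side triage example, not code from Cyble’s report or from this article, the Python below parses constructed samples of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` output and flags untrusted packages that combine SYSTEM_ALERT_WINDOW with foreground-service or accessibility access, the overlay-plus-monitoring combination Hoganson describes above. The package names in the samples and the `trusted_pkgs` set are placeholders; the real wallets’ package names are in Cyble’s report, not here.

```python
import re

# Constructed sample of `adb shell dumpsys package` output (not from a real device).
DUMPSYS_SAMPLE = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
  Package [com.example.wallet.lookalike] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.FOREGROUND_SERVICE
    install permissions:
      android.permission.INTERNET: granted=true
"""
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
A11Y_SAMPLE = "com.example.wallet.lookalike/com.example.wallet.lookalike.HelperService"
OVERLAY, FG_SERVICE = "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.FOREGROUND_SERVICE"

def parse_requested_permissions(text):
    """Map each package to the entries under its 'requested permissions:' block."""
    result, pkg, in_block = {}, None, False
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:                                   # a new package header resets the state
            pkg, in_block = m.group(1), False
            result[pkg] = set()
        elif pkg and line.strip() == "requested permissions:":
            in_block = True
        elif in_block and line.startswith("      "):  # six-space indent = one permission
            result[pkg].add(line.strip())
        else:                                   # any other line ends the block
            in_block = False
    return result

def parse_enabled_accessibility(text):
    """Packages with an enabled accessibility service ('pkg/Service' entries, colon-separated)."""
    return {e.split("/")[0] for e in text.strip().split(":") if e and e != "null"}

def flag_overlay_capable(perms_by_pkg, a11y_pkgs, trusted_pkgs):
    """Untrusted packages that combine overlay with foreground-service and/or accessibility access."""
    flagged = {}
    for pkg, perms in perms_by_pkg.items():
        reasons = [name for name, hit in (("overlay", OVERLAY in perms),
                                          ("foreground-service", FG_SERVICE in perms),
                                          ("accessibility", pkg in a11y_pkgs)) if hit]
        if pkg not in trusted_pkgs and "overlay" in reasons and len(reasons) > 1:
            flagged[pkg] = reasons
    return flagged
```

On a real device, feed the script the output of the two adb commands and populate `trusted_pkgs` with the package names published by each wallet vendor; anything flagged deserves a look at its publisher details before it keeps overlay or accessibility access.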
“Too often,” Barney says, “users assume that if an app is available in an official store, it must be safe. While it’s always recommended to download apps from official sources, that alone is not a guarantee that the app is secure. Attackers are getting smarter, using compromised or repurposed developer accounts and embedding phishing infrastructure in ways that can slip past casual scrutiny.”
There’s no safety net with digital wallets. Losses won’t be recovered. Do not install apps unless you know they’re provided by the entity behind the wallet itself and you’ve linked to the app from the actual website. If you have any of these apps, delete them.