Over 20 Fake Mobile Apps Are Phishing Crypto Wallet Users
A recent investigation by Cyble Research and Intelligence Labs (CRIL) uncovered more than 20 malicious Android applications on the Google Play Store, specifically designed to target cryptocurrency wallet users with phishing tactics. Strikingly, these apps masquerade as well‑known wallet interfaces such as SushiSwap, PancakeSwap, Hyperliquid, Raydium (and more), tricking users into submitting their 12‑word seed phrases via fraudulent wallet screens.
How the Scam Worked?
- Impersonation of trusted brands: The apps use the names, icons, and user interfaces of real crypto wallets to appear authentic
- Mnemonic theft via embedded phishing websites: Installed apps launch webpages inside a WebView, often through frameworks like Median, prompting victims to enter their seed phrase under the guise of accessing their wallet
- Compromised or repurposed developer accounts: Surprisingly, the attackers published the fake apps using developer accounts that once hosted legitimate software—games, video downloaders, or live‑stream apps, some with over 100,000 downloads—which likely helped the apps slip past Google’s defences
- Centralised phishing infrastructure: The campaign is powered by a network of over 50 phishing domains, hosted under shared infrastructure such as the IP 94.156.177.209
Once a user enters their mnemonic, threat actors can access the genuine wallet and drain funds, with losses typically irreversible given the nature of crypto transactions
List of Malicous Apps?
CRIL uncovered a broad set of malicious apps targeting crypto users, many disguised as legitimate wallets or exchanges. Among the impersonated brands were (including package names):
- PancakeSwap (
co.median.android.pkmxaj), - Suiet Wallet (
co.median.android.ljqjry), - Hyperliquid (
co.median.android.jroylx), - Raydium (
co.median.android.yakmje), - BullX Crypto (
co.median.android.ozjwka), - OpenOcean Exchange (
co.median.android.ozjjkx), - Meteora Exchange (
co.median.android.kbxqaj), and - SushiSwap (
co.median.android.pkezyz).
Additionally, two apps using different package naming schemes—Raydium (cryptoknowledge.rays) and PancakeSwap (com.cryptoknowledge.quizzz)—were also identified as malicious, both referencing a phishing-focused privacy policy hosted via TermsFeed.
What Brands Can Do to Protect Against Fake Mobile Apps
With phishing campaigns increasingly using fake apps to impersonate trusted crypto platforms, brands can no longer afford to be passive. Here’s what your organisation can do to protect both your brand reputation and your users:
1. Implement Fake App Monitoring
Continuously scan app marketplaces (Google Play, Apple App Store, third-party APK sites) for apps impersonating your brand. Use monitoring tools or services that track keywords, developer activity, and icon/UI similarities.
2. Claim and Secure Official App Store Listings
Establish and verify your official app presence on all relevant stores—even if you’re not actively publishing—to prevent threat actors from registering similar-sounding names.
3. Set Up a Rapid Takedown Process
Have a pre-approved enforcement workflow in place to issue takedown requests to app stores and hosting providers. The faster you act, the fewer users are exposed.
4. Leverage User Reporting
Encourage your community to report fake apps. Provide clear instructions on how to verify official apps and where to report suspicious ones. The crowd can be your first alert system.
5. Monitor Developer Impersonation
Track not just your own brand, but also compromised developer accounts that may be distributing phishing apps under your name. These can appear trustworthy based on their history of legitimate apps.
Learn more about how brandsec assists brands with our advanced mobile app monitoring solution here.
Discover & Remove Fake Mobile Apps Quickly and Effortlessly with Unphish
Sign up for ea free audit and report on issues impacting your brand and digital ecosystem.
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.
