- Fake wallet apps ask for your 12-word recovery phrase and quietly drain your crypto funds
- CRIL found more than 20 Play Store apps built solely to steal users' crypto wallet credentials
- Malicious apps use WebViews to show fake login pages that mimic the real login pages of PancakeSwap and others
New research by Cyble Research and Intelligence Labs (CRIL) uncovered a large-scale phishing campaign spanning more than 20 Android apps listed on the Google Play Store.
These apps, which pose as legitimate cryptocurrency wallet tools, were built for a single purpose: stealing users' mnemonic phrases, the 12-word recovery keys that grant full access to a crypto wallet.
Once compromised, victims risk losing their entire cryptocurrency holdings, with no possibility of recovery.
How the apps work and what makes them dangerous
Many of the malicious apps were built with the Median framework, which allows a website to be quickly packaged as an Android application.
Using this method, the threat actors embedded the phishing URL directly in the app code or inside the privacy policy documents.
These links then load deceptive login pages through a WebView, tricking users into entering their mnemonic phrases in the belief that they are interacting with trusted wallet services such as PancakeSwap, Suiet, Raydium and Hyperliquid.
For example, a fraudulent PancakeSwap app used the URL hxxps://pancakefentfloyd(.)cz/api.php, which loaded a phishing page copying the genuine PancakeSwap interface.
Similarly, a fake Raydium app redirected users to hxxps://piwalletblog to run a similar scam.
Despite the differences in branding, these apps shared one objective: harvesting users' private access keys.
CRIL's analysis showed that the phishing infrastructure behind these apps was extensive. The IP address 94.156.177(.)209, used to host these malicious pages, also hosted more than 50 other phishing domains.
These domains mimic popular crypto platforms and are reused across many apps, pointing to a centralized and well-organized operation.
Some of the malicious apps were also published under developer accounts previously linked to legitimate software, such as gaming or streaming applications, lowering users' suspicion.
This tactic complicates detection, as even advanced mobile security tools can struggle to identify threats hidden behind familiar branding or developer profiles.
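As an added triage example (not part of the CRIL report or this article), the following Python script applies the two signals described above, a Median WebView wrapper package name and a privacy-policy domain that imitates a wallet brand, to a constructed sample drawn from the article's app list, and groups packages by shared domain to surface the infrastructure reuse CRIL describes. The brand-token list, the package-prefix heuristic and the benign control entry are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Brand name fragments the article says the phishing domains imitate
# (assumed heuristic list; "pankake" covers the misspelled lookalike domain).
BRAND_TOKENS = ("pancake", "pankake", "suiet", "raydi", "hyperliq", "bullx",
                "openocean", "sushi", "harvest", "meteora")

# Constructed sample: five entries copied from the article's app list plus one
# made-up benign app as a control. URLs stay defanged as printed in the article.
SAMPLE_APPS = [
    ("PancakeSwap", "co.median.android.pkmxaj", "hxxps://pankakefentfoyd.cz/privatepolicy.html"),
    ("Suiet Wallet", "co.median.android.ljqjry", "hxxps://suietsiz.cz/privatepolicy.html"),
    ("Suiet Wallet", "co.median.android.mpeaaw", "hxxps://suietsiz.cz/privatepolicy.html"),
    ("Raydium", "co.median.android.yakmje", "hxxps://raydifloyd.cz/privatepolicy.html"),
    ("Raydium", "co.median.android.epwzyq", "hxxps://raydifloyd.cz/privatepolicy.html"),
    ("Weather Widget", "com.example.weather", "hxxps://www.example.com/privacy.html"),
]

def refang(url):
    """Turn a defanged indicator (hxxps://, (.), stray spaces) back into a parseable URL."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    return url.replace("(.)", ".").replace(" ", "")

def domain_of(url):
    """Host of a (possibly defanged) URL, lowercased; '' if it cannot be parsed."""
    return (urlsplit(refang(url)).hostname or "").lower()

def brand_hits(domain):
    """Brand fragments found inside the domain name."""
    return [t for t in BRAND_TOKENS if t in domain]

def triage(apps):
    """suspicious = Median wrapper apps whose privacy-policy domain imitates a brand;
    reused = domains shared by more than one package (the reuse pattern CRIL notes)."""
    by_domain = defaultdict(list)
    suspicious = []
    for name, pkg, policy_url in apps:
        dom = domain_of(policy_url)
        by_domain[dom].append(pkg)
        is_wrapper = pkg.lower().startswith("co.median.android.")  # assumed Median prefix
        hits = brand_hits(dom)
        if is_wrapper and hits:
            suspicious.append((pkg, name, dom, hits))
    reused = {d: p for d, p in by_domain.items() if len(p) > 1}
    return suspicious, reused
```

Feed it the full 22-entry list from the article (or `adb shell pm list packages` output joined with the policy URLs) and the shared-domain map alone shows how few domains back the whole campaign.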
To protect against such attacks, CRIL advises users to download apps only from verified developers and to avoid any app that requests sensitive information.
Using reputable Android antivirus or endpoint protection software, and making sure Google Play Protect is enabled, adds an important, though not infallible, layer of defense.
Strong, unique passwords and multi-factor authentication should be standard practice, and biometric security features should be enabled where available.
Users should also avoid clicking suspicious links received via SMS or email, and never enter sensitive information into a mobile app unless its legitimacy has been confirmed.
Ultimately, no legitimate app should ever request a complete mnemonic phrase through a login prompt. If one does, it is already too late.
Complete list of the 22 fake apps to avoid
- 1. PancakeSwap
  Package: co.median.android.pkmxaj
  Privacy Policy: hxxps://pankakefentfoyd.cz/privatepolicy.html
- 2. Suiet Wallet
  Package: co.median.android.ljqjry
  Privacy Policy: hxxps://suietsiz.cz/privatepolicy.html
- 3. Hyperliquid
  Package: co.median.android.jroylx
  Privacy Policy: hxxps://hyperlique
- 4. Raydium
  Package: co.median.android.yakmje
  Privacy Policy: hxxps://raydifloyd.cz/privatepolicy.html
- 5. Hyperliquid
  Package: co.median.android.aaxblp
  Privacy Policy: hxxps://hyperlique
- 6. BullX Crypto
  Package: co.median.android.ozjwka
  Privacy Policy: hxxps://bullxni.sbs/privatepolicy.html
- 7. OpenOcean Exchange
  Package: co.median.android.ozjkx
  Privacy Policy: hxxps://openoceansi.sbs/privatepolicy.html
- 8. Suiet Wallet
  Package: co.median.android.mpeaaw
  Privacy Policy: hxxps://suietsiz.cz/privatepolicy.html
- 9. Meteora Exchange
  Package: co.median.android.kbxqaj
  Privacy Policy: hxxps://meteorafloydoverdose.sbs/privatepolicy.html
- 10. Raydium
  Package: co.median.android.epwzyq
  Privacy Policy: hxxps://raydifloyd.cz/privatepolicy.html
- 11. SushiSwap
  Package: co.median.android.pkezyz
  Privacy Policy: hxxps://sushijames.sbs/privatepolicy.html
- 12. Raydium
  Package: co.median.android.pkzylr
  Privacy Policy: hxxps://raydifloyd.cz/privatepolicy.html
- 13. SushiSwap
  Package: co.median.android.brlljb
  Privacy Policy: hxxps://sushijames.sbs/privatepolicy.html
- 14. Hyperliquid
  Package: co.median.android.djerqq
  Privacy Policy: hxxps://hyperlique
- 15. Suiet Wallet
  Package: co.median.android.epeall
  Privacy Policy: hxxps://suietwz.sbs/privatepolicy.html
- 16. BullX Crypto
  Package: co.median.android.braqdy
  Privacy Policy: hxxps://bullxni.sbs/privatepolicy.html
- 17. Harvest Finance Blog
  Package: co.median.android.ljmeob
  Privacy Policy: hxxps://harvestfin.sbs/privatepolicy.html
- 18. PancakeSwap
  Package: co.median.android.djrdyk
  Privacy Policy: hxxps://pankakefentfoyd.cz/privatepolicy.html
- 19. Hyperliquid
  Package: co.median.android.epbdbn
  Privacy Policy: hxxps://hyperlique
- 20. Suiet Wallet
  Package: co.median.android.noxmdz
  Privacy Policy: hxxps://suietwz.sbs/privatepolicy.html
- 21. Raydium
  Package: cryptoknowledge.rays
  Privacy Policy: hxxps://www.termsfeed.com/live/a4EC75-145C-47B3-8B10-d43164f83Bfc
- 22. PancakeSwap
  Package: com.cryptoknowledge.quizzZZZZZZZZZZZZZOn
  Privacy Policy: hxxps://www.termsfeed.com/live/a4EC75-145C-47B3-8B10-d43164f83Bfc