New Delhi, June 12, 2025: A sophisticated phishing campaign targeting cryptocurrency users has infiltrated the Google Play Store, with over 20 malicious apps masquerading as legitimate decentralized finance (DeFi) wallets. According to a report by Cyble Research and Intelligence Labs (CRIL), these counterfeit apps, mimicking trusted platforms like SushiSwap, PancakeSwap, Raydium, and Hyperliquid, are designed to steal users’ 12-word recovery phrases, granting cybercriminals full access to victims’ digital assets. Despite Google’s efforts to remove most of these apps, the ongoing campaign underscores the growing threat to crypto investors and the need for heightened vigilance.
How the Scam Operates
These fake apps employ advanced social engineering tactics to deceive users. Once installed, they prompt users to enter their 12-word mnemonic phrase—a critical security key used to access and restore cryptocurrency wallets. By mimicking the branding, logos, and user interfaces of legitimate DeFi platforms, these apps appear convincing to unsuspecting users. For example, a fake PancakeSwap app might load a phishing website via a WebView, such as “hxxps://pancakefentfloyd[.]cz,” tricking users into entering their recovery phrase under the guise of wallet restoration. Once obtained, these phrases allow attackers to drain funds instantly, with losses often irreversible due to the nature of blockchain transactions.
What makes this campaign particularly insidious is the use of compromised or repurposed developer accounts. Many of these accounts previously hosted legitimate apps, such as games or video downloaders, amassing hundreds of thousands of downloads and building trust within the Play Store ecosystem. Cybercriminals either hack these accounts or acquire them to deploy malicious apps, bypassing Google’s vetting process by leveraging their established credibility. The CRIL report also identified over 50 phishing domains linked to this campaign, indicating a highly coordinated and expansive operation.
Hidden Phishing Tactics
The fraudulent apps employ subtle but effective methods to evade detection. Many embed phishing URLs within their privacy policy documents, a tactic that exploits users’ trust in seemingly official links. For instance, one app impersonating Raydium directed users to “hxxps://piwalletblog[.]blog,” a phishing site designed to harvest recovery phrases. Others use frameworks like Median to rapidly convert phishing websites into Android apps, loading deceptive interfaces via WebView components. These tactics, combined with near-identical package names (e.g., “co.median.android.pkmxaj” for a fake PancakeSwap app), make it challenging for users to distinguish fakes from authentic apps.
List of Malicious Apps
CRIL’s investigation identified the following fake apps, which users should immediately uninstall if present on their devices:
- Suiet Wallet: co.median.android.ljqjry, co.median.android.noxmdz, co.median.android.epeall, co.median.android.mpeaaw
- SushiSwap: co.median.android.pkezyz, co.median.android.brlljb
- Raydium: co.median.android.epwzyq, co.median.android.pkzylr, co.median.android.yakmje, cryptoknowledge.rays
- Hyperliquid: co.median.android.epbdbn, co.median.android.djerqq, co.median.android.aaxblp, co.median.android.jroylx
- BullX Crypto: co.median.android.braqdy, co.median.android.ozjwka
- PancakeSwap: co.median.android.djrdyk, co.median.android.pkmxaj, com.cryptoknowledge.quizzz
- OpenOcean Exchange: co.median.android.ozjjkx
- Meteora Exchange: co.median.android.kbxqaj
- Harvest Finance Blog: co.median.android.ljmeob
This list, compiled from CRIL’s findings, reflects apps discovered as of June 6, 2025, though the campaign remains active, with new fakes potentially emerging.
Google’s Response and Ongoing Risks
Upon CRIL’s reporting, Google removed most of the identified apps from the Play Store, but a few remained active as of June 12, 2025, and have been flagged for takedown. Google Play Protect, a built-in security feature, is designed to warn or block such apps, but users must manually uninstall any already downloaded. The campaign’s scale—combined with its use of over 50 phishing domains—highlights the difficulty of detecting these threats, even on a vetted platform like the Play Store. In 2024, crypto scams generated an estimated $9.9 billion, a figure projected to grow in 2025 with AI-driven tactics enhancing their sophistication.
Steps to Protect Yourself
To safeguard your cryptocurrency assets, experts recommend the following actions:
- Uninstall Suspicious Apps: Check your device for the listed apps and remove them immediately. Navigate to Settings > Apps > [App Name] > Uninstall. If an app has Device Admin Access, disable it first.
- Protect Your Recovery Phrase: Never share your 12-word mnemonic phrase with any app or website unless verified by the official wallet provider.
- Verify Developer Credentials: Check the developer name and package name before downloading. For example, the legitimate PancakeSwap app is published by the PancakeSwap team; a package name such as “co.median.android.pkmxaj” belongs to a fake.
- Enable Google Play Protect: Ensure this feature is active to detect potentially harmful apps.
- Use Two-Factor Authentication (2FA): Opt for app-based 2FA over SMS to mitigate risks like SIM-swapping.
- Monitor Wallet Activity: Regularly review your wallet for unauthorized transactions and disconnect from suspicious apps.
- Stick to Official Sources: Download apps only from verified developers or official project websites, and bookmark legitimate URLs to avoid phishing clones.
- Be Wary of Red Flags: Look for low download counts, poor grammar, broken UI elements, or suspicious links in privacy policies.
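To turn the “Uninstall Suspicious Apps” step into a repeatable check, the following added shell example (not from the Cyble report or this article) compares a device’s installed package list against the package names listed above. It assumes adb is installed with USB debugging enabled on the phone, and the matching logic itself only needs the text output of `pm list packages`.

```shell
#!/bin/sh
# Package names taken from the CRIL list reproduced in this article.
MALICIOUS_PACKAGES="
co.median.android.ljqjry co.median.android.noxmdz co.median.android.epeall co.median.android.mpeaaw
co.median.android.pkezyz co.median.android.brlljb
co.median.android.epwzyq co.median.android.pkzylr co.median.android.yakmje cryptoknowledge.rays
co.median.android.epbdbn co.median.android.djerqq co.median.android.aaxblp co.median.android.jroylx
co.median.android.braqdy co.median.android.ozjwka
co.median.android.djrdyk co.median.android.pkmxaj com.cryptoknowledge.quizzz
co.median.android.ozjjkx
co.median.android.kbxqaj
co.median.android.ljmeob
"

# Reads `pm list packages` output on stdin (one `package:<name>` per line) and
# prints every installed package that appears in the list above.
# Exit status: 0 when nothing matched, 1 when at least one fake was found.
find_flagged_packages() {
    found=0
    while IFS= read -r line; do
        pkg=${line#package:}          # strip the "package:" prefix adb prints
        for bad in $MALICIOUS_PACKAGES; do
            if [ "$pkg" = "$bad" ]; then
                echo "FLAGGED: $pkg (listed as a fake DeFi wallet app)"
                found=1
            fi
        done
    done
    return $found
}

# Usage against a connected device (assumes adb is on PATH):
#   adb shell pm list packages | find_flagged_packages
# Remove any match with `adb uninstall <package>` or via Settings > Apps.
```

A clean device produces no output and exit status 0, so the function can be dropped into a fleet-check script that alerts only on a non-zero status.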
Broader Implications for Crypto Users
This phishing campaign underscores the growing risks in the cryptocurrency and DeFi sectors, where adoption is surging but so are cyberattacks. The use of trusted developer accounts and polished app designs highlights the sophistication of modern scams. As noted by Jake Moore from ESET, “It’s even more serious when bad apps get into the Play Store, which is supposed to be safe.” Unlike traditional banking, cryptocurrency transactions are often irreversible, making prevention critical.
For iPhone users, while Apple’s App Store has stricter review processes, similar scams can target iOS through fake websites or unofficial app sources. Sticking to official channels and avoiding suspicious links in emails or texts is crucial.
Staying Ahead of the Threat
The CRIL report serves as a wake-up call for crypto investors, emphasizing the need for vigilance in a rapidly evolving digital landscape. As cybercriminals exploit the credibility of platforms like Google Play, users must prioritize security practices to protect their assets. Regularly updating antivirus software, enabling 2FA, and verifying app authenticity are essential steps to stay safe.
If you suspect you’ve fallen victim, immediately disconnect your wallet from the app, revoke permissions, and consider resetting your wallet to a new seed phrase after securing your device. Reporting suspicious apps to Google and sharing IOCs (Indicators of Compromise) with the crypto community can help mitigate further damage.
As the crypto scam landscape evolves, staying informed and cautious is the best defense. Re-examine your installed apps today to ensure your digital wealth remains secure.