- Fake wallet apps ask for your 12-word seed phrase and quietly drain your crypto funds
- CRIL has found more than 20 Play Store apps built solely to steal users' crypto wallet credentials
- The malicious apps used WebView to mimic the real PancakeSwap login page and those of other services
New research by Cyble Research and Intelligence Labs (CRIL) has uncovered a large-scale phishing campaign involving more than 20 Android applications listed on the Google Play Store.
These applications, which appeared to be legitimate cryptocurrency wallet tools, were created for a single purpose: stealing users' mnemonic phrases, the 12-word seed phrases that grant full access to a cryptocurrency wallet.
Once a phrase is compromised, the victim risks losing all of their cryptocurrency holdings, with no possibility of recovery.
How the apps work and what makes them dangerous
Many of the malicious apps were built with the Median framework, which lets a website be converted quickly into an Android application.
Using this method, the threat actors embedded phishing URLs directly in the application code or in the app's privacy policy document.
Those links then loaded deceptive login pages in a WebView, prompting users to enter their mnemonic phrase in the belief that they were interacting with trusted wallet services such as PancakeSwap, SushiSwap, Raydium and Hyperliquid.
For example, a fraudulent PancakeSwap app used the URL hxxps://pancakefentfloyd[.]cz/api.php, which led to a phishing page imitating the legitimate PancakeSwap interface.
Likewise, a fake Raydium app redirected users to hxxps://piwalletblog[.]blog to run a similar scam.
Despite the differences in branding, these apps share a common goal: extracting users' private access keys.
CRIL's analysis revealed that the phishing infrastructure supporting these apps was extensive. The IP address 94.156.177[.]209, used to host the malicious pages, was linked to more than 50 other phishing domains.
These domains imitate popular crypto platforms and are reused across several apps, indicating a centralized and extensive operation.
Some of the malicious apps were even published from developer accounts previously associated with legitimate software, such as gaming or streaming apps, further lowering users' suspicion.
This tactic complicates detection, because even advanced mobile security tools can struggle to identify threats hidden behind familiar branding or developer profiles.
To protect against such attacks, CRIL advises users to download apps only from verified developers and to avoid any app that asks for sensitive information.
Using a reputable Android antivirus or endpoint protection product, and making sure Google Play Protect is enabled, adds a significant, though not infallible, layer of defense.
Strong, unique passwords and multi-factor authentication should be standard practice, and biometric security features should be enabled where available.
Users should also avoid clicking suspicious links received by SMS or e-mail, and never enter sensitive information into a mobile app unless its legitimacy is certain.
Ultimately, no legitimate app should ever request a complete mnemonic phrase through a login prompt. If one does, it is probably already too late.
Complete list of the 22 fake apps to avoid
1. Pancake Swap
Package: co.median.android.pkmxaj
Privacy policy: hxxps://pancakefentfloyd.cz/privatePolicy.html
2. Suiet Wallet
Package: co.median.android.ljqjry
Privacy policy: hxxps://suietsiz.cz/privatePolicy.html
3. Hyperliquid
Package: co.median.android.jroyl
Privacy policy: hxxps://hyperliqw.sbs/privatePolicy.html
4. Raydium
Package: co.median.android.yakmje
Privacy policy: hxxps://raydifloyd.cz/privatePolicy.html
5. Hyperliquid
Package: co.median.android.aaxblp
Privacy policy: hxxps://hyperliqw.sbs/privatePolicy.html
6. Crypto BullX
Package: co.median.android.ozjwka
Privacy policy: hxxps://bullxni.sbs/privatePolicy.html
7. OpenOcean Exchange
Package: co.median.android.ozjjkx
Privacy policy: hxxps://openoceansi.sbs/privatePolicy.html
8. Suiet Wallet
Package: co.median.android.mpeaaw
Privacy policy: hxxps://suietsiz.cz/privatePolicy.html
9. Meteor Exchange
Package: co.median.android.kbxqa
Privacy policy: hxxps://meteorafloydoverdose.sbs/privatePolicy.html
10. Raydium
Package: co.median.android.epwzyq
Privacy policy: hxxps://raydifloyd.cz/privatePolicy.html
11. Sushi
Package: co.median.android.pkezyz
Privacy policy: hxxps://sushijames.sbs/privatePolicy.html
12. Raydium
Package: co.median.android.pkzylr
Privacy policy: hxxps://raydifloyd.cz/privatePolicy.html
13. Sushi
Package: co.median.android.brlljb
Privacy policy: hxxps://sushijames.sbs/privatePolicy.html
14. Hyperliquid
Package: co.median.android.djerq
Privacy policy: hxxps://hyperliqw.sbs/privatePolicy.html
15. Suiet Wallet
Package: co.median.android.epeall
Privacy policy: hxxps://suietwz.sbs/privatePolicy.html
16. Crypto BullX
Package: co.median.android.braqdy
Privacy policy: hxxps://bullxni.sbs/privatePolicy.html
17. Harvest Finance Blog
Package: co.median.android.ljmeob
Privacy policy: hxxps://harvestfin.sbs/privatePolicy.html
18. Pancake Swap
Package: co.median.android.djrdyk
Privacy policy: hxxps://pancakefentfloyd.cz/privatePolicy.html
19. Hyperliquid
Package: co.median.android.epbdbn
Privacy policy: hxxps://hyperliqw.sbs/privatePolicy.html
20. Suiet Wallet
Package: co.median.android.noxmdz
Privacy policy: hxxps://suietwz.sbs/privatePolicy.html
21. Raydium
Package: cryptoknowledge.rays
Privacy policy: hxxps://www.termsfeed.com/live/A4EC5C75-145C-47B3-8B10-D43164F83BFC
22. PancakeSwap
Package: com.cryptoknowledge.quizzz
Privacy policy: hxxps://www.termsfeed.com/live/A4EC5C75-145C-47B3-8B10-D43164F83BFC
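The domain reuse CRIL describes, where several wrapper apps point their privacy policy at the same phishing domain, is visible directly in the list above. The following Python script is an added defender-side example, not code from the article or from Cyble: it refangs a subset of the listed indicators, clusters packages by privacy-policy domain, and triages a constructed list of installed package names; the `MEDIAN_PREFIX` heuristic is an assumption based on the `co.median.android.` naming seen in the list, and flags a wrapper-built app for review rather than calling it malicious.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of package / privacy-policy pairs quoted from the article, kept defanged.
ARTICLE_IOCS = [
    ("co.median.android.pkmxaj", "hxxps://pancakefentfloyd[.]cz/privatePolicy.html"),
    ("co.median.android.djrdyk", "hxxps://pancakefentfloyd[.]cz/privatePolicy.html"),
    ("co.median.android.yakmje", "hxxps://raydifloyd[.]cz/privatePolicy.html"),
    ("co.median.android.epwzyq", "hxxps://raydifloyd[.]cz/privatePolicy.html"),
    ("co.median.android.jroyl", "hxxps://hyperliqw[.]sbs/privatePolicy.html"),
    ("cryptoknowledge.rays", "hxxps://www.termsfeed[.]com/live/A4EC5C75-145C-47B3-8B10-D43164F83BFC"),
]
MEDIAN_PREFIX = "co.median.android."  # assumed prefix of Median-built wrapper apps

def refang(url: str) -> str:
    """Restore a defanged indicator ("hxxps: //x[.]cz") to a parseable URL."""
    url = url.strip().replace("[.]", ".").replace("[:]", ":")
    url = re.sub(r"\s*:\s*//\s*", "://", url, count=1)  # tolerate "hxxps: //"
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def domain_of(url: str) -> str:
    return urlsplit(refang(url)).hostname or ""

def cluster_by_domain(iocs):
    """Map each privacy-policy domain to the sorted packages that point at it."""
    groups = defaultdict(set)
    for pkg, url in iocs:
        groups[domain_of(url)].add(pkg.lower())
    return {dom: sorted(pkgs) for dom, pkgs in groups.items()}

def shared_domains(iocs):
    """Domains reused by more than one package: the overlap CRIL describes."""
    return sorted(d for d, pkgs in cluster_by_domain(iocs).items() if len(pkgs) > 1)

def triage(installed, iocs):
    """Classify installed package names: 'match' (listed IoC), 'review'
    (Median wrapper, not malicious by itself) or 'clean'."""
    known = {pkg.lower() for pkg, _ in iocs}
    verdict = {}
    for pkg in installed:
        p = pkg.lower()  # the article lists one package with odd capitalisation
        if p in known:
            verdict[pkg] = "match"
        elif p.startswith(MEDIAN_PREFIX):
            verdict[pkg] = "review"
        else:
            verdict[pkg] = "clean"
    return verdict
```

Feed `triage` the output of `adb shell pm list packages` (stripped of the `package:` prefix) to check a device against the full list.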