Cybersecurity researchers have identified a wave of malicious apps infiltrating the Google Play Store by posing as legitimate cryptocurrency wallets. The warning comes from threat intelligence firm Cyble, which found over 20 apps impersonating well-known crypto platforms such as PancakeSwap, SushiSwap, Hyperliquid, and Raydium. These fake apps, designed to steal users’ recovery phrases (mnemonic keys), exploit compromised developer accounts to appear authentic.
Once downloaded, the apps open phishing websites or in-app WebViews that prompt users to enter their sensitive wallet details. These credentials are then used to gain unauthorized access to real crypto wallets, allowing attackers to drain funds. Cyble emphasized that although most of these apps have already been removed, users must remain vigilant as the campaign is ongoing and new versions may still appear.
The apps exhibit suspicious patterns, including similar code structures, embedded command and control (C&C) URLs in privacy policies, and misleading app descriptions. Google has since confirmed that the flagged apps were taken down and reminded users that Play Protect offers built-in safeguards against known threats. However, security experts insist that relying on app stores alone is not enough to stay secure.
Security Experts Warn of Sophisticated Phishing Tactics
Security professionals across the industry have raised concerns about the growing complexity of these cyberattacks. Keeper Security’s Shane Barney noted that even trusted platforms like the Play Store are not immune to such threats. The malware often mimics the interface of reputable apps, effectively fooling users into entering their sensitive information.
Kevin Hoganson of iVerify added that the danger extends beyond crypto theft. Some of the apps were granted excessive permissions, such as SYSTEM_ALERT_WINDOW and Accessibility Services, allowing them to monitor clipboard activity, keystrokes, and app interactions. These features can be exploited to intercept passwords and other private data, even from secure password managers.
Security firm Black Duck’s Nivedita Murthy warned that Google does not regularly vet apps for security unless prompted by user reports. Many malicious apps capitalize on the popularity of legitimate platforms, misleading users into thinking they are installing enhanced or official versions. Cybercriminals often create nearly identical icons and names to bypass initial suspicion.
User Vigilance Is the Best Defense
As cryptocurrency has become increasingly mainstream, so too has its appeal to cybercriminals. Experts agree that crypto wallet users must adopt stricter safety practices. ESET’s Jake Moore advised users to immediately uninstall any unverified apps and cross-check app publisher details, user reviews, and download statistics before installation.
Mark Hoganson underscored the importance of downloading apps only through direct links from official websites rather than searching app stores. He explained that threat actors often use foreground services to detect when a real wallet app is opened and then overlay fake login screens, tricking users into revealing sensitive credentials.
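The permission abuse described by Hoganson (SYSTEM_ALERT_WINDOW overlays, Accessibility Services, foreground services that watch for a wallet app being opened) leaves traces in an app's manifest. The following is an added triage example, not code from Cyble or any of the quoted experts: it parses an AndroidManifest.xml, flags the permission and service declarations that enable overlay and screen-reading behaviour, and returns a coarse risk rating an analyst could use when reviewing a suspicious wallet app. The manifest below is constructed for illustration; the package name and service name are placeholders.

```python
"""Triage an Android manifest for overlay/accessibility/foreground-service abuse.

Added example (not from the original report). The sample manifest and the
package/service names in it are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions requested via <uses-permission> that support the tactics
# described in the article: drawing over other apps, staying resident, and
# seeing which app is in the foreground.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays over other apps (fake login screens)",
    "android.permission.FOREGROUND_SERVICE": "long-running presence, can wait for a wallet app to open",
    "android.permission.PACKAGE_USAGE_STATS": "can observe which app is currently in the foreground",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return flagged permissions, declared accessibility services and a risk level."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")

    requested = {
        el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)
    }
    flagged = {p: HIGH_RISK_PERMISSIONS[p] for p in requested if p in HIGH_RISK_PERMISSIONS}

    # An accessibility service is not requested with <uses-permission>; it is a
    # <service> whose android:permission is BIND_ACCESSIBILITY_SERVICE. Such a
    # service can read screen content and input events once the user enables it.
    accessibility_services = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND
    ]

    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in flagged
    if overlay and accessibility_services:
        risk = "high"      # overlay plus screen/input access: classic credential-theft combo
    elif flagged or accessibility_services:
        risk = "medium"    # one of the building blocks is present; review the app's purpose
    else:
        risk = "low"

    return {
        "package": package,
        "flagged_permissions": flagged,
        "accessibility_services": accessibility_services,
        "risk": risk,
    }


# Constructed sample: what a fake wallet's manifest might declare.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".WatcherService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a manifest that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(xml_text)
        print(f"{report['package']}: risk={report['risk']}")
        for perm, why in report["flagged_permissions"].items():
            print(f"  {perm}: {why}")
        for svc in report["accessibility_services"]:
            print(f"  accessibility service: {svc}")
```

A "high" rating here is only a triage signal: legitimate screen readers and some automation apps declare accessibility services, so the result should prompt a closer look at the app's stated purpose and publisher rather than stand alone as a verdict.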
Ultimately, while app store vetting and protections like Google Play Protect offer some level of defense, users must take an active role in their own security. As Moore pointed out, malicious app developers are constantly refining their techniques to stay ahead of detection. Once a digital wallet is compromised, recovery is often impossible, making prevention essential. Cyble recommends that users delete any suspicious apps and report them immediately to avoid falling victim.