Crypto Phishing Applications On The Play Store
Essential information
- Published
- 20/06/2025 19:25
- Modified
- 23/06/2025 23:13
- Tags
- 2025-06-20 android cryptocurrency google play store median framework mnemonic phrases phishing wallet impersonation webview
- Related entities
- 36 observables, 2 others
Description
An investigation uncovered more than 20 cryptocurrency phishing applications on the Google Play Store impersonating legitimate wallets like SushiSwap and PancakeSwap. These malicious apps employ phishing techniques to steal users' mnemonic phrases, allowing access to real wallets and theft of funds. The apps share common patterns, including embedded C&C URLs in privacy policies and similar package names. They are distributed through compromised developer accounts previously used for legitimate apps. Two main types were identified: those using the Median framework and those directly loading phishing URLs into WebViews. The campaign demonstrates a coordinated operation with a large-scale phishing infrastructure linked to over 50 domains.