We install several apps on our smartphones, mostly using the Google Play Store. While apps listed in the Play Store are supposed to be properly vetted and safe for our devices and data, there are some that manage to sneak in despite Google’s strict policies. According to Cyble Research and Intelligence Labs (CRIL), more than 20 malicious cryptocurrency wallet apps have been discovered on the Google Play Store, posing a significant threat to users by stealing sensitive wallet recovery information. According to the report, these apps are part of an active phishing campaign targeting users of popular decentralised finance (DeFi) wallets, including SushiSwap, PancakeSwap, Hyperliquid, and Raydium.
Why are these apps dangerous?
According to the report, once installed, these apps prompt users to enter their 12-word wallet recovery phrase. This phrase is critical for accessing and restoring crypto wallets. By tricking users into providing it, threat actors can take full control of victims’ wallets and transfer all assets.
How they operate?
The apps are distributed through repurposed developer accounts — previously used for legitimate apps such as gaming or video tools, which may have already earned user trust. They employ phishing URLs embedded in their privacy policies, use similar package names, and apply identical user interface designs to deploy quickly and widely.
List of affected apps
- Suiet Wallet - co.median.android.ljqjry
- SushiSwap - co.median.android.pkezyz
- Raydium - co.median.android.epwzyq
- Hyperliquid - co.median.android.epbdbn
- BullX Crypto - co.median.android.braqdy
- Pancake Swap - co.median.android.djrdyk
- OpenOcean Exchange - co.median.android.ozjjkx
- Raydium - co.median.android.pkzylr
- Hyperliquid - co.median.android.djerqq
- Suiet Wallet - co.median.android.noxmdz
- Suiet Wallet - co.median.android.epeall
- SushiSwap - co.median.android.brlljb
- Meteora Exchange - co.median.android.kbxqaj
- BullX Crypto - co.median.android.ozjwka
- Suiet Wallet - co.median.android.mpeaaw
- Hyperliquid - co.median.android.aaxblp
- Raydium - co.median.android.yakmje
- Hyperliquid - co.median.android.jroylx
- Pancake Swap - co.median.android.pkmxaj
- Harvest Finance blog - co.median.android.ljmeob
- Hyperliquid - co.median.android.epbdbn
- Raydium - co.median.android.epwzyq
Delete any of the listed apps from your device
- Never enter your wallet’s recovery phrase in unofficial apps.
- Reinstall wallet apps only via verified sources.
- Enable two-factor authentication where available.
- Monitor crypto wallet activity regularly for suspicious transactions.
How to delete these apps from your device
- Open Settings
- Tap Apps or Apps & notifications
- Scroll and locate any suspicious wallet apps listed above
- Tap the app > Select Uninstall
- If the uninstall is blocked due to device admin access:
- Go to Settings > Security > Device admin apps
- Disable access, then return to uninstall
- Note: The process of uninstalling an app from the Google Play Store may vary depending on the device.
Source: Moneycontrol
