Particle.news

Google Removes More Than 20 Crypto-Phishing Apps from Play Store

Removal follows a report that attackers used repurposed developer accounts alongside the Median framework to disguise phishing sites as legitimate crypto wallets.

Overview

  • Cybersecurity researchers at Cyble Research and Intelligence Labs discovered more than 20 malicious cryptocurrency wallet apps on the Google Play Store.
  • The apps impersonated popular wallets such as Hyperliquid, PancakeSwap and Raydium by adopting similar package names and misleading descriptions.
  • Threat actors embedded command-and-control URLs in app privacy policies and used the Median framework to convert phishing web pages into Android apps.
  • The campaign was linked to a network of over 50 phishing domains that redirected users to fake wallet interfaces and harvested their 12-word recovery phrases.
  • Google has removed the malicious apps from the Play Store and advised users to uninstall them and secure their crypto wallets.