20+ Malicious Google Play Apps Target Users for Seed Phrases


By impersonating reliable wallets and exchanges, more than 20 fraudulent apps on Google Play are stealing cryptocurrency seed phrases and endangering users’ money.

Threat intelligence company Cyble recently discovered a campaign that uses more than 20 malicious Android apps to target Bitcoin consumers through the Google Play Store.

Posing as well-known cryptocurrency wallets and exchanges such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium, these apps steal users’ 12-word mnemonic (seed) phrases, the secrets that give full control over a wallet’s funds.

The applications imitate genuine wallet interfaces and trick users into typing in their recovery phrases. Once the attackers hold a phrase, they can access and drain the real wallet. After Cyble’s disclosure, Google removed a large number of the fraudulent apps; some are still listed on the store and have been flagged for removal.

How the Scam Works

According to Cyble’s analysis, shared with Hackread.com, the fake apps are published from developer accounts that had previously hosted legitimate programs such as games, video downloaders, and streaming tools, and they carry the names and logos of popular cryptocurrency platforms. These accounts, some with more than 100,000 downloads, appear to have been taken over and repurposed to distribute the malicious apps.

[Screenshot: a developer account that previously published legitimate apps, now used for malicious activity]

In many instances, the attackers converted phishing web pages into Android apps using a development tool called the “Median framework.” The resulting apps load the phishing page directly inside a WebView (an embedded browser window), which presents itself as the wallet’s login screen and asks for the user’s mnemonic phrase.

The campaign’s infrastructure is not only large but well coordinated. Cyble found one phishing domain linked to more than fifty near-identical domains, all part of the same effort to compromise wallets.

Cyble’s researchers also noted a pattern in how the fraudulent apps operate. Many of their privacy policies contain links that actually lead to phishing websites built to harvest wallet recovery phrases. The apps also tend to follow similar naming conventions, suggesting that automated tooling was used to generate and publish them quickly.

Furthermore, many of the applications point to the same servers or websites, showing that they belong to one broader, coordinated operation. The following are a few of the fraudulent domains connected to these apps:

  • bullxnisbs
  • hyperliqwsbs
  • raydifloydcz
  • sushijamessbs
  • Pancakefentfloydcz

These domains impersonate different wallet providers and serve pages designed to trick users into revealing their seed phrases. Cyble has also published the following partial list of malicious apps:

  1. Raydium
  2. SushiSwap
  3. Suiet Wallet
  4. Hyperliquid
  5. BullX Crypto
  6. Pancake Swap
  7. Meteora Exchange
  8. OpenOcean Exchange
  9. Harvest Finance Blog

The campaign remains active even after the takedowns. Some of the apps were still available on the Play Store at the time of writing. Because the apps were built from off-the-shelf frameworks, the attackers can easily produce more of them unless they are stopped promptly.

The risk is significant. Unlike traditional banking, cryptocurrency transfers cannot be reversed and there is no institution to refund stolen funds; once a wallet has been drained, recovering the money is almost impossible.

Security teams can use the detailed Indicators of Compromise (IOCs) that Cyble has shared, which include phishing domains, package identifiers, and app names, to block these apps and domains or to investigate further.
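The two defender-side signals the article describes, privacy-policy links that resolve to known phishing domains and wallet-branded titles published from unrelated developer accounts, can be turned into a simple triage pass over an app inventory. The script below is an added example and is not Cyble’s tooling or part of its published IOC feed. The inventory records, field names, review threshold and `.example` hostnames are constructed for illustration; the domain stems are the fragments quoted in the article, whereas a real IOC feed would carry complete domains and package identifiers.

```python
"""Triage an app inventory against seed-phrase-phishing indicators (added example).

Assumptions (not from the article): the inventory shape and field names are
hypothetical, the review threshold is arbitrary, and the hostnames are constructed.
"""
from urllib.parse import urlparse

# Domain stems quoted in the article. A production feed would hold full FQDNs.
PHISHING_DOMAIN_STEMS = (
    "bullxnisbs", "hyperliqwsbs", "raydifloydcz", "sushijamessbs", "pancakefentfloydcz",
)

# Wallet/exchange brands the article says were impersonated (lower-case, no spaces).
IMPERSONATED_BRANDS = (
    "raydium", "sushiswap", "suiet", "hyperliquid", "bullx",
    "pancake", "meteora", "openocean", "harvest",
)

LOW_REVIEW_THRESHOLD = 10  # constructed threshold for the "low review count" warning sign

# Constructed inventory, shaped like an MDM/EMM export of Play listing metadata.
SAMPLE_INVENTORY = [
    {"title": "Raydium", "package": "com.example.videodl", "developer": "FunVideo Studio",
     "privacy_policy": "https://raydifloydcz.example/privacy", "reviews": 3},
    {"title": "Chess Puzzles", "package": "com.example.chess", "developer": "BoardGames Ltd",
     "privacy_policy": "https://boardgames.example/privacy", "reviews": 1200},
    {"title": "Pancake Swap", "package": "com.example.streamtv", "developer": "StreamTV Apps",
     "privacy_policy": "https://sub.pancakefentfloydcz.example/p", "reviews": 0},
]


def privacy_policy_ioc_hit(url):
    """Return the IOC stem contained in the privacy-policy hostname, or None."""
    host = (urlparse(url).hostname or "").lower()
    for stem in PHISHING_DOMAIN_STEMS:
        if stem in host:
            return stem
    return None


def brand_mismatch(app):
    """Return a wallet brand named in the title that neither the package nor the
    developer name carries, which is how the repurposed accounts in the article look."""
    title = app["title"].lower().replace(" ", "")
    package = app["package"].lower()
    developer = app["developer"].lower().replace(" ", "")
    for brand in IMPERSONATED_BRANDS:
        if brand in title and brand not in package and brand not in developer:
            return brand
    return None


def triage(app):
    """Collect (tag, detail) findings for one app; an empty list means no finding."""
    findings = []
    stem = privacy_policy_ioc_hit(app["privacy_policy"])
    if stem:
        findings.append(("ioc", f"privacy policy host matches IOC stem '{stem}'"))
    brand = brand_mismatch(app)
    if brand:
        findings.append(("brand", f"title uses brand '{brand}' but package/developer do not"))
    if app.get("reviews", 0) < LOW_REVIEW_THRESHOLD:
        findings.append(("reviews", f"only {app.get('reviews', 0)} reviews"))
    return findings


def verdict(findings):
    """An IOC match is a block; brand impersonation warrants investigation; a low
    review count on its own is only a weak signal and is left as 'clear'."""
    tags = {tag for tag, _ in findings}
    if "ioc" in tags:
        return "block"
    if "brand" in tags:
        return "investigate"
    return "clear"


def triage_inventory(inventory):
    """Map package name -> findings for every app that produced at least one finding."""
    return {app["package"]: found for app in inventory if (found := triage(app))}


if __name__ == "__main__":
    for package, findings in triage_inventory(SAMPLE_INVENTORY).items():
        print(package, verdict(findings))
        for _, detail in findings:
            print("   ", detail)
```

The brand check is deliberately coarse: a legitimate wallet app published from the vendor’s own account will normally carry the brand in its package name or developer name, so a hit here is a reason to compare the listing against the vendor’s official link rather than a conviction on its own. The IOC match, by contrast, is exact enough to act on.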

The campaign also shows that attackers continue to abuse official channels such as app stores to target the already heavily targeted cryptocurrency space. Even as app platforms work to detect malicious uploads, users remain exposed. Users are therefore advised to exercise caution and take the following precautions:

  • Look out for warning signs such as low review counts, apps that have recently been republished, or privacy policies that link to unusual URLs.
  • Avoid installing apps you do not need.
  • Turn on Google Play Protect to help identify potentially harmful apps.
  • Use two-factor authentication and biometric security where available.
  • Be careful when downloading apps from both official and third-party stores.
  • Never enter your 12-word recovery phrase into an app or website unless you have verified that it is the genuine wallet.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
