Cybersecurity experts have uncovered a widespread malware campaign exploiting the Google Play Store to target cryptocurrency users. According to a recent report, over 20 fake crypto wallet apps mimicking trusted services have been discovered, designed to steal mnemonic phrases—the master keys to crypto wallets—and siphon off users’ funds.
These deceptive apps pose a major threat to crypto investors globally, especially those who rely on mobile platforms for asset management. The malware campaign is still active, with new fake apps being uploaded even after several have been removed by Google.
The Modus Operandi: How Fake Wallets Trick Users
The malicious apps disguise themselves as legitimate crypto wallets by copying the logos, names, and UI of well-known platforms. Once installed, an app either opens a phishing website or presents a fake wallet interface that prompts the user to enter their mnemonic phrase, the sequence of words used to recover a wallet on a new device.
Because every key in the wallet is derived deterministically from the mnemonic phrase, anyone who obtains it can reconstruct the wallet offline and transfer its entire balance to another address. On a public blockchain that transfer is instant and irreversible.
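To make concrete why a mnemonic phrase is the "master key" described above, here is an added illustration (not code from the report or from any of the wallets named on this page) of the standard BIP39/BIP32 derivation every such wallet performs. The phrase goes through PBKDF2-HMAC-SHA512 to produce a 64-byte seed, and the seed through HMAC-SHA512 to produce the master private key; no device, account, or server is involved, so a thief with the phrase reproduces everything. The sample phrase and passphrase are the published BIP39 test vector (twelve words, passphrase "TREZOR"), not a real wallet.

```python
import hashlib
import hmac
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic phrase.

    This is the derivation specified by BIP39: NFKD-normalise both strings,
    then run PBKDF2-HMAC-SHA512 for 2048 rounds with the salt
    "mnemonic" + passphrase.  Nothing in the computation is secret except
    the inputs, so anyone holding the phrase can reproduce the seed offline.
    """
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """Split the BIP32 master key out of a seed.

    BIP32 keys HMAC-SHA512 with the fixed string "Bitcoin seed"; the left
    32 bytes are the master private key and the right 32 bytes the chain
    code.  Every account and address key is derived from this pair, so
    whoever holds it holds the whole wallet.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# Published BIP39 test vector (constructed input, not a real wallet):
# 128 bits of zero entropy encode as eleven "abandon" plus the checksum word.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
TEST_PASSPHRASE = "TREZOR"


def demo() -> dict:
    """Show that the phrase alone fixes the seed, and that the optional
    BIP39 passphrase (the so-called 25th word) changes it completely."""
    seed = bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    seed_no_pass = bip39_seed(TEST_MNEMONIC)  # same words, no passphrase
    priv, chain = bip32_master_key(seed)
    return {
        "seed_hex": seed.hex(),
        "master_priv_hex": priv.hex(),
        "chain_code_hex": chain.hex(),
        "passphrase_changes_seed": seed != seed_no_pass,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical lesson is the last field: a wallet that supports a BIP39 passphrase derives a completely different seed from the same twelve or twenty-four words, so a phished phrase without the passphrase opens an empty wallet. Users who set one should never enter it into the same prompt as the words.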
The report identifies nine popular wallets being impersonated, including:
- PancakeSwap
- Suiet Wallet
- Hyperliquid
- Raydium
- BullX Crypto
- OpenOcean Exchange
- Meteora Exchange
- SushiSwap
- Harvest Finance Blog
While these apps appear to come from different developers, analysts found common traits: similar app descriptions, nearly identical package names, and Command and Control (C2) links embedded in their privacy policies. In many cases the uploads came from legitimate developer accounts that had been compromised and repurposed to publish the malicious clones.
Google’s Response and Protective Measures
After being alerted, Google began taking the apps down from the Play Store, and all of the reported apps have now been removed. Google also relies on Google Play Protect, which warns users about, or blocks, harmful apps on devices running Play Services.
However, experts warn that because of the scale of the phishing operation, believed to involve more than 50 fake websites, many users may already have installed these apps unknowingly. Removal from the store does not undo the theft of a phrase that has already been entered.
A security expert emphasized, “Users should never assume safety based on Play Store presence alone. Always verify the developer, read reviews, and check download numbers before installation.”
What Users Should Do Now: Steps to Stay Safe
Experts urge immediate action:
- Delete any unverified crypto wallet apps from your phone, especially any that impersonate the wallets listed above. If you entered your mnemonic phrase into one, treat that wallet as compromised: create a new wallet and move any remaining funds to it immediately.
- Turn on Google Play Protect: open the Play Store app, tap your profile icon, then Play Protect > Settings.
- Never share your mnemonic phrase or private keys with any app, link, or person. A genuine wallet asks for the phrase only when you yourself choose to restore it, never as a condition of logging in or claiming a reward.
- Install wallet apps only by following the download link on the cryptocurrency service’s official website to its store listing. Searching the app store by name is exactly what these impersonators are designed to exploit.
The sophistication of these apps and the scale of their reach underscore the need for extreme caution in the digital finance ecosystem.
As cybercriminals grow smarter and phishing tactics more convincing, user vigilance and trusted sources remain the strongest defense.