In a fresh cybersecurity alert, over 22 malicious cryptocurrency wallet apps have been discovered on the Google Play Store, putting millions of Android users at risk. These apps impersonate trusted Web3 and DeFi platforms such as PancakeSwap, SushiSwap, and Hyperliquid, tricking users into entering sensitive wallet credentials.
According to a detailed report from cybersecurity firm Cyble, these apps were being used in an active phishing campaign targeting crypto investors. Users who downloaded these apps and entered their 12-word wallet recovery phrases may have unknowingly handed full control of their crypto wallets to attackers.
The Threat | Fake Wallets Masquerading as Legitimate DeFi Apps
The malicious apps closely mimic real crypto wallets, copying not just the user interface but also using nearly identical developer names and logos. Once installed, these apps prompt users to restore their wallets using a recovery phrase, a process commonly used in legitimate wallets. However, in this case, that information is transmitted directly to the attackers.
The apps have already been removed from Google Play following Cyble’s report, but many devices may still have them installed.
Full List of Flagged Apps
Cyble’s investigation found 22 deceptive applications, categorized as follows:
- Suiet Wallet – 3 fake versions
- SushiSwap Wallet – 2
- Raydium Wallet – 3
- Hyper Liquid Wallet – 4
- BullX Crypto Wallet – 2
- PancakeSwap Wallet – 1
- OpenOcean Exchange Wallet – 1
- Meteora Exchange Wallet – 1
- Harvest Finance (blog-themed app) – 1
Status: While Google has removed these apps from the Play Store, they will continue to pose a risk if not manually deleted from devices where they are already installed.
How the Attack Works
- User downloads a fake app from Google Play.
- App mimics the UI of a legitimate wallet.
- User is prompted to enter the 12-word recovery phrase.
- Data is silently sent to a remote server controlled by attackers.
- Crypto assets are accessed and drained, often without any visible trace until it’s too late.
The phishing scheme exploits users’ familiarity with wallet setup processes, leading to higher success rates than more traditional scams.
What Should Users Do Now?
1. Check for and delete malicious apps
Open Settings > Apps and check if any of the apps listed above are installed. Uninstall them immediately.
If the uninstall button is disabled, go to Settings > Security > Device admin apps and revoke admin privileges before retrying.
2. Change wallet and move assets
If you’ve used a compromised app, assume your recovery phrase is exposed. Transfer your assets to a new wallet created with a freshly generated seed phrase.
3. Only use official apps
Always download wallets from the official websites or verified developer accounts. Double-check app reviews, update history, and developer info.
4. Enable Play Protect and device-level security
Google Play Protect helps flag unsafe apps, though it’s not always foolproof. Complement it with a trusted mobile antivirus and avoid sideloading APKs.
The Bigger Concern | Gaps in App Store Security
This incident reveals that despite Google’s automated scanning and security policies, threat actors continue to find creative ways to bypass detection. These apps did not contain malicious code upfront but used backend infrastructure to activate harmful behavior after installation — a tactic increasingly used in mobile cybercrime.
Security experts argue that the vetting process for crypto-related apps needs to evolve in line with the growing financial stakes of Web3 users.
Expert Insights
“Seed phrase phishing is one of the oldest attack vectors in the crypto world, yet it remains effective because of the trust users place in branded apps,” said a Cyble spokesperson in the official disclosure.
The firm recommends that crypto platforms develop publicly verifiable developer keys, and that marketplaces implement blockchain-specific security checks, especially for apps dealing with user assets.
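To illustrate how publicly verifiable developer keys would help, here is an added example (not from Cyble's report or from any of the named projects) that audits a device's app inventory: any app whose label resembles a protected brand must match that brand's pinned package name and signing-certificate digest. The package names, certificate digests, inventory rows and the 0.85 similarity threshold are all constructed placeholders and assumptions.

```python
import difflib
import re

# Constructed pin list: brand -> (official package name, signer cert SHA-256).
# Placeholder values; real ones must come from each project's own website.
PINNED = {
    "pancakeswap": ("com.example.pancakeswap", "aa" * 32),
    "sushiswap": ("com.example.sushiswap", "bb" * 32),
    "hyperliquid": ("com.example.hyperliquid", "cc" * 32),
}
# Constructed device inventory: (app label, package name, signer cert SHA-256).
INVENTORY = [
    ("PancakeSwap Wallet", "com.example.pancakeswap", "aa" * 32),
    ("Hyper Liquid Wallet", "com.constructed.hlwallet", "dd" * 32),
    ("SushiSwap Wallet", "com.example.sushiswap", "ee" * 32),
    ("Weather Today", "com.constructed.weather", "ff" * 32),
]
GENERIC = {"wallet", "crypto", "exchange", "app", "defi"}


def brand_key(label):
    """Lowercase the label, drop generic words, join the rest without spaces."""
    words = re.findall(r"[a-z0-9]+", label.lower())
    return "".join(w for w in words if w not in GENERIC)


def claimed_brand(label, threshold=0.85):
    """Return the pinned brand this label matches or closely imitates, else None."""
    key = brand_key(label)
    scores = {b: difflib.SequenceMatcher(None, key, b).ratio() for b in PINNED}
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else None


def audit(inventory):
    """Flag apps that present a pinned brand but fail the package or cert pin."""
    findings = []
    for label, package, cert in inventory:
        brand = claimed_brand(label)
        if brand is None:
            continue  # label does not resemble any protected brand
        pin_pkg, pin_cert = PINNED[brand]
        if package != pin_pkg:
            findings.append((label, "package mismatch"))
        elif cert.lower() != pin_cert:
            findings.append((label, "signing certificate mismatch"))
    return findings
```

Calling `audit(INVENTORY)` flags the "Hyper Liquid Wallet" and "SushiSwap Wallet" rows and passes the other two. On a real APK, the signer digest can be read with `apksigner verify --print-certs`.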
Closing Thoughts
As cryptocurrency adoption grows globally, so do the risks associated with decentralized asset management. The tools of financial freedom also come with the burden of self-security. Mobile users must understand that recovery phrases are not meant to be entered casually, especially into apps from unverified sources.
The 22 malicious apps removed from Google Play serve as a reminder that convenience should never compromise caution. Stay updated, stay skeptical, and never share your seed phrase.