Do Son 
Malicious application impersonating SushiSwap wallet
Even if you download applications exclusively from Google Play, this does not always guarantee safety—particularly when it comes to cryptocurrency wallets. Researchers at Cyble Research and Intelligence Labs (CRIL) have uncovered over 20 malicious Android applications that masquerade as popular wallet apps, stealthily exfiltrating the private keys to users’ digital assets.
These counterfeit apps mimic the names, icons, and interfaces of renowned services such as SushiSwap, PancakeSwap, Hyperliquid, Raydium, and others. Once installed, they prompt users to input their mnemonic phrase—the twelve-word “vault key” required to restore wallet access. Entering it leads to an immediate theft of funds by malicious actors.
These applications are not spread haphazardly, but through compromised or repurposed developer accounts that previously published legitimate software—games, video platforms, and streaming services. Some of the fake apps remain available on Google Play, while others were removed following researchers’ reports. Nonetheless, the campaign continues.
The malware strains share telltale signs: phishing domains embedded within privacy policies, identical naming schemes for app packages, and reliance on the same development framework—Median—which swiftly converts websites into APK files.
Below is a list of the identified malicious applications:
| Application Name | Package Identifier | Phishing Domain |
|---|---|---|
| Pancake Swap | co.median.android.pkmxaj | hxxps://pancakefentfloyd.cz/privatepolicy.html |
| Suiet Wallet | co.median.android.ljqjry | hxxps://suietsiz.cz/privatepolicy.html |
| Hyperliquid | co.median.android.jroylx | hxxps://hyperliqw.sbs/privatepolicy.html |
| Raydium | co.median.android.yakmje | hxxps://raydifloyd.cz/privatepolicy.html |
| Hyperliquid | co.median.android.aaxblp | hxxps://hyperliqw.sbs/privatepolicy.html |
| BullX Crypto | co.median.android.ozjwka | hxxps://bullxni.sbs/privatepolicy.html |
| OpenOcean Exchange | co.median.android.ozjjkx | hxxps://openoceansi.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.mpeaaw | hxxps://suietsiz.cz/privatepolicy.html |
| Meteora Exchange | co.median.android.kbxqaj | hxxps://meteorafloydoverdose.sbs/privatepolicy.html |
| Raydium | co.median.android.epwzyq | hxxps://raydifloyd.cz/privatepolicy.html |
| SushiSwap | co.median.android.pkezyz | hxxps://sushijames.sbs/privatepolicy.html |
| Raydium | co.median.android.pkzylr | hxxps://raydifloyd.cz/privatepolicy.html |
| SushiSwap | co.median.android.brlljb | hxxps://sushijames.sbs/privatepolicy.html |
| Hyperliquid | co.median.android.djerqq | hxxps://hyperliqw.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.epeall | hxxps://suietwz.sbs/privatepolicy.html |
| BullX Crypto | co.median.android.braqdy | hxxps://bullxni.sbs/privatepolicy.html |
| Harvest Finance Blog | co.median.android.ljmeob | hxxps://harvestfin.sbs/privatepolicy.html |
| Pancake Swap | co.median.android.djrdyk | hxxps://pancakefentfloyd.cz/privatepolicy.html |
| Hyperliquid | co.median.android.epbdbn | hxxps://hyperliqw.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.noxmdz | hxxps://suietwz.sbs/privatepolicy.html |
Additionally, two more apps were found employing alternate tactics, though with the same malicious intent of key theft:
| Application Name | Package Identifier | Phishing Domain |
|---|---|---|
| Raydium | cryptoknowledge.rays | hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc |
| PancakeSwap | com.cryptoknowledge.quizzz | hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc |
Some of the malware opens phishing websites within embedded WebView components, while others utilize compiled modules to load deceptive interfaces. All lead to websites meticulously designed to mirror legitimate wallets but are, in fact, traps. Researchers discovered that these apps are tied to a shared infrastructure involving over 50 phishing domains hosted on a single IP address.
This attack is particularly insidious due to its sophisticated disguise as authentic products and its use of previously reputable developer accounts. For cryptocurrency users, the consequences can be catastrophic and irreversible—unlike traditional banking systems, there is no recourse for reversing transactions or retrieving stolen funds.
To protect yourself, download wallet apps only from links provided on the official project website. Examine your device for any apps from the above list, and enable Google Play Protect, which may help detect and block suspicious installations early.
In the era of digital assets, a single careless tap may cost you your entire wallet.
Donate