These apps masquerade as popular services and steal cryptocurrency.
Even if you only download apps from Google Play, that doesn’t always guarantee safety—especially when it comes to crypto wallets. Researchers from Cyble Research and Intelligence Labs (CRIL) have discovered over 20 malicious Android apps that disguise themselves as popular wallets and silently steal the keys to your digital assets.
The fakes copy the names, icons, and interfaces of well-known services like SushiSwap, PancakeSwap, Hyperliquid, Raydium, and others. Once on the phone, they ask the user to enter their mnemonic phrase—the 12-word “safe key” needed to restore access to a wallet. If you enter it, your funds will be instantly withdrawn by the attackers.
These apps are distributed not just anywhere but through hacked or repurposed developer accounts that previously published legitimate programs—games, video services, and streaming apps. Some of them are still available on Google Play, others have been removed after researcher complaints, but the campaign continues.
Suspicious signs are similar across all these malware apps: phishing domain links are hidden in the privacy policies, identical package naming patterns are used, and they’re all built on the same Median framework, which quickly turns websites into APK files.
Here’s the list of identified malicious apps:
| App Name | Package Identifier | Phishing Domain |
|---|---|---|
| Pancake Swap | co.median.android.pkmxaj | hxxps://pancakefentfloyd.cz/privatepolicy.html |
| Suiet Wallet | co.median.android.ljqjry | hxxps://suietsiz.cz/privatepolicy.html |
| Hyperliquid | co.median.android.jroylx | hxxps://hyperliqw.sbs/privatepolicy.html |
| Raydium | co.median.android.yakmje | hxxps://raydifloyd.cz/privatepolicy.html |
| Hyperliquid | co.median.android.aaxblp | hxxps://hyperliqw.sbs/privatepolicy.html |
| BullX Crypto | co.median.android.ozjwka | hxxps://bullxni.sbs/privatepolicy.html |
| OpenOcean Exchange | co.median.android.ozjjkx | hxxps://openoceansi.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.mpeaaw | hxxps://suietsiz.cz/privatepolicy.html |
| Meteora Exchange | co.median.android.kbxqaj | hxxps://meteorafloydoverdose.sbs/privatepolicy.html |
| Raydium | co.median.android.epwzyq | hxxps://raydifloyd.cz/privatepolicy.html |
| SushiSwap | co.median.android.pkezyz | hxxps://sushijames.sbs/privatepolicy.html |
| Raydium | co.median.android.pkzylr | hxxps://raydifloyd.cz/privatepolicy.html |
| SushiSwap | co.median.android.brlljb | hxxps://sushijames.sbs/privatepolicy.html |
| Hyperliquid | co.median.android.djerqq | hxxps://hyperliqw.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.epeall | hxxps://suietwz.sbs/privatepolicy.html |
| BullX Crypto | co.median.android.braqdy | hxxps://bullxni.sbs/privatepolicy.html |
| Harvest Finance blog | co.median.android.ljmeob | hxxps://harvestfin.sbs/privatepolicy.html |
| Pancake Swap | co.median.android.djrdyk | hxxps://pancakefentfloyd.cz/privatepolicy.html |
| Hyperliquid | co.median.android.epbdbn | hxxps://hyperliqw.sbs/privatepolicy.html |
| Suiet Wallet | co.median.android.noxmdz | hxxps://suietwz.sbs/privatepolicy.html |
Additionally, two apps using different tactics but the same goal—stealing access keys—were identified:
| App Name | Package Identifier | Phishing Domain |
|---|---|---|
| Raydium | cryptoknowledge.rays | hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc |
| PancakeSwap | com.cryptoknowledge.quizzz | hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc |
Some of the malware apps open phishing websites inside embedded WebViews, while others use compiled modules to load the interface. All of them lead to sites that visually mimic legitimate wallets but are actually traps. Researchers have found that these apps are connected to a shared infrastructure with over 50 phishing domains hosted on a single IP address.
This attack is particularly dangerous due to the subtle masquerade as legitimate products and the use of reputable developer accounts. For cryptocurrency users, this could mean total and irreversible loss of funds—unlike banks, there’s no way to reverse a transaction or get stolen funds back.
To protect yourself, only download wallet apps from links on the official project website. Check that none of the apps from the list are installed on your phone. Also, enable Google Play Protect—it can help block suspicious installations at an early stage.
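One way to run the check described above on a phone connected over adb, as an added example that is not from the original article or from CRIL: it matches installed package names against the identifiers in the tables and separately flags names that only share the naming pattern. The function names, the sample output and the package `co.median.android.qwerty` are constructed for illustration.

```python
import re

# Package identifiers copied from the two tables above (nothing added).
MEDIAN_SUFFIXES = """
pkmxaj ljqjry jroylx yakmje aaxblp ozjwka ozjjkx mpeaaw kbxqaj epwzyq
pkezyz pkzylr brlljb djerqq epeall braqdy ljmeob djrdyk epbdbn noxmdz
""".split()
KNOWN_BAD = {f"co.median.android.{s}" for s in MEDIAN_SUFFIXES} | {
    "cryptoknowledge.rays",
    "com.cryptoknowledge.quizzz",
}

# Naming pattern shared by the listed apps: Median prefix + six lowercase letters.
# Assumption: a pattern match alone is only a reason to review the app by hand,
# since the same website-to-APK framework can be used by legitimate developers.
MEDIAN_PATTERN = re.compile(r"co\.median\.android\.[a-z]{6}")


def parse_pm_list(output):
    """Extract package names from `adb shell pm list packages` output."""
    lines = (line.strip() for line in output.splitlines())
    return [l[len("package:"):].strip() for l in lines if l.startswith("package:")]


def audit(packages):
    """Return (listed, review): exact list matches and pattern-only matches."""
    listed = sorted(p for p in packages if p in KNOWN_BAD)
    review = sorted(p for p in packages
                    if p not in KNOWN_BAD and MEDIAN_PATTERN.fullmatch(p))
    return listed, review


# Constructed sample output; only the first and last entries come from the tables.
SAMPLE = """\
package:co.median.android.pkmxaj
package:com.android.chrome
package:co.median.android.qwerty
package:org.example.wallet
package:com.cryptoknowledge.quizzz
"""

if __name__ == "__main__":
    listed, review = audit(parse_pm_list(SAMPLE))
    print("On the published list:", listed)
    print("Same naming pattern, review manually:", review)
```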
In the digital assets era, every careless screen tap could cost you your entire wallet.
