Cybersecurity researchers at Cyble Research and Intelligence Labs have identified over 20 malicious cryptocurrency wallet apps on the Google Play Store designed to steal users' wallet recovery phrases. The campaign involved apps impersonating popular crypto wallets such as PancakeSwap, Raydium, Hyperliquid, Suiet Wallet, SushiSwap, Meteora Exchange, OpenOcean Exchange, Harvest Finance Blog, and BullX Crypto.
These fraudulent apps prompted users to enter their 12-word mnemonic phrases, allowing attackers to access and empty the victims' wallets. The apps were distributed through developer accounts that previously hosted legitimate applications, some with over 100,000 downloads, and used the Median framework to quickly replicate phishing sites within the app via WebView. The phishing infrastructure behind the campaign is linked to over 50 domains.
Many of the malicious apps have been removed from Google Play, but a few remain active and have been flagged for removal. Users are urged to delete any suspicious wallet apps, avoid entering recovery phrases into unfamiliar applications, and enable security measures such as two-factor authentication.
Separately, a supply chain attack has compromised at least 16 popular Gluestack 'react-native-aria' NPM packages, affecting over 950,000 weekly downloads. Attackers injected remote access trojan (RAT) capabilities into the packages. The attack is ongoing, and the affected packages have been deprecated, though some compromised versions remain available due to dependencies.
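Because deprecated versions stay installable and can still be pulled in transitively, the practical response to a compromise like this is to audit the lockfile rather than only the top-level dependency list. The following scanner is an added example, not code from Cyble, Gluestack or npm: it walks a `package-lock.json` (lockfile v2/v3 `packages` map, with a fallback for the nested v1 `dependencies` tree) and reports every occurrence of a blocklisted package, marking whether the pinned version is one of the known-bad ones. The package names and versions in `COMPROMISED` and the `SAMPLE_LOCK` entries are constructed placeholders; substitute the identifiers from the actual advisory.

```python
"""Audit an npm lockfile for blocklisted (compromised) packages.

Added example, not the project's or vendor's own code. The blocklist and the
sample lockfile are constructed placeholders for demonstration.
"""
import json
import sys
from typing import Dict, List, Set, Tuple

# Placeholder blocklist: package name -> versions known to be compromised.
# Replace with the names/versions published in the advisory you are acting on.
COMPROMISED: Dict[str, Set[str]] = {
    "@example-scope/pkg-a": {"1.2.3"},
    "@example-scope/pkg-b": {"0.9.0", "0.9.1"},
}

Finding = Tuple[str, str, str, bool]  # (install path, name, version, bad version?)


def package_name_from_path(path: str) -> str:
    """Lockfile v2/v3 keys entries by install path, e.g.
    'node_modules/a/node_modules/@scope/name'; return the final package name."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path if idx == -1 else path[idx + len(marker):]


def _walk_v1(deps: dict, prefix: str, blocklist: Dict[str, Set[str]], out: List[Finding]) -> None:
    """Recursively walk the nested 'dependencies' tree used by lockfile v1."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name in blocklist:
            version = meta.get("version", "")
            out.append((path, name, version, version in blocklist[name]))
        _walk_v1(meta.get("dependencies", {}), path + "/", blocklist, out)


def scan_lockfile(lock: dict, blocklist: Dict[str, Set[str]]) -> List[Finding]:
    """Return one finding per installed copy of a blocklisted package.

    Every copy is reported, including transitive ones and versions not on the
    bad list: a deprecated package still resolves from the registry, so any
    dependency on it deserves review, not only the exact compromised releases.
    """
    findings: List[Finding] = []
    if "packages" in lock:  # lockfile v2/v3
        for path, meta in lock["packages"].items():
            if path == "":  # root project entry
                continue
            name = package_name_from_path(path)
            if name in blocklist:
                version = meta.get("version", "")
                findings.append((path, name, version, version in blocklist[name]))
    else:  # lockfile v1
        _walk_v1(lock.get("dependencies", {}), "", blocklist, findings)
    return findings


def has_compromised_version(findings: List[Finding]) -> bool:
    """True if any reported copy is pinned to a known-bad version."""
    return any(bad for _, _, _, bad in findings)


# Constructed sample lockfile: one blocklisted package pulled in transitively at a
# bad version, one depended on directly at an older version, and an unrelated package.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"ui-kit": "^2.0.0"}},
        "node_modules/ui-kit": {"version": "2.0.0",
                                "dependencies": {"@example-scope/pkg-a": "^1.2.0"}},
        "node_modules/ui-kit/node_modules/@example-scope/pkg-a": {"version": "1.2.3"},
        "node_modules/@example-scope/pkg-b": {"version": "0.8.5"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    # Usage: python lockscan.py [path/to/package-lock.json]; defaults to the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    results = scan_lockfile(lock, COMPROMISED)
    for path, name, version, bad in results:
        print(f"{'BAD ' if bad else 'WARN'} {name}@{version}  ({path})")
    sys.exit(1 if has_compromised_version(results) else 0)
```

Run against a real lockfile, a non-zero exit on a known-bad version lets the script gate a CI job; `WARN` lines flag copies of a deprecated package at other versions so they can be removed or replaced before the next install resolves them again.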
Also in the npm ecosystem, an "absurd" 12-step malware dropper has been spotted in malicious packages; the supply chain attack used steganography, a "dizzying wall of Unicode characters", and more.