
June 17, 2025 15 mins
Protecting Your Crypto Wallets from Deceptive Apps

This episode covers a critical cybersecurity threat that has hit cryptocurrency users on the Google Play Store. In this episode of Upwardly Mobile, we uncover the alarming findings by Cyble Research and Intelligence Labs (CRIL), who identified over 20 malicious applications actively targeting crypto wallet users [1-4].

Key Discoveries and Threat Tactics:
• These deceptive apps impersonate legitimate and popular crypto wallets such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium [2-4]. They even use the icons of legitimate wallets to trick victims into trusting them [5].
• Once installed, the apps prompt users to enter their 12-word mnemonic phrases to access fraudulent wallet interfaces [2, 3, 6]. This highly sensitive information is then used by threat actors to access real wallets and drain cryptocurrency funds, leading to irreversible financial losses, as cryptocurrency transactions are not easily reversible [3, 7-9].
• The malicious apps are distributed through the Play Store under compromised or repurposed developer accounts [2-4]. Some of these accounts previously hosted legitimate apps and had amassed over 100,000 downloads, suggesting they were compromised to distribute these new malicious applications [8, 10].
• Threat actors employ consistent patterns, such as embedding phishing URLs within their privacy policies and using similar package names and descriptions [2, 5, 8]. The investigation also revealed that these apps leverage development frameworks like Median to rapidly convert phishing websites into Android apps [6, 11].
• A look into the infrastructure uncovered that the phishing URLs are hosted on IP addresses associated with over 50 other phishing domains, indicating a centralized and well-coordinated operation [7, 12-14]. This large-scale phishing infrastructure, combined with seemingly legitimate applications, makes detection challenging and extends the campaign's reach [7, 14].

The Reality of App Store Security & Why Vigilance is Key: This campaign underscores a critical mobile app security myth: mobile app stores do not guarantee the security of all apps available for download [15, 16]. Despite stringent security measures, malicious apps can and do make their way onto platforms like the Google Play Store [16-21]. Cybersecurity experts, like Jake Moore from ESET, emphasize that users must be extremely cautious and perform due diligence even when downloading from legitimate platforms, especially for apps connected to finances [17].
**Your Defense Strategy:** To safeguard your digital assets and personal information, it's crucial to follow these essential cybersecurity best practices:
• Download apps ONLY from verified developers and carefully check app reviews, publisher details, and download statistics before installing [17, 22].
• NEVER enter sensitive information like mnemonic phrases into an app unless you are absolutely certain it's the legitimate application, ideally linked directly from the official website of the crypto wallet itself [9, 22].
• Enable biometric security features, such as fingerprint or facial recognition, on your mobile devices [22].
• Be extremely cautious about opening any links received via SMS or emails, as these are common phishing vectors [22].
• Ensure that Google Play Protect is enabled on your Android devices [8, 22].
For developers, it's crucial to prioritize security throughout the mobile app development lifecycle, recognizing that static defenses like code obfuscation are often insufficient [19, 23-27]. Dynamic, runtime security measures such as Runtime Application Self-Protection (RASP), Runtime Secrets Protection, and Dynamic Certificate Pinning are non-negotiable for protecting sensitive data and functionality [27]. Additionally, App Attestation and token-based API access are vital for verifying the integrity of the mobile app itself before granting API access, blocking bots, scripts, and tampered apps [27-29].
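As an added illustration of the app attestation plus token-based API access pattern described above (example code written for this page, not Approov's or any vendor's implementation): a simplified attestation service issues a short-lived HMAC-signed token only when the app measurement matches the genuine build and the device shows no tampering, and the API backend rejects any request whose token is missing, forged, expired, or tied to another build. The shared secret, the genuine app hash, and the tamper signals are constructed sample values; a real service derives them from device and app measurements.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Hypothetical shared secret between the attestation service and the API backend.
SECRET = b"example-attestation-signing-key"
TOKEN_TTL = 300  # seconds: short-lived, so a leaked token has little value

# Constructed sample: the digest the attestation service expects for the genuine build.
GENUINE_APP_HASH = hashlib.sha256(b"genuine-wallet-app-v1.2").hexdigest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def attest(app_hash: str, rooted: bool, hooked: bool,
           now: Optional[float] = None) -> Optional[str]:
    """Attestation service side: issue a signed, short-lived token only when the
    app matches the genuine build and no tampering signal (root, hooking) is set."""
    if app_hash != GENUINE_APP_HASH or rooted or hooked:
        return None  # clones, repackaged apps and bare scripts get no token at all
    now = time.time() if now is None else now
    claims = {"app": app_hash, "iat": int(now), "exp": int(now) + TOKEN_TTL}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify(token: Optional[str], now: Optional[float] = None) -> Tuple[bool, str]:
    """API backend side: accept only a valid, unexpired token for the genuine build.
    Returns (accepted, reason) so the caller can log why a request was refused."""
    if not token or token.count(".") != 1:
        return False, "missing token"
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    try:
        claims = json.loads(_unb64(body))
    except ValueError:
        return False, "malformed claims"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("app") != GENUINE_APP_HASH:
        return False, "unknown app build"
    return True, "ok"


def handle_wallet_request(token: Optional[str], now: Optional[float] = None) -> dict:
    """A protected endpoint: the attestation check runs before any business logic."""
    ok, reason = verify(token, now)
    if not ok:
        return {"status": 401, "error": reason}
    return {"status": 200, "balance": "0.42 BTC"}  # constructed sample response


if __name__ == "__main__":
    good = attest(GENUINE_APP_HASH, rooted=False, hooked=False)
    print(handle_wallet_request(good))      # served: genuine app with fresh token
    print(handle_wallet_request(None))      # refused: a script calling the API directly
    print(attest("deadbeef", rooted=False, hooked=False))  # None: repackaged build
```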

Sponsor Spotlight: This episode of "Upwardly Mobile" is proudly sponsored by Approov, the gold standard in mobile app attestation and API security. Approov helps protect mobile apps and APIs by enforcing trust boundaries between mobile clients and backend services, significantly raising the bar against malicious or unauthorized data harvesting and sophisticated attacks. Learn more about securing your mobile apps and APIs at approov.io.

Relevant Links:
• Excerpts from "Crypto Phishing Applications On The Play Store" [1-3, 5-7, 10-13, 22, 30-42]
• Excerpts from "Delete Every App On Your Smartphone That’s On This List" [4, 8, 9, 14, 17, 43-49]
• Excerpts from "Mobile App Security Myths" [15, 16, 18-21, 23-26, 50-69]


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome back to Upwardly Mobile, where we really get into
the nuts and bolts of mobile app and API security.

Speaker 2 (00:07):
Keeping you up to speed on what's happening out there.
I'm George and I'm Sky.

Speaker 3 (00:11):
It's well, it's crucial.

Speaker 2 (00:12):
To stay informed, especially for developers and security folks.

Speaker 1 (00:15):
Absolutely, today we're looking at something pretty significant, a big
threat hitting mobile users, specifically targeting crypto wallets.

Speaker 2 (00:23):
Right, we're talking about a major crypto phishing campaign that
actually showed up on the Google Play Store.

Speaker 1 (00:28):
Yeah, and it really shines the light on some let's say,
persistent myths about mobile app security, things we maybe take
for granted.

Speaker 3 (00:36):
Exactly, it's more than just crypto.

Speaker 2 (00:38):
It's about how attackers use trust, how they use these
you know, seemingly safe platforms. It makes you rethink your defenses.

Speaker 1 (00:45):
Okay, so let's unpack this crypto phishing campaign first. What
exactly happened? Who spotted it?

Speaker 2 (00:50):
Well, it was Cyble Research and Intelligence Lab CRIL. They
found get this over twenty malicious.

Speaker 1 (00:57):
Apps twenty on the Play Store, on.

Speaker 2 (00:59):
The Play Store, and they were all specifically designed to go
after crypto wallet users.

Speaker 1 (01:05):
Wow, okay, twenty apps getting past Google's checks. Yeah, that's concerning.
So how did the attack actually work? What was the method?

Speaker 2 (01:13):
It was basically classic phishing, but very well disguised.

Speaker 3 (01:16):
Impersonation was key.

Speaker 2 (01:18):
Impersonating what legitimate popular crypto wallets think SushiSwap, PancakeSwap,
Hyperliquid, Raydium, the names people know and trust, okay,
And they didn't just use the names, they use the
actual icons from the real apps. So at first glance
they look totally legit. Builds instant but false trust.

Speaker 1 (01:38):
You know, right, that makes sense, So the user downloads
it thinking it's the real deal. Yeah, then what what's
the killer move?

Speaker 2 (01:44):
Once you install it, the app hits you with a prompt.
It asks for your twelve word mnemonic.

Speaker 1 (01:49):
Phrase oof, the recovery phrase exactly.

Speaker 3 (01:52):
The keys to the Kingdom.

Speaker 2 (01:53):
It looks like a normal wallet setup screen, but the
moment you type that phrase in it's game over.

Speaker 3 (01:58):
How so, well, that go straight to the attackers. They
immediately use it to access.

Speaker 2 (02:02):
Your real wallet and just empty it, drain all the cryptos.

Speaker 1 (02:05):
And with crypto, that's usually irreversible, right, not like calling
your bank.

Speaker 2 (02:09):
Precisely, that's the sting. The immutability feature design for security
works against you here.

Speaker 3 (02:15):
Once it's gone. It's gone.

Speaker 2 (02:17):
No chargebacks, no central authority to appeal to. You're pretty
much on your own.

Speaker 1 (02:22):
A harsh lesson in self custody risks.

Speaker 2 (02:25):
Okay, so how did these apps even get onto the
Play Store? And did CRIL find any patterns connecting them?

Speaker 1 (02:31):
This is the really disturbing part. They used compromised or
like repurposed developer accounts.

Speaker 3 (02:36):
What do you mean repurpose?

Speaker 1 (02:37):
Well, some of these accounts actually used to host legitimate apps, games,
video downloaders, things like that. Some even had like over
one hundred thousand downloads.

Speaker 2 (02:46):
Historically, so they had built in credibility exactly.

Speaker 1 (02:49):
It suggests attackers took over existing accounts, maybe bought them,
maybe hacked them to piggyback on that established trust makes
them harder to spot.

Speaker 3 (02:57):
Sneaky.

Speaker 2 (02:58):
Were there technical clues linking these apps, like code similarities
or infrastructure?

Speaker 1 (03:02):
Oh definitely, CRIL found consistent patterns. Yeah. For instance, the
phishing command and control, the C and C URLs, were often
hidden inside the app's privacy policy.

Speaker 3 (03:11):
Text clever hiding in plain sight.

Speaker 2 (03:13):
Yeah, and they reuse package naming conventions. Lots of them
also use something called.

Speaker 3 (03:18):
The Median framework.

Speaker 2 (03:19):
Median Framework it's basically a tool to quickly wrap a
website into an Android app, So they'd just load their
phishing website directly into an app's WebView component. It's
like a mini browser inside the app. Super efficient for them, like.

Speaker 1 (03:32):
An assembly line for malicious apps. Yeah, and was this
just a few random developers or something bigger?

Speaker 3 (03:38):
It looked bigger, much bigger.

Speaker 1 (03:40):
Yeah.

Speaker 2 (03:40):
When they dug into the IP addresses hosting these phishing URLs, yeah,
they found links to over fifty other phishing domains hosted
on the same infrastructure.

Speaker 1 (03:49):
Wow.

Speaker 2 (03:50):
Yeah, it points to a really centralized, coordinated operation. Makes
it much harder to detect and take down because it's
so distributed yet centrally managed.

Speaker 1 (03:58):
Okay, That level of organization is definitely sobering. It really
sets the stage for looking at those broader security myths
you mentioned. This whole incident kind of blows some of
them up, doesn't it.

Speaker 3 (04:08):
It really does.

Speaker 2 (04:09):
Let's start with a big one myth number three in
some lists, I think the idea that mobile app stores
guarantee security.

Speaker 1 (04:16):
Right, it's on the App Store, Play Store, so it must
be safe exactly.

Speaker 2 (04:20):
Developers and users often rely heavily on that. They assume
the store's review process catches everything bad.

Speaker 1 (04:25):
But clearly, as this case shows, that's not foolproof. How
do things still slip through even with Apple's and Google's
massive efforts.

Speaker 2 (04:34):
Well, despite those efforts, despite the stringent checks, malicious apps
find ways in. It's a constant cat and mouse game.
We've seen it before, right, Remember back in twenty nineteen,
Android apps with millions of downloads had malware.

Speaker 1 (04:48):
I do remember that, Or even.

Speaker 2 (04:49):
On iOS, remember those seventeen apps Apple had to pull
They had clicker trojan malware doing ad fraud silently in
the background.

Speaker 1 (04:56):
Right, So the stores are a first line of defense,
maybe not.

Speaker 3 (05:00):
The only line exactly.

Speaker 2 (05:01):
Not an impenetrable fortress users, developers, everyone still needs to
be vigilant due diligence is key.

Speaker 1 (05:06):
Okay, good point. What about myth number one, the idea
that hackers only go after the big popular apps.

Speaker 2 (05:13):
Yeah, the logic is why target my small app when
they could go after Facebook?

Speaker 1 (05:17):
Makes intuitive sense. I guess bigger user base, bigger payoff.

Speaker 2 (05:20):
You'd think so, But the reality is less popular apps
are definitely targets. Sometimes they're even easier targets, the low
hanging fruit as they say, why is that because they
might have weaker security, maybe fewer resources spent on it.
But if an app handles any sensitive data financial info,
health records, personal details, it's valuable to attackers. Regardless of

(05:41):
how many users it has. The combined value from many
smaller breaches can still be huge.

Speaker 1 (05:46):
So obscurity isn't security even niche app developers need to
be on high alert.

Speaker 3 (05:51):
Absolutely, maybe even more so.

Speaker 1 (05:53):
Okay, let's tackle two myths together, then myths two and five.
Basically the idea that Android is the wild west and
iOS is Fort Knox.

Speaker 2 (06:01):
Ah. Yes, a classic platform debate. Android's open, so it
must be less secure than Apple's closed garden.

Speaker 1 (06:07):
That's the common perception yet, but it's well, it's.

Speaker 3 (06:09):
More nuanced than that.

Speaker 2 (06:10):
Both platforms have their own vulnerabilities. It's actually interesting. There
was a period where exploit brokers like Zerodium started paying
more for Android zero days or for Android It suggested
Android's security had actually improved quite a bit, making those
critical exploits harder to find.

Speaker 3 (06:27):
Meanwhile, the market for.

Speaker 2 (06:28):
iOS exploits was let's say, a bit saturated at the time.

Speaker 1 (06:32):
So iOS isn't untouchable either. What kind of things have
hit iOS.

Speaker 2 (06:35):
Oh, definitely not untouchable. Think about the Pegasus spyware that
things have been around since twenty eleven targeting iOS versions
right up to like fourteen.

Speaker 1 (06:43):
Point seven, right the NSO Group stuff and.

Speaker 2 (06:46):
Google's Project Zero found those watering hole attacks targeting iPhones.
Just visiting a hacked website could compromise the phone. Sorry,
and remember that iMessage bug in twenty twenty. A
text message could allow remote code execution, no user interaction needed.

Speaker 1 (07:02):
Okay, okay. So the takeaway for developers building on either platform.

Speaker 2 (07:05):
Is don't just rely on the platform's marketing hype about security.
You have to build security in yourself. Go above and beyond,
regardless of whether it's iOS or Android. Neither one gives
you a free pass.

Speaker 1 (07:15):
Got it. Let's move to myth number four. Only jailbroken
or rooted devices are really at risk, right.

Speaker 2 (07:21):
The idea that if you haven't messed with the operating system,
you're basically safe from the nasty stuff, which.

Speaker 1 (07:26):
Sounds reasonable because rooting or jailbreaking does disable security features.

Speaker 2 (07:32):
It absolutely does increase risk, no question, But it's a
dangerous oversimplification to think only those devices are vulnerable.

Speaker 1 (07:40):
So standard non rooted phones are still targets for what
kind of thing?

Speaker 2 (07:44):
Oh, absolutely think about malware like EventBot back in
twenty twenty. It targeted regular Android devices, stole banking info
and didn't need root access at all. Okay, and then
you have phishing, which works on any device if the
user clicks the link. Network attacks, supply chain issues these
affect everyone, rooted or not.

Speaker 1 (08:03):
So protecting against rooted devices is one thing, but your
security strategy needs to cover all devices precisely.

Speaker 2 (08:09):
You can't ignore the vast majority of users who haven't
rooted their phones.

Speaker 1 (08:13):
Okay, final myth for this section, myth number six. Yeah,
just using HTTPS for your API back end is enough
security for your mobile app?

Speaker 3 (08:20):
Ah the HTTPS. This one is so common and kind
of understandable.

Speaker 1 (08:25):
Because HTTPS means encryption, right, data is protected in transit.

Speaker 2 (08:29):
It does mean encryption in transit. Yes, and HTTPS is
absolutely fundamental. You must use it, But thinking it's the
only thing you need, that's where the problem lies. It's
just one piece of the puzzle.

Speaker 1 (08:39):
So if the traffic is encrypted, where's the gap? How
can attackers still get in?

Speaker 3 (08:44):
Well?

Speaker 2 (08:44):
HTTPS only protects the data while it's traveling between the
app and the server. It does nothing about vulnerabilities in
the app itself like bad code exactly, or runtime attacks
or someone messes with the app while it's running on
the device. Instrumentation frameworks like Frida okay, and even man
in the middle attacks can sometimes still work against HTTPS

(09:06):
if the implementation is weak like using old protocols, having
certificate issues, or if the certificate pinning isn't done right
or dynamically updated.

Speaker 1 (09:14):
And what about just reverse engineering the app to see
how it talks to the API.

Speaker 2 (09:18):
That too, Attackers can often pull the app apart see
the API calls, figure out how to make them, and
then just script attacks against your back end. HTTPS doesn't
stop them from learning how to talk to your API,
or from replicating legitimate requests from a script or bot.
Remember that Jaumie Guard a provider app. It used HTTPS
but still had issues allowing attacks.

Speaker 1 (09:39):
So even with HTTPS sensitive data like usernames, passwords, API keys
stored insecurely in the app, they can still be extracted or.

Speaker 2 (09:48):
Abused absolutely if the app itself isn't secure, if the
API doesn't validate who or what is calling it HTTPS
alone won't save you.

Speaker 1 (09:56):
It really drives home the need for layered security, and
so what's the bottom line for developers on this one?

Speaker 2 (10:02):
You need more secure coding inside the app, definitely, Input
validation is critical, proper access controls on the API, encrypting
sensitive data stored on the device, regular security testing, and crucially,
ways to ensure the API call is coming from a genuine,
untampered instance of your app.

Speaker 1 (10:17):
Okay, that makes sense. So we've covered the attack debunk
some pretty common myths. Now let's pivot to solutions. What
does all this mean for you, the listener, whether you're
building apps or just using them. Let's talk defense strategy
for the average user. First, what are the key practical steps?

Speaker 2 (10:35):
Okay, for users? Number one, be really careful where you
get your apps. Stick to official stores, yes, but even
then check the developer, look at reviews, publisher details, download counts,
be skeptical.

Speaker 1 (10:47):
Especially with crypto apps, it seems, definitely.

Speaker 2 (10:50):
And number two absolutely critical. Never ever enter super sensitive
info like that twelve word recovery phrase unless you are
one hundred percent sure it's the real legitimate app practice
Go to the official website of the wallet service and
use their link to find the app, don't just search
the store blindly good advice.

Speaker 1 (11:06):
What else? Basic digital hygiene.

Speaker 2 (11:08):
Yeah, the fundamentals still matter hugely. Use good antivirus
or security software on your phone and other devices. Use strong,
unique passwords everywhere. Enable multi factor authentication MFA wherever you
possibly can.

Speaker 1 (11:21):
Like authenticator apps or hardware keys.

Speaker 2 (11:23):
Exactly, use biometrics, fingerprint, face unlock on your phone,
and just be super wary of links and texts or emails.
Phishing is still incredibly effective. Oh and for Android users,
make sure Google Play Protect is turned on. It does
provide a layer of scanning, the.

Speaker 1 (11:40):
Solid checklist for users.

Speaker 3 (11:41):
Yeah.

Speaker 1 (11:41):
Now let's switch hats. For the mobile developers listening, working
across iOS, Android, maybe cross platform like Flutter or React Native,
what are the actionable takeaways for them to really secure
their apps and APIs?

Speaker 2 (11:54):
For developers, the mindset has to shift. Security isn't something
you tack on at the end, to be baked in
from the start, throughout the entire development life cycle.

Speaker 1 (12:03):
And recognizing that some traditional defenses aren't enough.

Speaker 2 (12:06):
Anymore, precisely things like basic code obfuscation.

Speaker 3 (12:09):
Sophisticated attackers can.

Speaker 2 (12:11):
Often get around that relatively easily these days, you need
to think about protecting the app dynamically while it's running.

Speaker 1 (12:16):
Okay, so what kind of dynamic run time security are
we talking about.

Speaker 2 (12:19):
We're talking about implementing things like RASP, runtime application
self-protection. Yeah, it helps the app detect and
respond to attacks while it's running. Also things like runtime
secrets protection to shield API keys or sensitive data within
the running app, and dynamic certificate pinning, which is stronger
than static pinning. These protect the app and its data

(12:40):
in its actual operating environment, which is where many attacks
now focus.

Speaker 1 (12:44):
Makes sense protect the app itself. What about protecting the
API on the other end, ensuring it's only talking to
legitimate instances of your app, not bots or modified versions.

Speaker 2 (12:54):
That's where app attestation comes in. It's becoming really crucial.

Speaker 1 (12:58):
Explain app attestation briefly.

Speaker 2 (13:00):
Sure, It's basically a mechanism for your back end API
to verify the integrity of the app that's calling it.
Is it the genuine, untampered version of your app running
on a safe device, or is it a clone, a
tampered version, or just a script hitting your API directly?

Speaker 1 (13:15):
So it proves the app itself is trustworthy before the
API responds exactly.

Speaker 2 (13:19):
You combine app attestation with token based API access. The
app proves its integrity, gets a short lived token, and
uses that token to make API calls. This is vital
for blocking bots, scrapers, modified apps, all sorts of automated
abuse that bypasses simple API key checks.

Speaker 3 (13:37):
It enforces that trust.

Speaker 1 (13:38):
Boundary that sounds like a critical layer, especially given everything
we've discussed and speaking of solutions that enforce trust boundaries.
This episode of Upwardly Mobile is proudly sponsored by Approov.
Approov specializes in mobile app attestation and API security.

Speaker 2 (13:54):
Right they help ensure that only genuine mobile app instances
can access your APIs, effectively blocking automated attacks an unauthorized
data access. It raises the bar significantly.

Speaker 1 (14:04):
You can learn more about how Approov secures mobile apps
and APIs at approov.io. So as we wrap up,
it's really clear, isn't it. The mobile security landscape just
keeps shifting.

Speaker 2 (14:13):
Constant vigilance is needed, absolutely, from developers, from users, from
everyone involved.

Speaker 3 (14:18):
This whole phishing campaign is just another reminder.

Speaker 1 (14:20):
It really makes you think, though, if even the official
app stores aren't completely safe and attackers are getting so
good at exploiting trust.

Speaker 2 (14:28):
Yeah, it poses a tough question, doesn't it. How much
responsibility falls on the developer to build apps that are
inherently resilient, almost assuming a hostile environment, and how much
is on the user to be perpetually skeptical? Where's that balance?

Speaker 1 (14:44):
That is a deep question. Is perfect security even possible?
Or is it just this continuous process, this ongoing journey
of adaptation.

Speaker 2 (14:52):
A journey definitely, and it forces you, whether you're building
or using this tech, to constantly ask am I doing enough?
What do I need to change my approach to keep up?

Speaker 1 (15:01):
Something important for all of us to consider. Thanks for
joining us for this look into mobile app and API security.

Speaker 3 (15:06):
Stay safe out there.

Speaker 1 (15:08):
This episode of Upwardly Mobile was made with human sources
assisted with AI.
© 2025 iHeartMedia, Inc.