TLDR
- A crypto wallet drainer disguised as WalletConnect was on Google Play for 5 months
- The app stole over $70,000 from more than 150 users
- It used advanced evasion techniques to avoid detection
- The malicious app had over 10,000 downloads
- This marks the first time drainers exclusively targeted mobile users
A malicious cryptocurrency wallet-draining application disguised as the popular WalletConnect protocol managed to evade detection on the Google Play store for five months, stealing over $70,000 from unsuspecting users.
The app, which garnered more than 10,000 downloads, marks the first instance of wallet drainers specifically targeting mobile users.
Check Point Research, an IT security firm, uncovered the scam and detailed its findings in a September 26 blog post.
The researchers found that the fake app used sophisticated evasion techniques to remain undetected on Google’s app store from March 21 until its recent removal.
The malicious application initially appeared on Google Play under the name “Mestox Calculator” and underwent several name changes.
Despite these alterations, its application URL continued to direct users to a seemingly harmless calculator website. This tactic allowed the app to pass Google Play’s review process, as both automated and manual checks would load the innocuous calculator application.
However, the app’s true nature was revealed when users with specific IP addresses accessed it from mobile devices. In these cases, users were redirected to a malicious back-end housing the wallet-draining software known as MS Drainer.
The fake WalletConnect app mimicked the legitimate protocol, which is commonly used to link various cryptocurrency wallets to decentralized finance (DeFi) applications.
This familiarity likely contributed to users’ trust in the app. When users attempted to connect their wallets – a standard action for the real WalletConnect – they were prompted to accept various permissions to “verify their wallet.”
This action granted the attacker’s address permission to transfer the maximum amount of specified assets.
Check Point Research reported that more than 150 users fell victim to the scam, losing approximately $70,000 in total. However, not all of the app’s 10,000+ downloaders were affected.
Some users either didn’t connect a wallet or recognized the scam, while others may not have met the malware’s specific targeting criteria.
The researchers noted that the app’s high ranking in search results was achieved through fake reviews and consistent branding.
Some of these fabricated reviews even mentioned features unrelated to cryptocurrency, further obscuring the app’s true purpose.
This incident highlights the increasing sophistication of cybercriminal tactics in the cryptocurrency space. Unlike traditional attack vectors that rely on permissions or keylogging, this malicious app utilized smart contracts and deep links to silently drain assets once users were tricked into using it.
The researchers emphasized the need for users to be cautious when downloading applications, even those that appear legitimate.
They also called on app stores to improve their verification processes to prevent such malicious apps from reaching users.
Check Point Research stressed the importance of ongoing education within the crypto community about the risks associated with Web3 technologies.
They pointed out that this case illustrates how even seemingly harmless interactions can lead to significant financial losses.
The discovery of this wallet drainer on Google Play underscores the evolving nature of threats in the cryptocurrency ecosystem.
As mobile users become increasingly targeted, the need for enhanced security measures and user awareness becomes more critical.
Google has not yet responded to requests for comment on the matter. The removal of the malicious app from the Google Play store marks the end of its five-month presence, but serves as a reminder of the ongoing challenges in maintaining security in the rapidly evolving world of cryptocurrency.