TLDR
- For five months, a malicious app posing as WalletConnect was available on Google Play, siphoning off funds from users.
- The app stole over $70,000 from more than 150 users.
- The app used sophisticated evasion techniques to fly under the radar and avoid detection.
- The malicious app had over 10,000 downloads.
- This is the first known case of a wallet drainer targeting mobile users exclusively.
A malicious application posing as the familiar WalletConnect protocol successfully evaded detection on Google Play for five months, draining over $70,000 from unwary users.
The app, which racked up over 10,000 downloads, marks the inaugural case of wallet-draining software aimed squarely at mobile device users.
IT security company Check Point Research discovered the deception and reported its findings in detail in a September 26 blog post.
Check Point Research uncovered that the counterfeit app employed advanced evasion methods to remain undetected on Google's platform from March 21 until it was recently removed.
Initially appearing on Google Play as 'Mestox Calculator,' the malicious app underwent several rebrandings.
Despite these name changes, the app's URL still directed users to what seemed like a mundane calculator website. Because that innocuous calculator was what loaded during both manual and automated checks, the app passed Google's approval process.
The app's true intent was only revealed when mobile users who matched certain targeting conditions opened it, at which point they were redirected to a malicious back-end hosting wallet-draining software known as MS Drainer.
This deceptive WalletConnect app was an imitation of the legitimate protocol widely used for connecting different crypto wallets to decentralized finance applications.

This aura of authenticity likely contributed to users' confidence in the app. When they tried to connect their wallets, the standard first step for genuine WalletConnect usage, users were duped into granting various permissions under the guise of 'verifying their wallet.'
Unbeknownst to them, those permissions were token approvals that allowed the attacker's address to transfer the maximum amount of the specified assets out of their wallets.
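The mechanism described above is an ERC-20 token approval: once a user signs `approve(spender, amount)`, the spender can move up to that amount without further consent. The following script is an added example written for this article, not code from Check Point Research or the WalletConnect project. It replays a constructed list of decoded `Approval(owner, spender, value)` events to find the live allowances, flags unlimited or over-sized allowances granted to spenders outside a hypothetical allowlist, and builds the calldata for the standard remedy, `approve(spender, 0)`. All addresses, balances and transaction hashes are constructed placeholders.

```python
"""Flag dangerous ERC-20 allowances from decoded Approval events (added example).

Assumptions: events arrive already decoded as dicts with keys
token, owner, spender, value, tx; the trusted-spender allowlist is a
hypothetical list maintained by the wallet's security team.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1
# Dapps commonly request the literal maximum; treat anything in the top half
# of the uint256 range as "unlimited".
UNLIMITED_THRESHOLD = 2**255

# 4-byte selector of approve(address,uint256); used to build a revocation call.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")

# Constructed placeholder addresses (not real accounts).
OWNER = "0x" + "aa" * 20
TRUSTED_ROUTER = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "22" * 20
TRUSTED_SPENDERS = {TRUSTED_ROUTER}

# Constructed sample Approval events, in chain order.
SAMPLE_EVENTS = [
    {"token": "USDT", "owner": OWNER, "spender": TRUSTED_ROUTER, "value": 500 * 10**6, "tx": "0x01"},
    {"token": "USDT", "owner": OWNER, "spender": UNKNOWN_SPENDER, "value": MAX_UINT256, "tx": "0x02"},
    {"token": "WETH", "owner": OWNER, "spender": UNKNOWN_SPENDER, "value": 50 * 10**18, "tx": "0x03"},
    {"token": "DAI", "owner": OWNER, "spender": TRUSTED_ROUTER, "value": MAX_UINT256, "tx": "0x04"},
    {"token": "DAI", "owner": OWNER, "spender": UNKNOWN_SPENDER, "value": MAX_UINT256, "tx": "0x05"},
    {"token": "DAI", "owner": OWNER, "spender": UNKNOWN_SPENDER, "value": 0, "tx": "0x06"},  # revoked
]
# Constructed current token balances of OWNER, in base units.
BALANCES = {"USDT": 1200 * 10**6, "WETH": 2 * 10**18, "DAI": 300 * 10**18}


@dataclass
class Finding:
    token: str
    owner: str
    spender: str
    allowance: int
    severity: str
    reason: str


def current_allowances(events: list[dict]) -> dict[tuple[str, str, str], int]:
    """Replay events in order; the latest value per (token, owner, spender) is the live allowance."""
    allowances: dict[tuple[str, str, str], int] = {}
    for ev in events:
        allowances[(ev["token"], ev["owner"], ev["spender"])] = ev["value"]
    return allowances


def flag_risky_approvals(events: list[dict], balances: dict[str, int],
                         trusted_spenders: set[str] = TRUSTED_SPENDERS) -> list[Finding]:
    """Return findings for live allowances that let a spender drain more than expected."""
    trusted = {s.lower() for s in trusted_spenders}
    findings: list[Finding] = []
    for (token, owner, spender), value in current_allowances(events).items():
        if value == 0:
            continue  # allowance already revoked
        is_trusted = spender.lower() in trusted
        unlimited = value >= UNLIMITED_THRESHOLD
        if unlimited and not is_trusted:
            findings.append(Finding(token, owner, spender, value, "high",
                                    "unlimited allowance to untrusted spender"))
        elif not is_trusted and value > balances.get(token, 0):
            findings.append(Finding(token, owner, spender, value, "high",
                                    "allowance exceeds current balance"))
        elif unlimited:
            findings.append(Finding(token, owner, spender, value, "medium",
                                    "unlimited allowance to trusted spender"))
    return findings


def build_revoke_calldata(spender: str) -> bytes:
    """ABI-encode approve(spender, 0): selector + left-padded address + zero amount."""
    raw = spender[2:] if spender.startswith("0x") else spender
    if len(raw) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    addr_word = bytes(12) + bytes.fromhex(raw)  # address padded to 32 bytes
    return APPROVE_SELECTOR + addr_word + (0).to_bytes(32, "big")


if __name__ == "__main__":
    for f in flag_risky_approvals(SAMPLE_EVENTS, BALANCES):
        print(f"[{f.severity}] {f.token} -> {f.spender}: {f.reason}")
        if f.severity == "high":
            print("  revoke calldata:", build_revoke_calldata(f.spender).hex())
```

Replaying the events before judging them matters: the DAI allowance to the unknown spender was set to the maximum and then revoked, so only the three live problem allowances are reported. Sending the revocation calldata to the token contract from the owner's account is the standard way to close the door the fake app opened; tools that list and revoke allowances do exactly this under the hood.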
Check Point Research identified that more than 150 individuals fell victim to this scheme, losing nearly $70,000 collectively, although not every one of the app's more than 10,000 downloaders was affected.
Some users either refrained from connecting a wallet or were savvy enough to recognize the scam, while others possibly didn't meet the specific targeting conditions set by the malware.
The research team noted that the app's high rank in search results was inflated by fabricated reviews and consistent branding efforts.
These false reviews sometimes even extolled unrelated features, further muddying the app's actual malicious intent.
This incident showcases the escalating sophistication of cybercriminal methods in the cryptocurrency sector. Unlike older attack types based on permissions or keylogging, this app exploited smart contracts and deep links to silently siphon off assets when users fell for its trickery.
Researchers stressed the importance of being vigilant when downloading apps that appear credible.
They urged app marketplaces to enhance their verification methodologies to better safeguard users from malicious software.
Check Point Research underscored the need for continuous education within the crypto community about the hazards linked to Web3 technologies.
The case exemplifies how even seemingly innocuous engagements can result in significant financial damage.
The discovery of this wallet drainer on Google Play highlights the ever-evolving nature of threats within the crypto ecosystem.
As mobile-targeted attacks become more common, heightened security measures and increased user awareness are essential.
Google has yet to comment on the situation. The malicious app's removal from Google Play concludes its five-month run but serves as a stark reminder of the ongoing security challenges in the fast-paced world of cryptocurrency.