Crypto Wallet Drainer on Google Play Steals $70K Over Five Months

Analysis

September 30, 2024 1:57 PM

In Brief:
Check Point Research discovered a malicious app on Google Play that drained $70,000 from crypto wallets over five months, using advanced evasion techniques to target mobile users.
The app, disguised as WalletConnect, used fake reviews and branding to achieve over 10,000 downloads before being removed from the store.


Security vendor Check Point Research has uncovered a malicious crypto wallet drainer app on the Google Play store that stole over $70,000 from users over five months. The app, which masqueraded as the well-known WalletConnect protocol, is described by Check Point as the first drainer to target mobile users exclusively.

The app used advanced evasion techniques to remain undetected and reached over 10,000 downloads on the strength of fake reviews and consistent branding. Not every user who installed it was affected: some never connected a wallet, and others did not meet the drainer's targeting criteria. Even so, more than 150 individuals had funds drained.

Some of the faked reviews on the spoofed WalletConnect app mentioned features that had nothing to do with crypto. Source: Check Point Research

Advanced Evasion Techniques and User Targeting

The malicious app first appeared on Google Play on March 21 under the name "Mestox Calculator" and went through several name changes. Its listed URL pointed to what looked like a harmless calculator website, which let it pass Google's app review process. The site then cloaked its content: depending on the visitor's IP address and device, a targeted user was redirected to the wallet-draining kit MS Drainer, while other visitors, reviewers and scanners among them, saw only the calculator. This is a caveat for anyone vetting such an app: fetching the URL from an untargeted network or device shows the benign page, so the malicious branch is only observable from a vantage point that matches the targeting criteria.

The fake WalletConnect app prompted users to connect a wallet, a routine request in Web3, and then asked them to sign approvals that granted the attacker's smart contract the right to transfer their tokens. These are on-chain spending approvals signed in the user's own wallet, not Android OS permissions, which is why the app itself needed none. Once the approvals were in place, the drainer withdrew the most valuable tokens first, followed by cheaper ones.
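The defensive counterpart to that approval-based draining is to audit which spenders a wallet has approved and how much they could take right now. The following is an added example and not code from Check Point Research or from the malicious app: it replays standard ERC-20 Approval events (the same event shape an RPC node returns from eth_getLogs), keeps the latest allowance per token and spender, treats a zero approval as a revocation, and ranks the remaining untrusted approvals by the dollar value exposed. Exposure is min(allowance, balance), which is the same ordering logic a drainer uses when it cashes out the expensive positions first. The addresses, log entries, balances and prices are constructed for the example; the event signature hash and the topic layout are the real ERC-20 ones.

```python
from dataclasses import dataclass
from typing import Optional

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event signature
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # max uint256, the "infinite approval" a drainer asks for


@dataclass
class Approval:
    token: str
    owner: str
    spender: str
    value: int  # allowance in the token's base units


def topic_to_address(topic: str) -> str:
    """Indexed address topics are a 20-byte address left-padded to 32 bytes."""
    return "0x" + topic[-40:].lower()


def decode_approval(log: dict) -> Optional[Approval]:
    """Decode one eth_getLogs-style entry; return None if it is not an ERC-20 Approval."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return Approval(
        token=log["address"].lower(),
        owner=topic_to_address(topics[1]),
        spender=topic_to_address(topics[2]),
        value=int(log["data"], 16),
    )


def current_allowances(logs: list) -> dict:
    """Replay Approval events in chain order: the last value per (token, owner, spender)
    wins, and an approval of zero removes the entry (the owner revoked it)."""
    allowances = {}
    for log in logs:
        a = decode_approval(log)
        if a is None:
            continue
        key = (a.token, a.owner, a.spender)
        if a.value == 0:
            allowances.pop(key, None)
        else:
            allowances[key] = a
    return allowances


def rank_exposure(logs, wallet, balances, decimals, prices_usd, trusted_spenders):
    """Live approvals from `wallet` to untrusted spenders, ordered by USD that could be
    pulled today. Exposure is min(allowance, balance): an unlimited approval on an
    empty balance drains nothing now, a bounded approval caps a large balance."""
    wallet = wallet.lower()
    findings = []
    for (token, owner, spender), a in current_allowances(logs).items():
        if owner != wallet or spender in trusted_spenders:
            continue
        at_risk_units = min(a.value, balances.get(token, 0))
        usd = at_risk_units / 10 ** decimals.get(token, 18) * prices_usd.get(token, 0.0)
        findings.append({
            "token": token,
            "spender": spender,
            "unlimited": a.value == UNLIMITED,
            "usd_at_risk": usd,
        })
    findings.sort(key=lambda f: f["usd_at_risk"], reverse=True)
    return findings


# ---- constructed sample data: hypothetical addresses, not real contracts ----
WALLET = "0x" + "11" * 20
DEX = "0x" + "22" * 20          # a spender the owner deliberately trusts
DRAINER = "0x" + "de" * 20      # hypothetical drainer contract
USDC_LIKE = "0x" + "aa" * 20    # 6-decimal stablecoin stand-in
WETH_LIKE = "0x" + "bb" * 20    # 18-decimal token stand-in


def make_log(token, owner, spender, value):
    """Build an entry shaped like an eth_getLogs result for an Approval event."""
    def pad(addr):
        return "0x" + "00" * 12 + addr[2:]
    return {"address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + f"{value:064x}"}


SAMPLE_LOGS = [
    make_log(USDC_LIKE, WALLET, DEX, 1_000 * 10**6),    # normal, bounded approval
    make_log(WETH_LIKE, WALLET, DRAINER, UNLIMITED),    # drainer approval, token 1
    make_log(USDC_LIKE, WALLET, DRAINER, UNLIMITED),    # drainer approval, token 2
    make_log(USDC_LIKE, WALLET, DEX, 0),                # owner later revoked the DEX approval
]
BALANCES = {USDC_LIKE: 2_000 * 10**6, WETH_LIKE: 5 * 10**17}  # 2000 USDC, 0.5 WETH
DECIMALS = {USDC_LIKE: 6, WETH_LIKE: 18}
PRICES_USD = {USDC_LIKE: 1.0, WETH_LIKE: 2500.0}


def audit_sample():
    return rank_exposure(SAMPLE_LOGS, WALLET, BALANCES, DECIMALS, PRICES_USD, {DEX})


if __name__ == "__main__":
    for f in audit_sample():
        flag = " (unlimited approval)" if f["unlimited"] else ""
        print(f"{f['token']} -> {f['spender']}: ${f['usd_at_risk']:.2f} at risk{flag}")
```

On the sample data the stablecoin approval ranks above the WETH one even though WETH has the higher unit price, because the wallet holds more dollars' worth of it; that is the same calculation a drainer makes before deciding which transferFrom to send first. Revoking the top entries (an approve of zero to the same spender) is the remediation, and the replay logic above shows that revocation clearing the finding.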

A diagram of how the fake WalletConnect app worked to drain certain user funds. Source: Check Point Research

Check Point Research highlighted the sophistication of the attack, which relied on smart contracts and deep links into the victim's wallet rather than traditional mobile malware techniques such as abusing Android permissions or keylogging. The incident underscores the need for users to be cautious about what they install and sign, and for app stores to strengthen their verification processes.

Educating Users on Web3 Risks

The crypto community must continue educating users about the risks of Web3 technology, since even seemingly innocent interactions such as connecting a wallet and signing an approval can lead to significant financial losses. Check Point Research emphasized the importance of user awareness and improved app store security measures to prevent similar incidents.

Google has not responded to requests for comment regarding the incident.

Disclaimer: Backdoor provides informational content only, it is not offered or intended to be used as legal, tax, investment, financial, or other advice. Investments in digital assets involve risk, and past performance does not guarantee future results. We recommend conducting your own research before making any investment decisions.