Friday, December 6, 2024
Homecyber securityMalicious App On Google Play Steals Cryptocurrency From Android Users

Malicious App On Google Play Steals Cryptocurrency From Android Users

Published on

SIEM as a Service

Cybercriminals have shifted their focus to mobile devices, targeting users with a malicious crypto drainer app disguised as the legitimate WalletConnect protocol, which remained undetected for over five months and was downloaded 10,000 times, exploited the name of the well-known Web3 protocol to deceive users.

Despite its removal from Google Play, the app victimized over 150 users, resulting in losses exceeding $70,000. This highlights the increasing sophistication of cyberattacks targeting cryptocurrency users and the importance of vigilance in protecting digital assets, Check Point uncovered.

Malicious WalletConnect application in Google Play.

WalletConnect, a bridge between dApps and crypto wallets, can be exploited through user confusion. Outdated wallets or unsupported connections might make WalletConnect appear as a separate wallet app.

- Advertisement - SIEM as a Service

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

Attackers leverage this by placing a fake “WalletConnect” app with positive fake reviews at the top of app store searches. Users who are tricked into downloading this app expose their crypto assets to theft.

WalletConnect workflow for connecting to a Web3 application

A malicious app disguised as a calculator was found on Google Play, which exploited Median[.]co’s service to create a web wrapper app.

The app initially displayed a harmless calculator but redirected users based on IP and User-Agent, where the redirection bypassed Google Play’s review and targeted mobile users with a fake Web3Inbox interface.

The core malicious script, obfuscated with anti-debugging techniques, resided on an external server and interacted with the user’s wallet through this fake interface, which made it difficult to detect since the app itself didn’t require special permissions.

Anti-debug techniques implemented in the obfuscator.

MS Drainer is crypto wallet drainer malware sold for $1500 that targets a wide range of EVM blockchains. Disguised as a WalletConnect app, it steals victims’ crypto assets by tricking them into signing transactions.

The malware first establishes communication with a C&C server using a proprietary encryption algorithm and then retrieves the victim’s wallet address and network and checks for valuable assets.

To steal ERC-20/BEP-20 tokens, it exploits the “Approve” and “TransferFrom” functionalities: the user approves an infinite token transfer for a malicious address, allowing the attacker to drain the wallet later.

The stolen assets are sent to a secure attacker-controlled address.

ERC-20 token “approve” transaction.

By analyzing stolen fund transactions on the blockchain, researchers identified over 150 victim addresses associated with a malicious application, while the attackers accumulated over $70,000 in stolen assets.

Despite the large number of victims, only 20 reported the scam through negative reviews.

The researchers at Check Point also discovered a previous attempt using a similar app named “WC Calculator,” which employed the same deceptive tactics and garnered over 5,000 downloads.

Funds accumulated in the attackers’ wallets

The malicious app exploited WalletConnect’s reputation to deceive users into installing it from Google Play.

The attackers successfully drained cryptocurrency from over 150 victims by leveraging social engineering and technical manipulation.

It employed redirects and user-agent checking to evade detection, making it difficult to identify and remove, which underscores the need for increased vigilance and stronger verification processes to protect users from such sophisticated cyberattacks in the decentralized finance landscape.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try It for Free

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...