Cyber Security News

Malicious App On Google Play Steals Cryptocurrency From Android Users

Cybercriminals have shifted their focus to mobile devices, targeting users with a malicious crypto drainer app disguised as the legitimate WalletConnect protocol. The app remained undetected on Google Play for over five months, was downloaded 10,000 times, and exploited the name of the well-known Web3 protocol to deceive users.

Despite its eventual removal from Google Play, the app victimized over 150 users, resulting in losses exceeding $70,000. Check Point, which uncovered the campaign, notes that this highlights the increasing sophistication of cyberattacks targeting cryptocurrency users and the importance of vigilance in protecting digital assets.

Malicious WalletConnect application in Google Play.

WalletConnect, a bridge between dApps and crypto wallets, can be exploited through user confusion. Outdated wallets or unsupported connections might make WalletConnect appear as a separate wallet app.


Attackers leverage this by placing a fake “WalletConnect” app with positive fake reviews at the top of app store searches. Users who are tricked into downloading this app expose their crypto assets to theft.

WalletConnect workflow for connecting to a Web3 application

A malicious app disguised as a calculator was found on Google Play, which exploited Median[.]co’s service to create a web wrapper app.

The app initially displayed a harmless calculator but redirected users based on IP and User-Agent, where the redirection bypassed Google Play’s review and targeted mobile users with a fake Web3Inbox interface.

The core malicious script, obfuscated with anti-debugging techniques, resided on an external server and interacted with the user’s wallet through this fake interface, which made it difficult to detect since the app itself didn’t require special permissions.

Anti-debug techniques implemented in the obfuscator.

MS Drainer is crypto wallet drainer malware sold for $1500 that targets a wide range of EVM blockchains. Disguised as a WalletConnect app, it steals victims’ crypto assets by tricking them into signing transactions.

The malware first establishes communication with a C&C server using a proprietary encryption algorithm and then retrieves the victim’s wallet address and network and checks for valuable assets.

To steal ERC-20/BEP-20 tokens, it exploits the “Approve” and “TransferFrom” functionalities: the user approves an infinite token transfer for a malicious address, allowing the attacker to drain the wallet later.

The stolen assets are sent to a secure attacker-controlled address.

ERC-20 token “approve” transaction.
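As an added, defender-side example (not code from Check Point's report or from WalletConnect), here is the kind of pre-signing check a wallet could run on the "Approve" request described above: it decodes ERC-20 approve(address,uint256) calldata and flags an unlimited allowance to an unknown spender, the pattern that lets a drainer call transferFrom later. The selectors are the standard ERC-20 ones; the spender address and calldata at the bottom are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Standard ERC-20/BEP-20 4-byte selectors (first 4 bytes of keccak256 of the signature);
# these are the "Approve"/"TransferFrom" functions the drainer abuses.
SEL_APPROVE = "095ea7b3"        # approve(address,uint256)
SEL_TRANSFER_FROM = "23b872dd"  # transferFrom(address,address,uint256)
MAX_UINT256 = (1 << 256) - 1    # type(uint256).max, the "infinite" allowance

@dataclass
class ApproveCall:
    spender: str    # 0x-prefixed, lower-case address receiving the allowance
    amount: int     # allowance in raw token units
    unlimited: bool

def decode_approve(calldata_hex: str) -> Optional[ApproveCall]:
    """Decode approve(address,uint256) calldata; None if it is any other call."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 2 * 64 or data[:8] != SEL_APPROVE:
        return None
    # ABI encoding: each argument is left-padded to a 32-byte (64 hex char) word.
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:   # an address must fit in the low 20 bytes
        return None
    amount = int(amount_word, 16)
    return ApproveCall("0x" + spender_word[24:], amount, amount == MAX_UINT256)

def risk_of_approve(calldata_hex: str, balance: int, trusted_spenders: set[str]) -> str:
    """Classify an approve() for a pre-signing wallet prompt.

    'danger': unlimited (or larger-than-balance) allowance to an unknown spender,
    which is what lets a drainer call transferFrom() later. 'review': unknown
    spender with a bounded amount, or trusted spender asking for too much. 'ok' otherwise.
    """
    call = decode_approve(calldata_hex)
    if call is None:
        return "not-approve"
    trusted = call.spender in {s.lower() for s in trusted_spenders}
    excessive = call.unlimited or call.amount > balance
    if excessive and not trusted:
        return "danger"
    if excessive or not trusted:
        return "review"
    return "ok"

# Constructed sample (not real on-chain data): approve(<attacker address>, type(uint256).max).
DRAINER_SPENDER = "0x" + "deadbeef" * 5
SAMPLE_CALLDATA = "0x" + SEL_APPROVE + DRAINER_SPENDER[2:].rjust(64, "0") + "f" * 64
```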

By analyzing the stolen-fund transactions on the blockchain, researchers identified over 150 victim addresses associated with the malicious application, while the attackers accumulated over $70,000 in stolen assets.

Despite the large number of victims, only 20 reported the scam through negative reviews.

The researchers at Check Point also discovered a previous attempt using a similar app named “WC Calculator,” which employed the same deceptive tactics and garnered over 5,000 downloads.

Funds accumulated in the attackers’ wallets

The malicious app exploited WalletConnect’s reputation to deceive users into installing it from Google Play.

The attackers successfully drained cryptocurrency from over 150 victims by leveraging social engineering and technical manipulation.

The app employed redirects and User-Agent checking to evade detection, making it difficult to identify and remove. This underscores the need for increased vigilance and stronger verification processes to protect users from such sophisticated cyberattacks in the decentralized finance landscape.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
