Cyber Security News

Malicious App On Google Play Steals Cryptocurrency From Android Users

Cybercriminals have shifted their focus to mobile devices, targeting users with a malicious crypto drainer app disguised as the legitimate WalletConnect protocol. The app, which exploited the name of the well-known Web3 protocol to deceive users, remained undetected for over five months and was downloaded 10,000 times.

Despite its removal from Google Play, the app victimized over 150 users, resulting in losses exceeding $70,000. Check Point, which uncovered the campaign, notes that this highlights the increasing sophistication of cyberattacks targeting cryptocurrency users and the importance of vigilance in protecting digital assets.

Malicious WalletConnect application in Google Play.

WalletConnect, a bridge between dApps and crypto wallets, can be exploited through user confusion. Outdated wallets or unsupported connections might make WalletConnect appear as a separate wallet app.


Attackers leverage this by placing a fake “WalletConnect” app with positive fake reviews at the top of app store searches. Users who are tricked into downloading this app expose their crypto assets to theft.

WalletConnect workflow for connecting to a Web3 application

A malicious app disguised as a calculator was found on Google Play, which exploited Median[.]co’s service to create a web wrapper app.

The app initially displayed a harmless calculator but redirected users based on their IP address and User-Agent. This conditional redirection bypassed Google Play’s review process and targeted mobile users with a fake Web3Inbox interface.

The core malicious script, obfuscated with anti-debugging techniques, resided on an external server and interacted with the user’s wallet through this fake interface, which made it difficult to detect since the app itself didn’t require special permissions.
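The User-Agent based cloaking described above is something an app reviewer or analyst can test for directly: fetch the wrapped site once per client profile and flag any divergence in status, redirect target or body. The following is an added example (not code from the article or from Check Point); the fetcher is injected so it runs offline against a constructed stand-in endpoint, and the profile strings and `example.invalid` host are constructed for the illustration.

```python
"""Added example: a review-time check for User-Agent based cloaking.
Not from the original article; the endpoint, profiles and host are constructed."""

import hashlib

# Constructed client profiles: what a desktop reviewer and a real Android
# user would send in the User-Agent header.
PROFILES = {
    "desktop-reviewer": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0",
    "android-user": "Mozilla/5.0 (Linux; Android 13) Mobile Chrome/120.0",
}


def fake_cloaked_endpoint(user_agent):
    """Constructed stand-in for a wrapped site that behaves like the one
    described: a benign calculator page for desktop clients, an HTTP 302 to
    another host for mobile ones. Returns (status, headers, body)."""
    if "Mobile" in user_agent:
        return 302, {"Location": "https://example.invalid/inbox"}, ""
    return 200, {}, "<html><title>Calculator</title><body>1+1</body></html>"


def fake_honest_endpoint(user_agent):
    """Constructed stand-in that serves the same page to everyone."""
    return 200, {}, "<html><title>Calculator</title><body>1+1</body></html>"


def fingerprint(body):
    """Short content hash so bodies can be compared without storing them."""
    return hashlib.sha256(body.encode()).hexdigest()[:12]


def detect_cloaking(fetch, profiles=PROFILES):
    """Fetch once per client profile and report whether the responses diverge.

    fetch(user_agent) must return (status_code, headers_dict, body_text).
    A single distinct (status, Location, body-hash) tuple across all profiles
    means no cloaking was observed; more than one means the site serves
    different content depending on who asks."""
    observed = {}
    for name, user_agent in profiles.items():
        status, headers, body = fetch(user_agent)
        observed[name] = (status, headers.get("Location"), fingerprint(body))
    return {"cloaked": len(set(observed.values())) > 1, "observed": observed}


if __name__ == "__main__":
    print(detect_cloaking(fake_cloaked_endpoint))
    print(detect_cloaking(fake_honest_endpoint))
```

This catches the User-Agent half of the redirection logic; the IP-based half can only be observed by also fetching from a mobile-network egress, which is why a single desktop-based review pass is easy to evade.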

Anti-debug techniques implemented in the obfuscator.

MS Drainer is crypto wallet drainer malware sold for $1500 that targets a wide range of EVM blockchains. Disguised as a WalletConnect app, it steals victims’ crypto assets by tricking them into signing transactions.

The malware first establishes communication with a C&C server using a proprietary encryption algorithm and then retrieves the victim’s wallet address and network and checks for valuable assets.

To steal ERC-20/BEP-20 tokens, it exploits the “Approve” and “TransferFrom” functionalities: the user approves an infinite token transfer for a malicious address, allowing the attacker to drain the wallet later.

The stolen assets are sent to a secure attacker-controlled address.
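The “Approve” / “TransferFrom” mechanism above is standard ERC-20 behaviour, and the reason an unlimited approval is so damaging is that it is not spent down and covers tokens the victim receives later. The following is an added example (not code from the article, from Check Point or from any token contract): a minimal in-memory model of ERC-20 allowance semantics, a demonstration of the exposure created by an unlimited approval versus an exact-amount approval with an explicit revoke, and the check a wallet warning screen or monitoring tool can apply before a user signs. Addresses, balances and the `known_spenders` set are constructed for the illustration.

```python
"""Added example: ERC-20 allowance semantics and an approval-risk check.
Not from the original article; token, addresses and amounts are constructed."""

from dataclasses import dataclass, field

# The "infinite" allowance value (type(uint256).max) that drainers request.
UINT256_MAX = 2**256 - 1


@dataclass
class ERC20Model:
    """Toy in-memory ERC-20: balances and allowances only (no gas, no events)."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        """ERC-20 approve: owner lets spender move up to `amount` of owner's tokens."""
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """ERC-20 transferFrom: spender moves owner's tokens within the allowance."""
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed:
            raise PermissionError("allowance exceeded")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount
        # As common implementations do, an unlimited allowance is not decremented.
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount


def approval_risk(spender, amount, known_spenders):
    """Classify an approval request the way a wallet warning screen might.
    Returns a list of reasons; an empty list means nothing was flagged."""
    reasons = []
    if amount == UINT256_MAX:
        reasons.append("unlimited allowance")
    if spender not in known_spenders:
        reasons.append("spender is not a known contract")
    return reasons


def exposure_after_unlimited_approval():
    """One signed unlimited approval lets tokens be taken later, including
    tokens that arrive in the wallet after the approval was granted."""
    token = ERC20Model(balances={"victim": 100})
    token.approve("victim", "drainer", UINT256_MAX)
    token.transfer_from("drainer", "victim", "drainer", 100)  # wallet emptied
    token.balances["victim"] += 50   # victim later receives more tokens
    token.transfer_from("drainer", "victim", "drainer", 50)   # emptied again
    return token.balances["victim"], token.balances["drainer"]


def exposure_with_bounded_approval():
    """Exact-amount approval plus an explicit revoke (approve 0) caps exposure."""
    token = ERC20Model(balances={"victim": 100})
    token.approve("victim", "dapp", 30)
    token.transfer_from("dapp", "victim", "dapp", 30)
    try:
        token.transfer_from("dapp", "victim", "dapp", 1)  # allowance used up
    except PermissionError:
        pass
    token.approve("victim", "dapp", 0)  # revoke any remaining allowance
    return token.balances["victim"], token.allowances[("victim", "dapp")]


if __name__ == "__main__":
    print("unlimited:", exposure_after_unlimited_approval())
    print("bounded:  ", exposure_with_bounded_approval())
    print(approval_risk("0xconstructed-unknown", UINT256_MAX, {"0xconstructed-router"}))
```

The mitigation follows from the model: approve only the amount a transaction needs, treat any request for `type(uint256).max` to an unfamiliar spender as a red flag, and revoke stale allowances with `approve(spender, 0)`, since a revoke is the only thing that closes the exposure once an unlimited approval has been signed.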

ERC-20 token “approve” transaction.

By analyzing stolen fund transactions on the blockchain, researchers identified over 150 victim addresses associated with the malicious application, while the attackers accumulated over $70,000 in stolen assets.

Despite the large number of victims, only 20 reported the scam through negative reviews.

The researchers at Check Point also discovered a previous attempt using a similar app named “WC Calculator,” which employed the same deceptive tactics and garnered over 5,000 downloads.

Funds accumulated in the attackers’ wallets

The malicious app exploited WalletConnect’s reputation to deceive users into installing it from Google Play.

The attackers successfully drained cryptocurrency from over 150 victims by leveraging social engineering and technical manipulation.

The app employed redirects and User-Agent checking to evade detection, making it difficult to identify and remove. This underscores the need for increased vigilance and stronger verification processes to protect users from such sophisticated cyberattacks in the decentralized finance landscape.


Aman Mishra
