IT security firm Check Point Research has revealed the existence of a crypto wallet drainer that employed “advanced evasion techniques” to operate undetected on the Google Play Store, resulting in the theft of over $70,000 within a five-month period. This malicious application masqueraded as the WalletConnect protocol, a well-known tool in the cryptocurrency space that enables users to link various crypto wallets to decentralized finance (DeFi) applications.
In a blog post dated September 26, Check Point Research described this incident as the first instance where wallet drainers specifically targeted mobile users. The app managed to attract over 10,000 downloads, aided by fake reviews and consistent branding that helped it rank highly in search results.
While more than 150 users fell victim to the scam, losing approximately $70,000, it’s important to note that not every user was affected. Some individuals either chose not to connect a wallet or recognized the application as a scam. Others may not have met the specific targeting criteria set by the malware.
The fake app first appeared on Google’s app store on March 21 and employed advanced evasion techniques that allowed it to remain undetected for over five months before being removed.
App Transformation and Deceptive Practices
Originally published under the name “Mestox Calculator,” the app underwent multiple name changes. Despite these alterations, its application URL continued to point to a seemingly innocuous website that hosted a calculator. This tactic enabled the attackers to circumvent both automated and manual checks by Google Play.
According to researchers, “This technique allows attackers to pass the app review process in Google Play, as automated and manual checks will load the ‘harmless’ calculator application.” What a user actually saw, however, depended on the geographic location of their IP address and on whether they were browsing from a mobile device. Visitors who matched the targeting criteria were redirected to the malicious backend that housed the wallet-draining software known as MS Drainer.
Much like other scams designed to drain wallets, the counterfeit WalletConnect app prompted users to connect their wallets. This request seemed legitimate given how the authentic WalletConnect app operates.
Upon connecting, users were asked to accept various permissions to “verify their wallet.” By approving this seemingly harmless request, victims unknowingly granted the attacker permission to transfer the maximum amount of the specified assets out of their wallets.
Check Point Research elaborated, stating, “The application retrieves the value of all assets in the victim’s wallets. It first attempts to withdraw the more expensive tokens, followed by the cheaper ones.” This methodical approach highlights the sophistication of the scam and the attackers’ intent to maximize their ill-gotten gains.
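The “verify your wallet” step described above is, in approval-based drainers generally, a token approval signed by the victim; as an added illustration that is not part of Check Point’s report, the helper below decodes an ERC-20 `approve()`/`increaseAllowance()` call before it is signed and flags the unlimited-allowance pattern such drainers depend on. The spender address and calldata are constructed, and mapping this app’s prompt to an ERC-20 approval is an assumption, not something the article states.

```python
# Added defensive example: inspect ERC-20 approval calldata before signing.
# Assumption (not from the article): the drainer's "verify wallet" prompt is an
# ERC-20 approve()/increaseAllowance() request with an unlimited amount.
from dataclasses import dataclass
from typing import Optional, Set

APPROVE_SELECTOR = "095ea7b3"             # keccak256("approve(address,uint256)")[:4]
INCREASE_ALLOWANCE_SELECTOR = "39509351"  # keccak256("increaseAllowance(address,uint256)")[:4]
MAX_UINT256 = 2**256 - 1

@dataclass
class ApprovalRequest:
    spender: str   # 0x-prefixed, lower-case address being granted the allowance
    amount: int    # allowance in the token's smallest unit
    unlimited: bool

def decode_approval(calldata: str) -> Optional[ApprovalRequest]:
    """Return the decoded approval, or None if calldata is not an approval."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64:           # selector + two 32-byte ABI words
        return None
    selector, spender_word, amount_word = data[:8], data[8:72], data[72:]
    if selector not in (APPROVE_SELECTOR, INCREASE_ALLOWANCE_SELECTOR):
        return None
    if spender_word[:24] != "0" * 24:      # address lives in the low 20 bytes
        return None
    amount = int(amount_word, 16)
    return ApprovalRequest("0x" + spender_word[24:], amount, amount == MAX_UINT256)

def assess(calldata: str, trusted_spenders: Set[str]) -> str:
    """Verdict for a wallet prompt: 'not-approval', 'ok', or 'warn'.

    An unlimited allowance to a spender the user has not vetted is exactly the
    grant a drainer needs to sweep the whole token balance later, at its leisure.
    """
    req = decode_approval(calldata)
    if req is None:
        return "not-approval"
    if req.spender not in trusted_spenders and req.unlimited:
        return "warn"
    return "ok"

# Constructed sample: approve(0x1111...1111, 2**256 - 1), i.e. unlimited allowance.
SAMPLE_UNLIMITED = "0x" + APPROVE_SELECTOR + "0" * 24 + "1" * 40 + "f" * 64

if __name__ == "__main__":
    print(decode_approval(SAMPLE_UNLIMITED))
    print(assess(SAMPLE_UNLIMITED, trusted_spenders=set()))  # warn
```

A wallet or browser extension can run the same check on the `data` field of any `eth_sendTransaction` request and ask the user to confirm a bounded amount instead.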
Evolving Cybercriminal Tactics
Check Point Research emphasized that this incident underscores the increasing sophistication of cybercriminal tactics. Rather than relying on simple attack vectors such as abusive app permissions or keylogging, the malicious app used smart contracts and deep links to drain assets silently.
“The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app,” the researchers noted.
This incident serves as a critical reminder for users to remain cautious regarding the applications they download, even when they appear legitimate.
In light of this incident, Check Point Research urged users to be vigilant about the applications they choose to install. The researchers also emphasized the need for app stores to enhance their verification processes to prevent similar malicious apps from appearing in the future.
“The crypto community needs to continue to educate users about the risks associated with Web3 technologies,” they stated. “This case illustrates that even seemingly innocuous interactions can lead to significant financial losses.”
In a digital landscape where threats continue to evolve, the importance of user education and robust security measures cannot be overstated.
The discovery of the crypto wallet drainer on the Google Play Store highlights a significant security vulnerability in mobile applications targeting cryptocurrency users. As cybercriminals become increasingly sophisticated in their tactics, both users and platform providers must remain vigilant in their efforts to protect against such threats.
As the cryptocurrency landscape continues to grow, the responsibility lies with both users and developers to prioritize security. This incident not only sheds light on the risks associated with mobile applications but also calls for a broader conversation about the measures necessary to ensure the safety of users engaging with digital assets.