Malicious App Steals Over $70,000 from Crypto Users: How Did It Happen?
A recent discovery by Check Point Research has sent shockwaves through the cryptocurrency community, revealing a fraudulent app that syphoned more than $70,000 from unsuspecting mobile users over a period of five months.
Disguised as the legitimate WalletConnect protocol, the malicious software managed to bypass Google's security measures, making it one of the most significant threats in the mobile crypto space to date.
[Image: X account of the legitimate WalletConnect protocol]
How the Fake WalletConnect App Gained Traction
Initially released under the name "Mestox Calculator" on March 21, the fake WalletConnect app utilised a series of deceptive tactics to gain credibility and visibility on the Google Play Store.
[Image: Fake WalletConnect app on Google Play Store, featuring a logo resembling that of the legitimate product]
Check Point Research noted that “fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results.”
[Image: Fake reviews on Google Play Store]
Among the fake and negative reviews, only twenty users reported the app as a scam on Google Play, suggesting many victims may still be uncertain about the loss of their funds.
This manipulation of the app store's review system allowed the malware to thrive despite numerous negative comments from users.
The app's presence in search results was further bolstered by misleading branding that mimicked a trusted name in the crypto space, thereby attracting a wide audience.
[Image: Process of the real WalletConnect protocol]
What Made the App Difficult to Detect?
The malicious app cleverly employed “advanced evasion techniques” to remain undetected while it executed its nefarious activities.
Once downloaded, the app redirected users based on their IP address and device type.
Those who accessed it from a mobile device were sent to a backend that housed the wallet-draining software known as MS Drainer.
Check Point explained,
“This technique allows attackers to pass the app review process in Google Play, as automated and manual checks will load the ‘harmless’ calculator application.”
[Image: The workflow of the fake application]
The app's camouflage was so effective that many users were oblivious to its true intentions.
When prompted to connect their wallets, they believed it was a standard procedure aligned with legitimate wallet applications.
Unbeknownst to them, they were granting the app extensive permissions to manipulate their assets.
How Did the Attack Unfold?
Once users linked their wallets, the app required them to accept various permissions under the guise of verifying their accounts.
This crucial step allowed the attacker to execute unauthorised transactions directly from the victims' wallets.
“The application retrieves the value of all assets in the victim’s wallets. It first attempts to withdraw the more expensive tokens, followed by the cheaper ones,” Check Point noted.
The malicious software operated through smart contracts, which facilitated the stealthy transfer of funds to the attackers' addresses.
As one victim described the experience,
“It looked like a normal app, and I thought I was just connecting my wallet like I always do.”
In reality, users unknowingly provided the attackers with the ability to transfer “the maximum amount of the specified asset,” enabling ongoing theft without any further user interaction.
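The "maximum amount of the specified asset" wording above matches how token drainers typically operate: the victim signs an approval that lets an attacker-controlled spender move their whole balance, and the attacker's contract then calls `transferFrom` later without any further interaction. The article does not name the exact contract calls used here, so the following is an added example (not code from the article or from Check Point) built on that assumption. It decodes the calldata of an EIP-20 `approve(address,uint256)` or ERC-721/1155 `setApprovalForAll(address,bool)` request the way a wallet or a pre-signing review tool would, and flags unlimited or over-balance allowances. The function selectors are the standard ones; the spender addresses, balances and the `encode_approve` helper used to construct sample input are made up for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

UINT256_MAX = 2**256 - 1

# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool)
}


@dataclass
class ApprovalFinding:
    function: str
    spender: str
    amount: Optional[int]   # None for setApprovalForAll
    unlimited: bool
    risk: str               # "low", "medium" or "high"


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return chunk


def assess_approval(calldata_hex: str,
                    token_balance: Optional[int] = None,
                    trusted_spenders: tuple = ()) -> Optional[ApprovalFinding]:
    """Decode a transaction's calldata; return a finding if it grants an allowance.

    Heuristic (an assumption of this example, not a standard): any amount in the
    upper half of uint256 is treated as 'unlimited', since drainers and dApps
    alike use 2**256-1 or similar 'effectively infinite' values.
    """
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return None  # not an allowance-granting call (e.g. a plain transfer)

    spender = "0x" + _word(data, 0)[12:].hex()
    trusted = spender.lower() in {s.lower() for s in trusted_spenders}

    if name == "setApprovalForAll":
        approved = int.from_bytes(_word(data, 1), "big") == 1
        if not approved:
            return ApprovalFinding(name, spender, None, False, "low")
        # Blanket operator approval over every token in the collection.
        return ApprovalFinding(name, spender, None, True,
                               "medium" if trusted else "high")

    amount = int.from_bytes(_word(data, 1), "big")
    unlimited = amount >= UINT256_MAX // 2
    if unlimited:
        risk = "medium" if trusted else "high"
    elif token_balance is not None and amount > token_balance:
        risk = "medium"  # more than the wallet currently holds
    else:
        risk = "low"
    return ApprovalFinding(name, spender, amount, unlimited, risk)


def encode_approve(spender: str, amount: int) -> str:
    """Construct approve(spender, amount) calldata for sample input."""
    s = spender.lower().removeprefix("0x")
    return "0x095ea7b3" + s.rjust(64, "0") + format(amount, "064x")


if __name__ == "__main__":
    # Constructed sample: an unknown spender asking for an unlimited allowance,
    # which is the pattern a wallet should warn about before the user signs.
    unknown_spender = "0x" + "ab" * 20
    finding = assess_approval(encode_approve(unknown_spender, UINT256_MAX),
                              token_balance=1_000)
    print(finding)
```

A wallet that shows the decoded spender and amount, rather than an opaque "verify your account" prompt, is what would have turned the approval step described above into a visible decision for the victim.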
What Are the Implications for Mobile Security?
This incident highlights a pressing issue within the cryptocurrency ecosystem: the increasing sophistication of cybercriminal tactics.
The fake app did not rely on conventional methods such as keylogging or excessive permission requests; instead, it leveraged the technical complexities of decentralised finance to carry out its malicious agenda.
Check Point emphasised the need for users to remain vigilant about the applications they download, stating,
“This incident highlights the growing sophistication of cybercriminal tactics.”
Despite the fraudulent app being removed from the Google Play Store, the damage was significant.
More than 150 users fell victim to the scam, with many losing substantial amounts of cryptocurrency.
Check Point identified token transactions from over 150 addresses across EVM networks, estimating the attackers have accumulated over $70,000 in assets.
Experts in the field are now urging users to educate themselves about the risks associated with Web3 technologies and to exercise caution when interacting with mobile applications related to their digital assets.
How Can Users Protect Themselves?
In light of this alarming incident, cybersecurity experts are calling for improved verification processes on app distribution platforms.
Users must take proactive measures to safeguard their assets, such as verifying the legitimacy of any app before linking their wallets.
Check Point warned,
“The crypto community needs to continue to educate users about the risks associated with Web3 technologies.”
As cryptocurrency continues to evolve, so too do the tactics employed by scammers.
This episode serves as a crucial reminder of the vulnerabilities inherent in mobile applications and the importance of continuous vigilance in the digital asset landscape.