A report by Check Point Research (CPR) has uncovered a crypto wallet-draining app on the Google Play Store that masqueraded as the popular WalletConnect app. CPR found that the app used what it called "advanced evasion techniques" to steal roughly $70,000 (about Rs. 58.6 lakh) from unsuspecting users over five months. Analysis of the app's JavaScript code identified the drainer as "MS Drainer", part of a growing trend of increasingly sophisticated crypto scams; recent FBI reports likewise warn that cybercriminals have become more efficient at carrying out attacks worldwide.
“Check Point Research (CPR) has discovered a malicious app in the Google Play Store designed to steal cryptocurrency, marking the first time a drainer has exclusively targeted mobile users. To pose as a legitimate Web3 application tool, the attackers exploited the trusted name of the WalletConnect protocol, which connects crypto wallets to decentralized applications,” the report said.
The fake app, which has since been taken down, was downloaded more than 10,000 times. It ranked at the top of Google Play Store search results for 'WalletConnect', helped by multiple reviews that the CPR report flagged as fake.
What is WalletConnect
WalletConnect is an open-source protocol that connects decentralized applications (dApps) to crypto wallets, typically by scanning a QR code or following a deep link. The wallet keeps the private keys and only returns signatures the user approves, so users can interact with blockchain-based applications without exposing those keys to the dApp.
According to CPR, the fake app, which mimics the look and feel of WalletConnect, was built with the Median.co web-to-app service. It was first published on the Google Play Store on March 21, 2024 under the name "Mestox Calculator" and has changed names several times since.
“An inexperienced user might conclude that this is a separate wallet application that needs to be downloaded and installed. Attackers are hijacking the confusion, hoping users will search for the WalletConnect app in the app store,” the report said.
WalletConnect's official X account confirmed the incident in a post to its followers.
The WalletConnect Foundation is aware of a recent scam in which malicious actors developed a malicious app exploiting the WalletConnect name and made it available on the Google Play Store. The app has been removed from the Google Play store. The foundation reminds everyone that there is no…
— WalletConnect (@WalletConnect) September 29, 2024
How the malicious WalletConnect scam worked
Once installed, the fake app immediately prompted users to link a crypto wallet. Tapping one of the wallet buttons redirected the user, via a deep link, to a malicious website. Under the pretext of "verifying" the wallet, the site asked users to approve several transactions in succession; each approval actually authorized the attackers to move the victim's assets.
“We assume that users install this malicious application to connect their wallet to Web3 applications that do not support direct wallet connections such as MetaMask, Binance Wallet or Trust Wallet, but only use the WalletConnect protocol. They probably expect the downloaded WalletConnect app to function as some sort of proxy. Therefore, the link request does not appear suspicious,” the report explained.
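The approval-bait flow described above is the generic wallet-drainer pattern: the attacker's site pushes signing requests over the wallet session, typically ERC-20 approve calls, NFT setApprovalForAll calls or plain value transfers, dressed up as "verification". What follows is an added example, not code from Check Point Research, WalletConnect or the malicious app, of how a wallet or session handler could screen eth_sendTransaction requests before showing the user a signing prompt. It generalizes beyond the article: the function selectors are the standard ERC-20/721 ones, the addresses are constructed placeholders, the allowlist of trusted spenders is an assumption, and the burst threshold is illustrative.

```javascript
// Added example (not CPR's, WalletConnect's or the drainer's code): screen
// eth_sendTransaction requests arriving over a dApp session for the calls a
// drainer relies on, and block the session when flagged requests come in a burst.

const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selectors: first 4 bytes of keccak256 of the canonical signature.
const SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)',
  '0x39509351': 'increaseAllowance(address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0xa9059cbb': 'transfer(address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
};

// Minimal ABI helpers: every argument handled here occupies one 32-byte word.
function abiWord(data, i) { return data.slice(10 + i * 64, 10 + (i + 1) * 64); }
function abiAddress(data, i) { return '0x' + abiWord(data, i).slice(24).toLowerCase(); }
function abiUint(data, i) { return BigInt('0x' + abiWord(data, i)); }

// Build calldata for the constructed sample requests (addresses, bigints, booleans).
function encodeCall(selector, args) {
  const words = args.map((a) => {
    if (typeof a === 'boolean') a = a ? 1n : 0n;
    if (typeof a === 'string') return a.slice(2).toLowerCase().padStart(64, '0');
    return a.toString(16).padStart(64, '0');
  });
  return selector + words.join('');
}

function decodeCall(data) {
  if (!data || data.length < 10) return { fn: null, args: [], malformed: false };
  const fn = SELECTORS[data.slice(0, 10).toLowerCase()] || null;
  const types = fn ? fn.slice(fn.indexOf('(') + 1, -1).split(',') : [];
  if (data.length < 10 + 64 * types.length) return { fn: null, args: [], malformed: true };
  const args = types.map((t, i) =>
    t === 'address' ? abiAddress(data, i) : t === 'bool' ? abiUint(data, i) !== 0n : abiUint(data, i));
  return { fn, args, malformed: false };
}

// Returns { fn, severity: 'ok'|'warn'|'block', reasons } for one request.
function screenTransaction(tx, opts = {}) {
  const trusted = new Set((opts.allowlist || []).map((a) => a.toLowerCase()));
  const RANK = { ok: 0, warn: 1, block: 2 };
  const { fn, args, malformed } = decodeCall(tx.data);
  const reasons = [];
  let severity = 'ok';
  const flag = (level, why) => { reasons.push(why); if (RANK[level] > RANK[severity]) severity = level; };

  if (malformed) flag('warn', 'malformed calldata');
  if (fn === 'approve(address,uint256)' || fn === 'increaseAllowance(address,uint256)') {
    const [spender, amount] = args;
    if (!trusted.has(spender)) flag('warn', `allowance for unknown spender ${spender}`);
    // Unlimited allowance to an unknown spender is the classic drainer ask.
    if (amount === MAX_UINT256) flag(trusted.has(spender) ? 'warn' : 'block', 'unlimited allowance requested');
  } else if (fn === 'setApprovalForAll(address,bool)') {
    const [operator, approved] = args;
    if (approved && !trusted.has(operator)) flag('block', `operator approval over all NFTs to unknown ${operator}`);
  } else if (fn === 'transfer(address,uint256)' || fn === 'transferFrom(address,address,uint256)') {
    const to = fn.startsWith('transfer(') ? args[0] : args[1];
    if (!trusted.has(to)) flag('warn', `token transfer to unknown address ${to}`);
  }
  const value = BigInt(tx.value || '0x0');
  if (value > 0n && !trusted.has((tx.to || '').toLowerCase())) flag('warn', `${value} wei to unknown address ${tx.to}`);
  return { fn, severity, reasons };
}

// Drainers chain several signing prompts in a row; a burst of flagged
// requests from one session is treated as a drain attempt regardless of level.
class SessionScreener {
  constructor(opts = {}) {
    this.opts = opts;
    this.windowMs = opts.windowMs ?? 60_000; // illustrative window
    this.burst = opts.burst ?? 3;            // illustrative threshold
    this.flaggedAt = [];
  }
  submit(tx, nowMs) {
    const result = screenTransaction(tx, this.opts);
    this.flaggedAt = this.flaggedAt.filter((t) => nowMs - t < this.windowMs);
    if (result.severity !== 'ok') {
      this.flaggedAt.push(nowMs);
      if (this.flaggedAt.length >= this.burst) {
        result.severity = 'block';
        result.reasons.push(`${this.flaggedAt.length} flagged requests within ${this.windowMs} ms`);
      }
    }
    return result;
  }
}

// Constructed placeholder addresses (not real contracts).
const ROUTER = '0x1111111111111111111111111111111111111111';  // assumed-trusted DEX router
const DRAINER = '0x2222222222222222222222222222222222222222'; // attacker-controlled
const TOKEN = '0x3333333333333333333333333333333333333333';   // some ERC-20 the victim holds

// Replay a constructed session: one legitimate approval, then the drainer's asks.
function demo() {
  const screener = new SessionScreener({ allowlist: [ROUTER] });
  const requests = [
    { to: TOKEN, data: encodeCall('0x095ea7b3', [ROUTER, 1000n]) },         // ordinary swap approval
    { to: TOKEN, data: encodeCall('0x095ea7b3', [DRAINER, MAX_UINT256]) },  // unlimited allowance to attacker
    { to: TOKEN, data: encodeCall('0xa22cb465', [DRAINER, true]) },         // every NFT in the collection
    { to: DRAINER, data: '0x', value: '0xde0b6b3a7640000' },                // 1 ETH straight out
  ];
  return requests.map((tx, i) => screener.submit(tx, 1_000 * i).severity);
}

console.log(demo()); // [ 'ok', 'block', 'block', 'block' ]
```

The screen is deliberately conservative: an approval is only "ok" when the spender is on a wallet-maintained allowlist, and the fourth request, a plain value transfer that on its own only warrants a warning, is escalated because it arrives as the third flagged request in the same session. A real wallet would also decode EIP-2612 permit signatures and typed-data requests, which this example leaves out.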
CPR said in its report that incidents like these highlight the advanced techniques now being used against the crypto sector, which is currently valued at $2.27 trillion (roughly Rs. 1,90,20,364 crore). The report urges users to remain alert and cautious about the apps they download, even when those apps appear legitimate.
As far back as 2023, a Sophos report found crypto fraudsters preying on Android users with the help of AI tools. Crypto scammers have also been seen exploiting Google search ads to promote scam websites.