Cybersecurity researchers have uncovered a malicious Android app on the Google Play Store, responsible for stealing around $70,000 in cryptocurrency from users over nearly five months.
The app, flagged by Check Point, posed as an official client for the legitimate open-source WalletConnect protocol, deceiving users into downloading it.
"Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results," Check Point's analysis revealed. Check Point describes this as the first known instance of a cryptocurrency drainer that targets mobile users exclusively.
The scam is believed to have affected more than 150 users, though not all who downloaded the app fell victim to the attack.
The fraudulent app appeared under various names like "Mestox Calculator," "WalletConnect - DeFi & NFTs," and "WalletConnect - Airdrop Wallet" (co.median.android.rxqnqb). While it has been removed from the Google Play Store, analytics from Sensor Tower show it was particularly popular in Nigeria, Portugal, and Ukraine. It was linked to a developer called UNS LIS, who was also behind another app titled "Uniswap DeFI" (com.lis.uniswapconverter) that briefly remained on the Play Store between May and June 2023. However, it’s unclear if the latter app contained malicious components.
Although no longer available on official platforms, both apps can still be downloaded from third-party sources, underscoring the dangers of downloading APK files from unofficial marketplaces.
Once installed, the fake WalletConnect app behaves as a thin wrapper around a web page (the co.median.android package prefix is the one used by the Median, formerly GoNative, web-to-app builder). That page profiles each visitor by IP address and User-Agent string. Visitors who pass the checks are redirected again to a site impersonating Web3Inbox; those who fail them, such as desktop browsers, are sent to a legitimate site. Because automated review and casual analysis rarely present as a mobile user in the targeted regions, the benign branch is what reviewers see, which helped the app survive on the Play Store.
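The cloaking described above is easiest to confirm by requesting the landing URL twice, once as a desktop browser and once as an Android browser, and comparing where each request ends up. The script below is an added example, not Check Point's tooling or anything from the malicious app; the user-agent strings, the `.example` hostnames and the constructed redirect chains are assumptions, since the article does not publish the redirect targets beyond "a site impersonating Web3Inbox".

```python
"""Compare the redirect chain a landing page serves to a desktop browser with
the one it serves to an Android browser.

Added example (not Check Point's or the app's code). The user-agent strings
and the sample chains in the test are constructed; only the comparison logic
is exercised offline, redirect_chain() needs network access.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

UA_DESKTOP = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
UA_ANDROID = ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36")
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so every hop surfaces as an HTTPError
    and can be recorded one at a time."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def redirect_chain(url, user_agent, max_hops=10, timeout=10):
    """Return the list of URLs visited for this User-Agent, starting with url.
    The chain stops at the first 2xx, at a non-redirect error, or at max_hops."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], headers={"User-Agent": user_agent})
        try:
            with opener.open(req, timeout=timeout):
                return chain                      # 2xx: final landing page
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in REDIRECT_CODES and location:
                chain.append(urljoin(chain[-1], location))  # relative Location allowed
                continue
            return chain                          # 4xx/5xx: stop here
    return chain                                  # loop or too deep


def host_of(url):
    return urlsplit(url).hostname or ""


def is_cloaked(desktop_chain, mobile_chain):
    """Flag when the two clients end on different hosts. Paths may legitimately
    differ (mobile sites, locales), so only the final host is compared."""
    return host_of(desktop_chain[-1]) != host_of(mobile_chain[-1])


def check_url(url):
    """Live check: True if desktop and Android visitors land on different hosts."""
    return is_cloaked(redirect_chain(url, UA_DESKTOP), redirect_chain(url, UA_ANDROID))
```

A User-Agent swap only covers half of the fingerprint: the server also keyed on the client IP, which headers cannot change, so a negative result from an office or cloud address means little. Repeat the mobile request from a mobile carrier network or an exit node in one of the countries where the app was popular before concluding that a page is clean.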
The malware's main component is a cryptocurrency drainer known as MS Drainer, which prompts users to connect their wallets and sign a series of transactions under the guise of wallet verification.
The connected wallet's details are sent to a command-and-control server (cakeserver[.]online), which responds with instructions for the malicious transactions to initiate, moving funds to an attacker-controlled wallet.
"Similar to the theft of native cryptocurrency, the malicious app first tricks the user into signing a transaction in their wallet," said Check Point's researchers. "Through this transaction, the victim grants permission for the attacker's address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF to transfer the maximum amount of the specified asset."
The signed transaction is a token approval: it grants the attacker's address an allowance over the victim's tokens, and the attacker then pulls them to a separate wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1). Because the allowance persists independently of the app, the attacker can keep draining any balance that arrives in the victim's wallet until the victim revokes it by setting the allowance back to zero.
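The approval described in the two paragraphs above is a standard ERC-20 approve(spender, amount) call with amount set to the maximum uint256, and the "keep draining" step is transferFrom(victim, collector, amount) issued by the approved spender. The code below is an added example, not Check Point's tooling or the drainer's code: it decodes such calldata, flags the unlimited-approval pattern a wallet or transaction simulator should warn about, and builds the approve(spender, 0) call that revokes it. The function selectors are the published ERC-20 ones; the spender address is the attacker address quoted in the article, and all calldata is constructed inline.

```python
"""Decode ERC-20 calldata, flag unlimited approvals, build the revoke call.

Added example (not Check Point's or the malware's code). Selectors are the
first four bytes of keccak256(signature); they are hard-coded because
hashlib offers SHA3 but not the Keccak variant Ethereum uses.
"""
from dataclasses import dataclass
from typing import Optional

MAX_UINT256 = 2**256 - 1

# selector (hex) -> Solidity signature
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
SELECTOR_BY_NAME = {sig.split("(")[0]: sel for sel, sig in SELECTORS.items()}

ATTACKER_SPENDER = "0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF"   # from the article
COLLECTOR_WALLET = "0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1"   # from the article


@dataclass
class DecodedCall:
    function: str
    args: tuple
    spender: Optional[str]      # set only for approve()
    unlimited_approval: bool    # approve() with amount == 2**256 - 1


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata too short for argument %d" % index)
    return word


def _address(word: bytes) -> str:
    # ABI left-pads a 20-byte address with 12 zero bytes; anything else is malformed
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def decode_erc20_call(calldata: str) -> DecodedCall:
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    signature = SELECTORS.get(data[:4].hex())
    if signature is None:
        raise ValueError("unknown selector 0x" + data[:4].hex())
    name = signature.split("(")[0]
    if name == "approve":
        spender, amount = _address(_word(data, 0)), _uint(_word(data, 1))
        return DecodedCall(name, (spender, amount), spender, amount == MAX_UINT256)
    if name == "transfer":
        to, amount = _address(_word(data, 0)), _uint(_word(data, 1))
        return DecodedCall(name, (to, amount), None, False)
    sender, to, amount = _address(_word(data, 0)), _address(_word(data, 1)), _uint(_word(data, 2))
    return DecodedCall(name, (sender, to, amount), None, False)


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata; amount == 0 is the revoke."""
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount out of uint256 range")
    addr = bytes.fromhex(spender[2:] if spender.startswith("0x") else spender)
    if len(addr) != 20:
        raise ValueError("address must be 20 bytes")
    return "0x" + SELECTOR_BY_NAME["approve"] + (b"\x00" * 12 + addr).hex() \
        + amount.to_bytes(32, "big").hex()


def revoke_calldata(spender: str) -> str:
    """The transaction a victim must send to every token contract they approved."""
    return encode_approve(spender, 0)


if __name__ == "__main__":
    drainer_call = encode_approve(ATTACKER_SPENDER, MAX_UINT256)   # what the victim signed
    print(decode_erc20_call(drainer_call))
    print("revoke with:", revoke_calldata(ATTACKER_SPENDER))
```

Two caveats for anyone building this into a wallet warning: an allowance is per token contract, so the revoke has to be sent to each token the victim approved, and a drainer can avoid the approve() selector entirely by asking for an EIP-2612 permit signature instead, which is an off-chain signature and never appears as calldata from the victim's address.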
Check Point also uncovered another app, "Walletconnect | Web3Inbox" (co.median.android.kaebpq), with similar traits, previously available on the Play Store in February 2024. It garnered over 5,000 downloads.
"This case underscores the increasing sophistication of cybercriminal methods, especially within decentralized finance, where users often depend on third-party tools and protocols to manage digital assets," the company said. "The malicious app didn't rely on traditional attacks like permissions or keylogging but instead used smart contracts and deep links to silently drain funds once users were duped into interacting with it."
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067