Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that enabled the threat actors behind it to steal approximately $70,000 in cryptocurrency from victims over a period of nearly five months.
The dodgy app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it.
“Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results,” the cybersecurity company said in an analysis, adding it’s the first time a cryptocurrency drainer has exclusively targeted mobile device users.
Over 150 users are estimated to have fallen victim to the scam, although it’s believed that not all users who downloaded the app were impacted by the cryptocurrency drainer.
The campaign involved distributing a deceptive app that went by several names such as “Mestox Calculator,” “WalletConnect – DeFi & NFTs,” and “WalletConnect – Airdrop Wallet” (co.median.android.rxqnqb).
While the app is no longer available for download from the official app marketplace, data from SensorTower shows that it was popular in Nigeria, Portugal, and Ukraine, and linked to a developer named UNS LIS.
The developer has also been associated with another Android app called “Uniswap DeFI” (com.lis.uniswapconverter) that remained active on the Play Store for about a month between May and June 2023. It’s currently not known if the app had any malicious functionality.
However, both apps can be downloaded from third-party app store sources, once again highlighting the risks posed by downloading APK files from other marketplaces.
Once installed, the fake WallConnect app is designed to redirect users to a bogus website based on their IP address and User-Agent string, and if so, redirect them a second time to another site that mimics Web3Inbox.
Users who don’t meet the required criteria, including those who visit the URL from a desktop web browser, are taken to a legitimate website to evade detection, effectively allowing the threat actors to bypass the app review process in the Play Store.
Besides taking steps to prevent analysis and debugging, the core component of the malware is a cryptocurrency drainer known as MS Drainer, which prompts users to connect their wallet and sign several transactions to verify their wallet.
The information entered by the victim in each step is transmitted to a command-and-control server (cakeserver[.]online) that, in turn, sends back a response containing instructions to trigger malicious transactions on the device and transfer the funds to a wallet address belonging to the attackers.
“Similar to the theft of native cryptocurrency, the malicious app first tricks the user into signing a transaction in their wallet,” Check Point researchers said.
“Through this transaction, the victim grants permission for the attacker’s address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the ‘Address’ field in the configuration) to transfer the maximum amount of the specified asset (if allowed by its smart contract).”
In the next step, the tokens from the victim’s wallet are transferred to a different wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) controlled by the attackers.
This also means that if the victim does not revoke the permission to withdraw tokens from their wallet, the attackers can keep withdrawing the digital assets as soon as they appear without requiring any further action.
Check Point said it also identified another malicious app exhibiting similar features “Walletconnect | Web3Inbox” (co.median.android.kaebpq) that was previously available on Google Play Store in February 2024. It attracted more than 5,000 downloads.
“This incident highlights the growing sophistication of cybercriminal tactics, particularly in the realm of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets,” the company noted.
“The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app.”
