IT security firm Check Point Research has discovered a cryptocurrency wallet drainer that used “sophisticated evasion techniques” on the Google Play Store to steal more than $70,000 in five months.
This malicious app posed as WalletConnect, a well-known protocol in the cryptocurrency space that links cryptocurrency wallets to decentralized finance (DeFi) applications.
The company described the campaign in a blog post on September 26, calling it “the first Drainer to target exclusively mobile users.”
“Fake reviews and consistent branding helped the app rank highly in search results and achieve over 10,000 downloads,” Check Point Research said.
More than 150 users had around $70,000 siphoned off, but not all app users were targeted as some did not connect their wallets or assumed it was a scam. Others “may not meet the malware's specific targeting criteria,” Check Point Research said.
Some of the fake reviews about the spoofed WalletConnect app mentioned features unrelated to cryptocurrencies. Source: Check Point Research
It added that the fake app was launched on Google's app store on March 21 and used “sophisticated evasion techniques” to remain undetected for more than five months. It has since been removed.
The app was first published under the name “Mestox Calculator” and was renamed several times, while the application URL kept pointing to a seemingly innocuous website hosting a calculator.
“This technique allows attackers to bypass Google Play's app review process, as automatic and manual checks load a 'harmless' calculator application,” the researchers said.
However, depending on the geolocation of the user's IP address and whether the request came from a mobile device, that site redirected the visitor to the malicious backend hosting the wallet-draining software MS Drainer. Reviewers and automated scanners, which did not match those criteria, only ever saw the calculator.
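Cloaking of this kind is only visible when the same URL is fetched under different client fingerprints and the results are compared. The following is an added example, not code from Check Point's report or from the app: it probes one URL as a desktop reviewer, as a mobile user outside the targeted region, and as a mobile user inside it, and flags divergence. The fetcher is injected so the check runs offline against a constructed fake server; in real use you would wrap fetch() and route the "region" through a proxy or VPN exit in that country, because the server keys on the real source IP, not on a header. Profile names, the region code and the hostnames are assumptions made for the demo.

```javascript
// Added example: detect fingerprint-dependent cloaking by comparing what one
// URL serves to several client profiles. Nothing here contacts a real server.

// Hypothetical client profiles. "XX" stands for whatever region the operator
// targets; the user-agent strings are illustrative, not a fingerprint database.
const PROFILES = [
  { name: "desktop-review", region: "US", mobile: false },
  { name: "android-nontarget", region: "US", mobile: true },
  { name: "android-target", region: "XX", mobile: true },
];

function headersFor(profile) {
  return {
    "user-agent": profile.mobile
      ? "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36"
      : "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "accept-language": "en-US,en;q=0.9",
  };
}

// Cheap content fingerprint (djb2) so we compare bodies without storing them.
function fingerprint(text) {
  let h = 5381;
  for (let i = 0; i < text.length; i++) h = ((h * 33) ^ text.charCodeAt(i)) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// fetchImpl(url, { headers, region }) -> { finalUrl, body }. Synchronous here
// so the demo is self-contained; a real wrapper would await fetch() and follow
// redirects, recording the final URL.
function probeCloaking(url, fetchImpl, profiles = PROFILES) {
  const baseHost = new URL(url).host;
  const variants = profiles.map((p) => {
    const res = fetchImpl(url, { headers: headersFor(p), region: p.region });
    return { profile: p.name, host: new URL(res.finalUrl).host, digest: fingerprint(res.body) };
  });
  // Any difference in final host or content between profiles means the server
  // decides what to serve based on who is asking.
  const distinct = new Set(variants.map((v) => `${v.host}|${v.digest}`));
  const offHostProfiles = variants.filter((v) => v.host !== baseHost).map((v) => v.profile);
  return { cloaked: distinct.size > 1, offHostProfiles, variants };
}

// Constructed fake of a cloaking server: everyone gets the calculator page
// except mobile clients from the targeted region, who are bounced to another
// host serving a "connect your wallet" page.
function fakeCloakingServer(url, { headers, region }) {
  const isMobile = /Mobile/.test(headers["user-agent"]);
  if (isMobile && region === "XX") {
    return { finalUrl: "https://drainer.example.invalid/connect", body: "<html>Connect your wallet to verify</html>" };
  }
  return { finalUrl: url, body: "<html>Calculator</html>" };
}

// Constructed fake of an honest server, for comparison.
function fakeHonestServer(url) {
  return { finalUrl: url, body: "<html>Calculator</html>" };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(probeCloaking("https://calc.example.invalid/", fakeCloakingServer), null, 2));
}
```

The point of the three profiles is that a single "does it redirect?" check from a reviewer's desktop, or even from a mobile device in the wrong country, reports nothing; only the cross-profile comparison does.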
Diagram showing how the fake WalletConnect app worked to drain certain users' funds. Source: Check Point Research
Similar to other wallet exfiltration schemes, the fake WalletConnect app prompted users to connect their wallets, which was not suspicious given how the real app worked.
Users were then asked to accept various permissions to “verify their wallets.” What they were actually signing granted the attacker permission to “transfer a maximum amount of specified assets” to the attacker's address, according to Check Point Research.
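The report does not publish the exact contract calls MS Drainer used, so the following is an added example and not the app's code: it shows what a "verify your wallet" prompt typically asks a wallet to sign, an ERC-20 approve() or EIP-2612 permit() granting a spender an allowance, often the maximum uint256, and decodes such calldata so the allowance and spender are visible before signing. The function selectors are the standard ones; the spender addresses and the known-spender list are constructed for the demo.

```javascript
// Added example: decode wallet-transaction calldata and flag allowance grants
// to unknown spenders. Selectors are the standard 4-byte ids of the named
// functions; addresses below are constructed placeholders.

const MAX_UINT256 = (1n << 256n) - 1n;

const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  d505accf: "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)",
  a22cb465: "setApprovalForAll(address,bool)",
  a9059cbb: "transfer(address,uint256)",
  "23b872dd": "transferFrom(address,address,uint256)",
};

// Spenders the user has knowingly authorised (constructed; in practice a list
// of known routers/protocol contracts). Anything else is treated as unknown.
const KNOWN_SPENDERS = new Set(["0x" + "ab".repeat(20)]);

function toAddress(word) {
  return "0x" + word.slice(24); // last 20 bytes of the 32-byte word
}

function classifyCalldata(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const selector = hex.slice(0, 8);
  const fn = SELECTORS[selector] || "unknown";
  const args = [];
  for (let i = 8; i + 64 <= hex.length; i += 64) args.push(hex.slice(i, i + 64));

  const out = { selector, fn, risk: "low", reason: "not an allowance change" };

  if (fn.startsWith("approve(")) {
    const spender = toAddress(args[0]);
    const amount = BigInt("0x" + args[1]);
    const unlimited = amount === MAX_UINT256;
    Object.assign(out, { spender, amount: amount.toString(), unlimited });
    if (!KNOWN_SPENDERS.has(spender)) {
      out.risk = "high";
      out.reason = `grants ${unlimited ? "unlimited" : "an"} allowance to an unknown spender`;
    } else if (unlimited) {
      out.risk = "medium";
      out.reason = "unlimited allowance to a known spender";
    } else {
      out.reason = "bounded allowance to a known spender";
    }
  } else if (fn.startsWith("permit(")) {
    // Gasless approval: the signature itself is the grant; deadline is args[3].
    const spender = toAddress(args[1]);
    const value = BigInt("0x" + args[2]);
    Object.assign(out, { owner: toAddress(args[0]), spender, amount: value.toString(), unlimited: value === MAX_UINT256 });
    out.risk = KNOWN_SPENDERS.has(spender) ? "medium" : "high";
    out.reason = "permit() allowance to " + (KNOWN_SPENDERS.has(spender) ? "a known" : "an unknown") + " spender";
  } else if (fn.startsWith("setApprovalForAll(")) {
    const operator = toAddress(args[0]);
    const approved = BigInt("0x" + args[1]) === 1n;
    Object.assign(out, { operator, approved });
    if (approved && !KNOWN_SPENDERS.has(operator)) {
      out.risk = "high";
      out.reason = "grants an operator control over every NFT in the collection";
    }
  }
  return out;
}

// Encoding helpers so the demo can build realistic calldata inline.
function pad32(hex) {
  return hex.replace(/^0x/, "").padStart(64, "0");
}
function encodeApprove(spender, amount) {
  return "0x095ea7b3" + pad32(spender) + pad32(amount.toString(16));
}

if (typeof require !== "undefined" && require.main === module) {
  const attacker = "0x" + "11".repeat(20); // constructed drainer address
  console.log(classifyCalldata(encodeApprove(attacker, MAX_UINT256)));
}
```

A prompt labelled "verify" that decodes to approve() or permit() with a spender you did not choose is the drainer's whole trick; no private key leaves the device, the victim simply authorises the transfer.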
“The application captures the value of all assets in the victim's wallet. It first attempts to withdraw expensive tokens, then cheaper ones,” it added.
“This incident highlights the growing sophistication of cybercrime techniques,” Check Point Research wrote. “Malicious apps did not rely on traditional attack vectors like permissions or keylogging. Instead, they used smart contracts and deep links to silently drain users' assets once they were tricked into using the app.”
It added that users should “be wary of the applications they download, even if they appear legitimate” and that app stores need to improve their verification processes to stop malicious apps.
“The cryptocurrency community needs to continue educating users about the risks associated with Web3 technology,” the researchers said. “This incident shows that even seemingly innocuous interactions can lead to significant financial losses.”
Google did not immediately respond to a request for comment.
