
Malicious App On Google Play Steals Cryptocurrency From Android Users


Cybercriminals have recently shifted their focus to mobile devices, specifically targeting users with a malicious crypto drainer app disguised as the legitimate WalletConnect protocol. This deceptive app managed to remain undetected for over five months and was downloaded by unsuspecting users around 10,000 times. Exploiting the name of the well-known Web3 protocol, the app deceived users into thinking it was a legitimate application.

Before it was finally removed from Google Play, the app victimized over 150 users, causing financial losses exceeding $70,000. The incident, uncovered by Check Point researchers, illustrates the increasing sophistication of attacks against cryptocurrency users and the importance of vigilance in protecting digital assets.

WalletConnect, a protocol that bridges dApps and crypto wallets, became an attractive lure because of user confusion around it. When a wallet is outdated or a connection is unsupported, users may be led to believe that WalletConnect is a standalone wallet app they need to install, and that misconception is exactly what the perpetrators exploited in this case.

Attackers leveraged this confusion by creating a fake “WalletConnect” app with positive fake reviews, positioning it at the top of app store searches to deceive users into downloading the malicious app. Once downloaded, users inadvertently exposed their crypto assets to possible theft.

Further investigation revealed a malicious app disguised as a calculator on Google Play, built with Median[.]co’s service as a web wrapper app. It initially displayed only a basic calculator; depending on the visitor’s IP address and User-Agent, the backend then redirected real mobile users to a fake Web3Inbox interface while Google Play’s review process saw nothing but the calculator.

The core malicious script, obfuscated with anti-debugging techniques, was hosted on an external server and interacted with the user’s wallet through the fake interface. This method of operation made detection challenging since the app did not require special permissions.

The researchers at Check Point also discovered the existence of the MS Drainer, a crypto wallet drainer malware available for purchase at $1500. This malicious software, disguised as a WalletConnect app, aims to pilfer victims’ crypto assets by deceiving them into signing unauthorized transactions.

The malware establishes communication with a Command and Control (C&C) server using a proprietary encryption algorithm, retrieves the victim’s wallet address and network details, and checks for valuable assets. Once it finds them, the malware abuses the token “Approve” and “TransferFrom” functions: the victim is tricked into signing an approval that authorizes unlimited token transfers to an attacker-controlled address, which lets the attacker drain the wallet at any later point without further interaction from the victim.
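The drain described above hinges on the victim signing an `approve` call whose allowance is effectively unlimited. The following added example, which is not part of the Check Point research or the original article, shows how a wallet, a transaction-simulation service or an incident responder can decode the raw calldata of `approve` and `transferFrom` and flag the dangerous case before it is signed (or recognize it afterwards when tracing stolen funds). The calldata samples, the spender address and the balance figure are constructed for illustration; the selectors are the standard ERC-20 values.

```python
"""Decode ERC-20 approve()/transferFrom() calldata and flag unlimited approvals.

Added example for illustration; selectors are the standard ERC-20 ones,
all sample addresses and amounts below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# First 4 bytes of keccak256(canonical signature) for each function.
SEL_APPROVE = "095ea7b3"        # approve(address spender, uint256 amount)
SEL_TRANSFER_FROM = "23b872dd"  # transferFrom(address from, address to, uint256 amount)
MAX_UINT256 = 2**256 - 1


@dataclass
class Finding:
    function: str        # "approve" or "transferFrom"
    parties: dict        # decoded address arguments
    amount: int
    unlimited: bool      # allowance equals 2**256-1 (the classic drainer pattern)
    risk: str            # "high" or "low"
    reason: str


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return chunk


def _addr(word: bytes) -> str:
    """ABI addresses are left-padded to 32 bytes; the last 20 bytes are the address."""
    return "0x" + word[12:].hex()


def decode_calldata(calldata: str, balance: Optional[int] = None) -> Finding:
    """Decode approve/transferFrom calldata; `balance` is the signer's token balance, if known."""
    if calldata.startswith("0x"):
        calldata = calldata[2:]
    data = bytes.fromhex(calldata)
    selector = data[:4].hex()

    if selector == SEL_APPROVE:
        spender = _addr(_word(data, 0))
        amount = int.from_bytes(_word(data, 1), "big")
        unlimited = amount == MAX_UINT256
        if unlimited:
            risk, reason = "high", "unlimited allowance: spender can drain this token at any time"
        elif balance is not None and amount > balance:
            risk, reason = "high", "allowance exceeds current balance"
        else:
            risk, reason = "low", "bounded allowance"
        return Finding("approve", {"spender": spender}, amount, unlimited, risk, reason)

    if selector == SEL_TRANSFER_FROM:
        # Seen on-chain when the attacker cashes in an earlier approval; useful
        # for tracing victim ("from") and drain ("to") addresses after the fact.
        src = _addr(_word(data, 0))
        dst = _addr(_word(data, 1))
        amount = int.from_bytes(_word(data, 2), "big")
        return Finding("transferFrom", {"from": src, "to": dst}, amount, False,
                       "info", "transfer executed against a prior allowance")

    raise ValueError(f"unsupported selector 0x{selector}")


# Constructed sample: approve(0x1111...1111, 2**256-1), i.e. the drainer pattern.
SAMPLE_UNLIMITED_APPROVE = "0x" + SEL_APPROVE + "00" * 12 + "11" * 20 + "ff" * 32
# Constructed sample: approve(0x2222...2222, 1000) with a balance of 5000.
SAMPLE_BOUNDED_APPROVE = "0x" + SEL_APPROVE + "00" * 12 + "22" * 20 + (1000).to_bytes(32, "big").hex()


if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED_APPROVE, SAMPLE_BOUNDED_APPROVE):
        f = decode_calldata(sample, balance=5000)
        print(f"{f.function:12} risk={f.risk:4} amount={f.amount} {f.parties} :: {f.reason}")
```

A wallet that surfaces the decoded spender and a plain "unlimited allowance" warning, rather than an opaque hex blob, removes the single signature the drainer depends on; the same decoder run over on-chain `transferFrom` calls is how the victim and destination addresses can be enumerated when reconstructing an incident like this one.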

By analyzing the stolen-fund transactions on the blockchain, the researchers identified over 150 victim addresses associated with the malicious application, with more than $70,000 in assets accumulated by the attackers. Despite that number of victims, only 20 individuals reported the scam through negative reviews.

The perpetrators behind this malicious app successfully deceived users into installing it from Google Play by capitalizing on WalletConnect’s reputable name. By leveraging social engineering tactics and technical manipulations such as redirects and user-agent verification, the attackers managed to drain cryptocurrency from numerous victims. This incident emphasizes the critical need for enhanced vigilance and robust verification procedures to safeguard users from sophisticated cyberattacks within the decentralized finance landscape.
