A report by Check Point Research (CPR) uncovered a crypto wallet draining app on the Google Play Store, masquerading as the popular WalletConnect app. CPR found that the app used “advanced evasion techniques” to steal $70,000 (roughly Rs. 58.6 lakh) over five months from unsuspecting users. The malicious app, named “MS Drainer” after an analysis of its JavaScript code, is part of a growing trend of increasingly sophisticated crypto scams. Recent FBI reports also warn that cybercriminals have become more efficient in executing global attacks.
“Check Point Research (CPR) uncovered a malicious app on Google Play Store designed to steal cryptocurrency marking the first time a drainer has targeted mobile device users exclusively. To pose as a legitimate tool for Web3 apps, the attackers exploited the trusted name of the WalletConnect protocol, which connects crypto wallets to decentralised apps,” the report said.
The crypto wallet app, that has now been removed, managed to amass over 10,000 downloads. The fake platform emerged on top of the search on Google Play Store on searching for ‘WalletConnect’ owing to multiple reviews that the CPR report flagged as ‘fake’.
What is WalletConnect
WalletConnect is an open-source protocol that connects decentralised apps (dApps) with crypto wallets through QR codes, allowing users to interact with blockchain-based apps without exposing their private keys.
According to Check Point Research (CPR), a fake app mimicking WalletConnect’s appearance and functions was created using the web service Median.co. The app, initially named “Mestox Calculator,” was published on the Google Play Store on March 21, 2024, with its name changed several times since then.
“An inexperienced user might conclude that it is a separate wallet application that needs to be downloaded and installed. Attackers hijack the confusion, hoping that users will search for a WalletConnect app in the application store,” the report noted.
The X handle of WalletConnect acknowledged the development in a note to its followers.
The WalletConnect Foundation is aware of a recent scam where bad actors developed a malicious app that exploited the WalletConnect name and was available on the Google Play Store. The app has been removed from Google Play Store. The Foundation reminds everyone that there is no…
— WalletConnect (@WalletConnect) September 29, 2024
How Did WalletConnet’s Malicious Dupe Work
Upon download, the fake app quickly prompted users to connect their crypto wallets. When users clicked the wallet buttons, they were redirected to a malicious website via a deep link. To verify their wallets, the website requested users to approve multiple transactions consecutively, unknowingly authorizing fraudulent activity.
“We assume that users install this malicious app to connect their wallet to Web3 applications that do not support direct connections to wallets like MetaMask, Binance Wallet, or Trust Wallet, but only use the WalletConnect protocol. They likely expect the downloaded WalletConnect app to function as a sort of proxy. Therefore, the connection request does not appear suspicious,” the report explained.
The CPR, in its report, said incidents like these highlight the advance nature of techniques that are being used to target the crypto sector, that is presently valued at $2.27 trillion (roughly Rs. 1,90,20,364 crore). The website has strongly suggested users remain vigilant and wary of the applications they download, even when they appear legitimate.
Back in 2023, a Sophos report stated that crypto scammers have been fishing for victims on Android systems using AI tools. Crypto fraudsters were also identified to be exploiting advertisements on Google Search to promote scam websites.
