
Scam App Pretending to be WalletConnect Sneakily Steals $70K in Five-Month Scheme

Cybersecurity researchers recently uncovered a fraudulent Android app on the Google Play Store that allowed perpetrators to steal about $70,000 worth of cryptocurrency from victims over almost five months.

The deceptive app was posing as the legitimate WalletConnect open-source protocol to deceive unsuspecting users into installing it.

Fake reviews and consistent branding pushed the app high in Play Store search results and helped it amass more than 10,000 downloads, Check Point said in its analysis. The researchers describe it as the first cryptocurrency drainer to target mobile users specifically.

Around 150 users lost cryptocurrency to the scam; most of those who installed the app were not affected.

The app was distributed under several names, including “Mestox Calculator,” “WalletConnect – DeFi & NFTs,” and “WalletConnect – Airdrop Wallet” (package name co.median.android.rxqnqb).

The app has since been removed from the official store. Install data indicates it was most popular in countries including Nigeria, Portugal, and Ukraine, and the listing was tied to a developer named UNS LIS.

This developer has also been associated with another Android app called “Uniswap DeFI” (com.lis.uniswapconverter), which was active on the Play Store for a month between May and June 2023. It’s currently unclear if this app had any malicious intent.

Both apps can still be downloaded from third-party app stores, underscoring the risk of downloading APK files from unofficial sources.

Once launched, the fake WalletConnect app checks the visitor's IP address and User-Agent string and, for users it targets, redirects them to a fake website that tricks them into signing transactions that drain their cryptocurrency.

Visitors who do not fit the targeting criteria (which would include Google's reviewers and automated scanners) are sent to a legitimate site instead. This cloaking is how the app passed Play Store review and evaded detection for months.

Beyond these anti-analysis measures, the app embeds a drainer kit known as MS Drainer, which prompts users to connect their wallet and sign transactions that hand their digital assets to the attackers.

Wallet details submitted through the app are sent to a command-and-control server (cakeserver[.]online), which returns instructions for the illicit transactions that move funds to the attackers' wallet address.

The transactions the victim signs grant the attackers' smart contract permission to move tokens out of the wallet (a token allowance). Unless the victim revokes that approval, the attackers can keep withdrawing assets later, with no further action from the victim.
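To make that last point concrete, the following is an added example (not code from the Check Point report or from the app it describes) that decodes the raw calldata a wallet is asked to sign, flags the approval patterns a drainer relies on (an allowance to an unknown spender, an unlimited allowance, a blanket NFT operator approval) and builds the `approve(spender, 0)` transaction that revokes an ERC-20 allowance. It assumes the signing prompt is a standard ERC-20 `approve(address,uint256)` or ERC-721/1155 `setApprovalForAll(address,bool)` call; the spender address, the allow-list and the sample calldata are constructed for illustration, not taken from the incident.

```python
"""Decode and assess the calldata a wallet is asked to sign.

Added example; not code from the Check Point report or from the
malicious app. It assumes the drainer's "sign this transaction"
prompt is a standard ERC-20 approve(address,uint256) or ERC-721/1155
setApprovalForAll(address,bool) call, which is how an allowance that
"is not revoked" stays exploitable later. The addresses and calldata
below are constructed for illustration, not taken from the incident.
"""

# First 4 bytes of keccak256(signature) for the standard token functions.
SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve",
    bytes.fromhex("a22cb465"): "setApprovalForAll",
    bytes.fromhex("a9059cbb"): "transfer",
    bytes.fromhex("23b872dd"): "transferFrom",
}
UINT256_MAX = 2**256 - 1  # the "unlimited" allowance drainers ask for


def _word(calldata: bytes, index: int) -> bytes:
    """Return ABI word `index` (32 bytes) following the 4-byte selector."""
    start = 4 + 32 * index
    word = calldata[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def _u256(word: bytes) -> int:
    return int.from_bytes(word, "big")


def _address(word: bytes) -> str:
    # An address is the low 20 bytes of its left-padded 32-byte word.
    return "0x" + word[-20:].hex()


def decode_calldata(calldata: bytes) -> dict:
    """Map raw calldata to the token function and its arguments."""
    name = SELECTORS.get(calldata[:4])
    if name is None:
        return {"function": None, "selector": calldata[:4].hex()}
    if name == "approve":
        return {"function": name, "spender": _address(_word(calldata, 0)),
                "amount": _u256(_word(calldata, 1))}
    if name == "setApprovalForAll":
        return {"function": name, "operator": _address(_word(calldata, 0)),
                "approved": _u256(_word(calldata, 1)) != 0}
    if name == "transfer":
        return {"function": name, "to": _address(_word(calldata, 0)),
                "amount": _u256(_word(calldata, 1))}
    return {"function": name, "from": _address(_word(calldata, 0)),
            "to": _address(_word(calldata, 1)),
            "amount": _u256(_word(calldata, 2))}


def assess(decoded: dict, trusted_spenders: set) -> list:
    """Flag the approval patterns a drainer relies on."""
    findings = []
    fn = decoded.get("function")
    if fn == "approve" and decoded["amount"] > 0:
        if decoded["spender"].lower() not in trusted_spenders:
            findings.append("allowance granted to unknown spender " + decoded["spender"])
        if decoded["amount"] == UINT256_MAX:
            findings.append("unlimited allowance: every future balance can be pulled")
    elif fn == "setApprovalForAll" and decoded["approved"]:
        if decoded["operator"].lower() not in trusted_spenders:
            findings.append("blanket NFT operator approval to " + decoded["operator"])
    elif fn == "transferFrom":
        findings.append("pulls tokens from " + decoded["from"] + "; an allowance already exists")
    return findings


def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve(spender, amount) calldata; amount 0 is the revocation."""
    spender_word = bytes.fromhex(spender[2:]).rjust(32, b"\x00")
    return bytes.fromhex("095ea7b3") + spender_word + amount.to_bytes(32, "big")


def encode_revoke(spender: str) -> bytes:
    """The transaction a victim must send to close the hole: approve(spender, 0)."""
    return encode_approve(spender, 0)


# Constructed sample: a drainer asking for an unlimited allowance.
ATTACKER = "0x" + "aa" * 20          # hypothetical spender, not the real one
TRUSTED = {"0x" + "11" * 20}         # hypothetical allow-list of known router contracts
SAMPLE_CALLDATA = encode_approve(ATTACKER, UINT256_MAX)

if __name__ == "__main__":
    decoded = decode_calldata(SAMPLE_CALLDATA)
    print(decoded)
    for finding in assess(decoded, TRUSTED):
        print("WARNING:", finding)
    print("revoke calldata:", encode_revoke(ATTACKER).hex())
```

Run stand-alone, the script prints two warnings for the constructed sample (unknown spender, unlimited allowance) and the revocation calldata. The same decoder applied to a real pending transaction answers the question a victim of this app never got to ask: not "am I connecting my wallet?" but "which contract am I letting spend my tokens, and how much?".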

Check Point also identified another malicious app, “Walletconnect | Web3Inbox” (co.median.android.kaebpq), which was available on the Google Play Store in February 2024 and garnered over 5,000 downloads.

The case shows how cybercriminal tactics are evolving in decentralized finance, where users rely on third-party tools to manage their digital assets. The app did not depend on traditional mobile attack vectors; it used smart contracts and deep links to drain assets silently from users who had signed the transactions it requested.
