App installed from Google Play Store was a major scam ripping off 150 Android users

Fraudulent App Targets Web3 Users

In a recent discovery by security researchers at Check Point Research (CPR), a deceptive application named WalletConnect surfaced in the Google Play Store, cleverly designed to mislead web3 users. The name closely resembles that of the legitimate open-source protocol for connecting decentralized applications with blockchains and wallets, effectively creating confusion among potential users. The app’s icon mirrored the authentic WalletConnect logo, further blurring the lines between the real and the counterfeit.

The attackers demonstrated a keen understanding of their target audience, promoting the fraudulent app as a solution to common issues associated with the genuine WalletConnect protocol, particularly its lack of universal support among popular cryptocurrency wallets. Given that the legitimate WalletConnect protocol lacked an official app on the Play Store, the malicious version quickly gained traction, amassing over 10,000 installations.

While it is fortunate that the number of individuals who fell victim to the scam was significantly lower than the installation count, CPR identified over 150 addresses linked to verified transactions, indicating the extent of the deception. Upon installation, users were prompted to connect their cryptocurrency wallets to the app, believing they were engaging with a trustworthy platform.

Once linked, users were led to believe they would gain secure access to various web3 applications. Web3 is the new iteration of the web, built on blockchain technology, which aims to empower its community of users. However, after installing the app, victims were directed to select a new crypto wallet that supposedly supported the WalletConnect protocol. At this juncture, they were asked to authorize multiple transactions, which ultimately redirected them to a malicious website.

This fraudulent site collected sensitive information from victims’ wallets. Utilizing smart contracts, the attackers executed token transfers from the victims’ wallets to their own, often converting more valuable cryptocurrencies into less valuable ones. CPR noted that this incident marks the first time a “crypto drainer” has specifically targeted mobile device users.

Despite the presence of Google Play Protect, which automatically safeguards Android users against known malware, the app remained on the Play Store for five months after its launch in March. During this time, only 20 victims opted to leave negative reviews, allowing the perpetrators to flood the app’s listing with positive feedback, thus overshadowing the complaints. Ultimately, the fraudulent app resulted in approximately ,000 in stolen cryptocurrency before its removal from the Play Store. Users who installed WalletConnect are strongly advised to uninstall it immediately.

AppWizard