Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign

Sep 28, 2024 | Ravie Lakshmanan | Cryptocurrency / Mobile Security

Malicious App Targets Cryptocurrency Users

Cybersecurity researchers have uncovered a malicious Android application on the Google Play Store that siphoned roughly $70,000 in cryptocurrency from unsuspecting users over a span of nearly five months. The app, which impersonated the legitimate open-source WalletConnect protocol, was identified by Check Point.

The app owed its reach to fake reviews and consistent branding, which earned it a high ranking in search results and more than 10,000 downloads. It is also the first recorded instance of a cryptocurrency drainer specifically targeting mobile device users.

Approximately 150 users are believed to have been affected, although not everyone who downloaded the app was drained. The malicious app operated under various names, including “Mestox Calculator,” “WalletConnect – DeFi & NFTs,” and “WalletConnect – Airdrop Wallet” (co.median.android.rxqnqb).

While the app has since been removed from the official app marketplace, data from Sensor Tower indicates it was most popular in Nigeria, Portugal, and Ukraine, and ties it to a developer known as UNS LIS. The same developer has been linked to another app, “Uniswap DeFI” (com.lis.uniswapconverter), which was briefly available on the Play Store between May and June 2023. Whether this second app was also malicious is not known.

Both applications can still be obtained from third-party app stores, underscoring the risk of installing APK files from unofficial sources. Once installed, the counterfeit WalletConnect app redirects users to a fraudulent website selected on the basis of their IP address and User-Agent string. Visitors who do not match the targeting criteria, for example those arriving from a desktop browser, are sent to a legitimate website instead, which is how the app evaded detection and the Play Store review process.

The core of the malware is a cryptocurrency drainer known as MS Drainer, which prompts users to connect their wallets and authorize several transactions. Each piece of information entered by the victim is sent to a command-and-control server (cakeserver[.]online), which then issues instructions to execute malicious transactions and transfer funds to the attackers’ wallet.

Researchers from Check Point explained, “Similar to the theft of native cryptocurrency, the malicious app first tricks the user into signing a transaction in their wallet.” That transaction is a token approval: it grants the attackers' address an allowance to withdraw the maximum amount of the specified asset that the token's smart contract permits.

Tokens are then transferred from the victim's wallet to one controlled by the attackers (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1). Because the approval persists on-chain until it is revoked, victims who do not revoke it remain exposed: the attackers can keep withdrawing the asset as new balances arrive, with no further action required from the victim.
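The mechanics described in the two paragraphs above, as an added illustration (this is not Check Point's or WalletConnect's code, and the page does not reproduce the drainer's transactions): the first half decodes the calldata of the transaction a wallet asks the user to sign and flags an unlimited ERC-20 `approve` to a spender the user does not trust; the second half is a toy token ledger showing why one such approval lets the attacker call `transferFrom` repeatedly, including after a new deposit, until the allowance is set back to zero. The four-byte selectors are the standard ERC-20 ones; the spender address is the attacker wallet the page reports; the victim address, balances and the `Token` class are constructed for the example.

```python
"""ERC-20 approval drain: decode a signing request, then simulate the drain (added example)."""

UINT256_MAX = 2**256 - 1
# Attacker-controlled wallet reported on this page; everything else below is constructed.
ATTACKER = "0xfac247a19cc49dba87130336d3fd8dc8b6b944e1"

# Standard ERC-20 selectors: first 4 bytes of keccak256 of the canonical signature.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
}


def encode_call(selector: str, *args) -> str:
    """ABI-encode static arguments (hex address or int) behind a 4-byte selector."""
    data = bytes.fromhex(selector)
    for a in args:
        if isinstance(a, str):
            data += bytes.fromhex(a[2:]).rjust(32, b"\x00")  # address: 20 bytes, left-padded
        else:
            data += int(a).to_bytes(32, "big")                # uint256: 32-byte big-endian
    return "0x" + data.hex()


def decode_call(calldata: str) -> dict:
    """Parse selector and static arguments; reject malformed or padded-with-junk input."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(raw) < 4:
        raise ValueError("calldata shorter than a selector")
    entry = SELECTORS.get(raw[:4].hex())
    if entry is None:
        return {"function": "unknown", "selector": raw[:4].hex(), "args": []}
    name, types = entry
    body = raw[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name}: expected {32 * len(types)} argument bytes, got {len(body)}")
    args = []
    for i, t in enumerate(types):
        word = body[32 * i: 32 * (i + 1)]
        if t == "address":
            if any(word[:12]):
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "args": args}


def assess(calldata: str, trusted_spenders=()) -> str:
    """Classify a signing request as REJECT / WARN / OK with a one-line reason."""
    trusted = {s.lower() for s in trusted_spenders}
    d = decode_call(calldata)
    if d["function"] == "approve":
        spender, amount = d["args"]
        if amount == UINT256_MAX and spender not in trusted:
            return f"REJECT: unlimited approval to untrusted spender {spender}"
        if spender not in trusted:
            return f"WARN: approval of {amount} to untrusted spender {spender}"
        return "OK: approval to trusted spender"
    if d["function"] == "transferFrom":
        return "WARN: spends an existing allowance"
    return f"OK: {d['function']}"


class Token:
    """Minimal ERC-20 semantics: balances plus (owner, spender) -> allowance."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount  # overwrites; 0 revokes

    def transfer_from(self, caller, src, dst, amount):
        allowed = self.allowance.get((src, caller), 0)
        if allowed < amount or self.balances.get(src, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:  # common implementations skip decrementing the max allowance
            self.allowance[(src, caller)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def drain_demo():
    """One signed approval; attacker drains now and again after a deposit, until revoked."""
    victim = "0xvictim"  # placeholder ledger key, not a real address
    t = Token({victim: 1000})
    t.approve(victim, ATTACKER, UINT256_MAX)                  # the transaction the victim signed
    t.transfer_from(ATTACKER, victim, ATTACKER, 1000)         # drained without further consent
    t.balances[victim] += 500                                 # victim later deposits more
    t.transfer_from(ATTACKER, victim, ATTACKER, 500)          # drained again
    t.balances[victim] += 100
    t.approve(victim, ATTACKER, 0)                            # revocation
    try:
        t.transfer_from(ATTACKER, victim, ATTACKER, 1)
        blocked = False
    except PermissionError:
        blocked = True
    return t.balances[ATTACKER], t.balances[victim], blocked  # (1500, 100, True)
```

The practical check is `assess()`: a wallet prompt that decodes to `approve(<unknown address>, 2**256-1)` is the signature of this drain, regardless of what the dApp's front end claims the button does. Revocation is itself an `approve` of zero to the same spender, which is what `drain_demo()` uses to stop further `transferFrom` calls.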

Check Point has also identified another malicious app, “Walletconnect | Web3Inbox” (co.median.android.kaebpq), which was previously available on the Google Play Store in February 2024 and attracted over 5,000 downloads. This incident serves as a stark reminder of the increasing sophistication of cybercriminal tactics, particularly within the decentralized finance sector, where users often depend on third-party tools and protocols to manage their digital assets.

The app's approach departed from traditional mobile attack methods such as permission abuse or keylogging. Instead, it relied on smart-contract approvals and deep links to drain assets quietly once users had been lured into using it.

