Uninstall Now: This Android App Is Secretly Stealing Crypto

Crypto Users Targeted by Malicious Android App

In a troubling development for cryptocurrency enthusiasts, a fraudulent Android application masquerading as “WalletConnect” has emerged, successfully siphoning over ,000 from approximately 150 unsuspecting users. This alarming revelation comes from cybersecurity experts at Check Point, who have been monitoring the situation closely.

The app initially surfaced in March under the guise of “Mestox Calculator” and has since undergone several name changes, including the deceptive “WalletConnect – Crypto Wallet.” Another related malicious listing appeared in February, branded as “Walletconnect | Web3Inbox.” Check Point’s investigation suggests that the creators of the “WalletConnect – Crypto Wallet” app may have artificially inflated its reputation by generating generic five-star reviews that fail to address the app’s actual features. However, the app also attracted over 20 reviews labeling it a scam, with one user reporting a loss of 5 in Tether’s stablecoin after connecting their crypto wallet.

Although the app has been removed from the Google Play Store, users who have it installed are urged to delete it immediately. Once downloaded, the app operates as a web browser that leads users to a calculator site, serving as a ruse to avoid detection. If a user’s IP address aligns with specific criteria, they are redirected to a malicious site; otherwise, they remain on the innocuous-looking calculator page.

While the calculator site itself is not flagged as malicious by free link checkers like NordVPN, the secondary site to which users are redirected has raised red flags. According to NordVPN, this site is suspicious and likely harbors malware or unwanted applications. Check Point corroborates this assessment, noting that the malicious code can function outside the app, allowing it to evade detection and rendering the app merely a “thin client” for the crypto drainer.

The underlying malicious tool, known as MS Drainer, operates as a malware-as-a-service specifically targeting crypto wallets to pilfer victims’ funds. Check Point reports that licensing this drainer costs attackers approximately ,500, and the developers have embedded a 10% commission on stolen assets into the malicious blockchain smart contract. Crypto wallets are complex and often lack user-friendliness, which makes it easier for scammers to mislead users and execute their schemes.

In the crypto landscape, users frequently encounter the need to “sign” messages with their wallets to connect to various platforms, even when no funds are being transferred. Because such requests are routine, scammers can disguise their actions as harmless. The fraudulent app first assesses the user’s crypto holdings, targeting the most valuable assets before moving on to less valuable tokens. The inherent ambiguity of crypto transactions can further obscure the intentions behind each signature request, complicating matters for those without a background in blockchain technology.

Previously, the MS Drainer has been implicated in draining over million through phishing ads on platforms like Google and X/Twitter. The latter has been particularly notorious for hosting numerous crypto scam advertisements, often propagated by hacked verified user accounts.

Impersonation of WalletConnect is not a new phenomenon; the genuine WalletConnect platform issued warnings back in 2021 about fake apps on the Google Play Store. “WalletConnect DOES NOT have an APP,” the platform emphasized, clarifying that it operates as a protocol rather than a standalone application. WalletConnect, developed by the crypto startup Reown, facilitates connections between over 170 different crypto wallets and various applications, including trading platforms, marketplaces, and blockchain games.

As the landscape of cryptocurrency continues to evolve, vigilance remains paramount for users navigating this complex digital realm.

AppWizard