Check Point Research recently uncovered a crypto wallet drainer on the Google Play store that used “advanced evasion techniques” to steal over $70,000 within five months. The malicious app disguised itself as the WalletConnect protocol, a legitimate app in the crypto space used for linking wallets to decentralized finance (DeFi) applications.
In a blog post dated Sept 26, the company highlighted this as the first instance where drainers specifically targeted mobile users. The fraudulent app, aided by fake reviews and strategic branding, managed to get over 10,000 downloads, ranking high in search results. While over 150 users lost around $70,000, not everyone who downloaded the app was affected—some users did not connect a wallet, while others were not targeted by the malware.
The app first appeared on Google Play on March 21 under the name “Mestox Calculator” and underwent multiple changes while keeping up the front of a harmless calculator. This allowed the app to pass Google’s review checks, both automated and manual. Once installed, users who connected their wallets were redirected to a back-end server hosting malicious software, MS Drainer, which silently drained assets from the users’ crypto wallets.
Similar to other wallet-draining schemes, the fake WalletConnect app asked users to connect their wallets and grant permissions, allowing attackers to transfer the maximum possible value from those wallets. The app prioritized withdrawing higher-value tokens first, followed by smaller assets.
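The drainer model described above rests on token approvals: once a wallet grants a spender an allowance, the spender can move up to that allowance (or the whole balance, if the approval is unlimited), and a drainer simply works through the tokens from most to least valuable. The following added example, which is not code from the article or from Check Point Research, shows a defender-side way to reason about that exposure: given a wallet's balances, token prices and the approvals it has granted, it computes what a single spender could take and in what order. All balances, prices, token symbols and the spender address are constructed placeholder values.

```python
from decimal import Decimal

# Max uint256: the value commonly used as an "unlimited" ERC-20 allowance.
UNLIMITED = 2**256 - 1

# Constructed sample data (hypothetical, not taken from the article).
BALANCES = {
    "USDC": Decimal("1500"),
    "WETH": Decimal("0.8"),
    "SHIB": Decimal("25000000"),
}
PRICES_USD = {
    "USDC": Decimal("1"),
    "WETH": Decimal("2400"),
    "SHIB": Decimal("0.00002"),
}
# (token, spender, allowance in token units); the spender is a placeholder.
APPROVALS = [
    ("USDC", "0xSPENDER_PLACEHOLDER", UNLIMITED),
    ("WETH", "0xSPENDER_PLACEHOLDER", Decimal("0.5")),
    ("SHIB", "0xSPENDER_PLACEHOLDER", UNLIMITED),
]


def drainable_amount(balance, allowance):
    """Amount a spender can move: the full balance for an unlimited
    approval, otherwise whichever is smaller, balance or allowance."""
    if allowance == UNLIMITED:
        return balance
    return min(balance, allowance)


def exposure(balances, prices, approvals, spender):
    """List what `spender` could transfer out, most valuable token first,
    mirroring the highest-value-first ordering described for drainers."""
    rows = []
    for token, approved_spender, allowance in approvals:
        if approved_spender != spender:
            continue
        balance = balances.get(token, Decimal("0"))
        amount = drainable_amount(balance, allowance)
        rows.append({
            "token": token,
            "drainable": amount,
            "usd": amount * prices[token],
            "unlimited": allowance == UNLIMITED,
        })
    rows.sort(key=lambda r: r["usd"], reverse=True)
    return rows


def total_exposure_usd(rows):
    """Sum of the USD value a spender could drain across all tokens."""
    return sum((r["usd"] for r in rows), Decimal("0"))


def unlimited_approvals(rows):
    """Tokens where the approval is unlimited: the ones worth revoking first,
    since they expose the entire current and future balance."""
    return [r["token"] for r in rows if r["unlimited"]]


if __name__ == "__main__":
    rows = exposure(BALANCES, PRICES_USD, APPROVALS, "0xSPENDER_PLACEHOLDER")
    for r in rows:
        flag = " (UNLIMITED approval)" if r["unlimited"] else ""
        print(f'{r["token"]:>5}: {r["drainable"]} ~ ${r["usd"]}{flag}')
    print("total exposure: $", total_exposure_usd(rows))
    print("revoke first:", unlimited_approvals(rows))
```

The key point the numbers make is that exposure is bounded by min(balance, allowance), so a limited approval caps the loss while an unlimited one hands over the entire balance. Revoking unused approvals, and granting only the amount a transaction needs, shrinks what any drainer can take regardless of how it obtained the approval.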
Check Point Research emphasized that this incident reflects the increasing sophistication of cybercriminal tactics. Instead of relying on common attacks like keylogging, this malware used smart contracts and deep links to execute its theft quietly.
The researchers urged users to be cautious when downloading apps, even those that appear legitimate. They also called on app stores to enhance their verification processes to prevent such malicious apps from being listed. Lastly, they stressed the importance of educating the crypto community about the risks associated with Web3 technologies to help prevent similar incidents.