Fake WalletConnect App Drains $70K in Crypto from Google Play

The Check Point Research (CPR) team has uncovered a malicious crypto-drainer application on Google Play, designed to steal cryptocurrency. This marks the first time a drainer has specifically targeted mobile devices. The application employed evasion techniques and remained on the store for nearly five months before being removed.

The app, named “WalletConnect – Crypto Wallet”, disguised itself as a tool for interacting with Web3 and used the name of the popular WalletConnect protocol, which connects crypto wallets to decentralized applications. Fake reviews and a recognizable brand helped it garner over 10,000 downloads, and it even appeared at the top of Google Play search results.

By leveraging social engineering and modern crypto-draining tools, the attackers managed to steal approximately $70,000 in cryptocurrency from around 150 victims.

A crypto-drainer is a malicious tool designed to steal digital assets, including NFTs and tokens from crypto wallets. It employs phishing tactics and smart contracts to exfiltrate funds. Users are often redirected to fake websites resembling legitimate platforms, where they are prompted to sign fraudulent transactions. Once the user confirms such a transaction, their assets are automatically transferred to the attackers’ accounts.

WalletConnect is an open-source protocol that facilitates secure communication between decentralized applications (dApps) and crypto wallets. However, certain issues with connecting to WalletConnect confuse users, which was exploited by the scammers. These difficulties arise because not all wallets support WalletConnect, and its incompatibility with outdated wallet versions only exacerbates the problem.

The app was developed using the median.co service, which allows a website to be converted into a mobile app. Essentially, it functioned as a browser opening a specific site. When loaded in the browser, users were presented with a simple tool called “Mestox Calculator,” which helped the app evade Google Play’s security checks.

However, the app secretly operated maliciously, redirecting users to the connectprotocol[.]app/gate/index.php resource. Under the guise of wallet verification, users were prompted to sign transactions, after which their assets were automatically transferred to the attackers’ accounts.

The MS Drainer tool used in the app supports multiple blockchains, including Ethereum, BNB Smart Chain, and Polygon, and swiftly locates victims’ assets.

To protect themselves from such threats, users must thoroughly vet apps before downloading them, and app stores should enhance their vetting procedures. Educational initiatives within the crypto community also play a pivotal role in raising awareness of the risks associated with Web3 technologies.