Cybersecurity Experts Uncover Malicious Crypto App on Google Play Store

CyberSecureFox 🦊

Cybersecurity researchers at Check Point have uncovered a sophisticated cryptocurrency theft operation masquerading as a legitimate Web3 tool on the Google Play Store. The malicious app, which impersonated the popular WalletConnect protocol, managed to accumulate over 10,000 downloads during its five-month presence on the official Android app marketplace.

The Deceptive Nature of the Fake WalletConnect App

The fraudulent application, operating under the name “WallConnect,” presented itself as a Web3 tool capable of serving as a proxy between cryptocurrency wallets and decentralized applications (dApps). The name traded on users’ confusion about the genuine WalletConnect project, an open-source bridging protocol that offers similar functionality but is not a standalone wallet app.

Check Point researchers explained, “Given the complexities surrounding WalletConnect, inexperienced users might conclude that it’s a separate wallet app requiring download and installation. Cybercriminals capitalize on this confusion, anticipating that users will search for a WalletConnect app in app stores.”

Malware Evolution and Distribution Strategy

The malicious app (package name: co.median.android.rxqnqb) first appeared on Google Play in March 2023 under the name “Mestox Calculator,” mimicking an open-source project called CalcDiverse. Subsequently, it underwent multiple name changes and rapidly boosted its ratings through fake user reviews, effectively attracting more attention and potential victims.

Interestingly, the app was built with the median.co service, which wraps an existing website in an Android or iOS application. As a result, WallConnect was essentially a thin browser shell that simply opened a website chosen by the operators.

Sophisticated Theft Mechanism

Upon installation, WallConnect directed users to a malicious site impersonating Web3Inbox. There, victims were prompted to authorize several transactions, leading to the theft of sensitive information about their cryptocurrency wallets and digital assets.

The landing site used geolocation- and client-based cloaking to evade detection: visitors whose IP address placed them in certain countries, or whose HTTP User-Agent header did not identify a mobile browser, were redirected to a legitimate resource instead of the phishing page.
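Cloaking of this kind is only visible when the same URL is fetched under several client profiles and the destinations are compared. The following Python script is an added illustration of that analyst-side check; it is not Check Point's tooling and is not from the original article. The landing hostname, the `simulated_fetcher` stand-in and the country/User-Agent combinations are constructed assumptions; for a live investigation the fetcher would be replaced with real HTTP requests issued from geographically distinct egress points.

```python
"""Cloaking probe: fetch one URL under several client profiles and flag
divergent redirect destinations. Added example, not the article's code."""
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Probe:
    label: str
    user_agent: str
    country: str  # assumed to be realised via the egress IP's geolocation


MOBILE_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36")
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")

# Constructed probe matrix: vary both dimensions the article says were checked.
PROBES: List[Probe] = [
    Probe("android-US", MOBILE_UA, "US"),
    Probe("android-RU", MOBILE_UA, "RU"),
    Probe("desktop-US", DESKTOP_UA, "US"),
]

# A fetcher returns the final URL reached after following redirects.
Fetcher = Callable[[str, str, str], str]


def probe_cloaking(url: str, fetcher: Fetcher,
                   probes: List[Probe] = PROBES) -> Dict[str, object]:
    """Fetch `url` once per probe and report whether destinations diverge.

    A site that sends different client profiles to different hosts is
    treated as cloaked; one destination for every profile is not.
    """
    destinations = {p.label: fetcher(url, p.user_agent, p.country)
                    for p in probes}
    hosts = {urlsplit(dest).netloc for dest in destinations.values()}
    return {
        "destinations": destinations,
        "hosts": sorted(hosts),
        "cloaked": len(hosts) > 1,
    }


def simulated_fetcher(url: str, user_agent: str, country: str) -> str:
    """Constructed stand-in reproducing the behaviour described above:
    non-mobile clients and selected countries land on a benign page, all
    other visitors on the phishing page. Hostnames are placeholders."""
    if country in {"RU", "BY"} or "Mobile" not in user_agent:
        return "https://legitimate.example/"
    return "https://phish.example/inbox"


if __name__ == "__main__":
    # Hypothetical landing URL; nothing here is an indicator from the report.
    report = probe_cloaking("https://landing.example/", simulated_fetcher)
    for label, dest in report["destinations"].items():
        print(f"{label:12s} -> {dest}")
    print("cloaked:", report["cloaked"])
```

The useful signal is the disagreement between profiles, not any single response: a reviewer who only fetches the page from a desktop workstation in an excluded region sees the benign redirect and never reaches the phishing content. Running the matrix and diffing the destinations is what surfaces the behaviour.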

MS Drainer: A Cutting-Edge Crypto Theft Tool

Further analysis of the malware’s code identified it as MS Drainer, one of the most advanced cryptocurrency theft toolkits currently available on the black market. This malware supports a wide range of EVM blockchains, including Ethereum, BNB Smart Chain, Polygon, Avalanche, Arbitrum, Fantom, and Optimism.

MS Drainer’s distinctive features include:

  • Advanced asset detection capabilities
  • Utilization of reliable providers like DeBank, Ankr, Zapper, and OpenSea for wallet scanning
  • Automatic extraction of valuable assets
  • Prioritization of higher-value tokens during theft

Impact and Victim Analysis

During its five-month availability on the Google Play Store, the malicious app was downloaded approximately 10,000 times. Check Point analysts report that at least 150 victims fell prey to WallConnect, losing digital assets worth over $70,000 in cryptocurrency. Surprisingly, only 20 users left negative reviews about the app in the Google Play Store.

Researchers suspect that the malware operators may have artificially inflated the app’s download count, given the discrepancy between the number of victims and the reported downloads. As of now, the fake WallConnect app has been removed from the Google Play Store.

This incident serves as a stark reminder of the ongoing threats in the cryptocurrency space. Users must exercise extreme caution when downloading crypto-related apps, even from official app stores. Implementing robust security measures, such as using hardware wallets and thoroughly verifying app authenticity, is crucial in protecting digital assets from increasingly sophisticated cyber threats.
