Crypto Wallet Drainer App Identified in Google Play Store: Report
A report from Check Point Research (CPR) revealed a crypto wallet-emptying app on the Google Play Store, masquerading as the popular WalletConnect app. CPR found that the app used “sophisticated evasion techniques” to steal $70,000 (approximately Rs. 58.6 lakh) from unsuspecting users over five months. The malicious app, named “MS Drainer” after an analysis of the JavaScript code, is part of a growing trend of increasingly sophisticated crypto scams. Recent FBI reports also warn that cybercriminals have become more efficient at carrying out global attacks.
“Check Point Research (CPR) has discovered a malicious app in the Google Play Store designed to steal cryptocurrency, marking the first time a drainer has targeted exclusively mobile device users. To pose as a legitimate tool for Web3 apps, the attackers misused the trusted name of the WalletConnect protocol, which connects crypto wallets to decentralized apps,” the report said.
The fake app, which has since been removed, reached more than 10,000 downloads. It ranked at the top of Google Play search results for ‘WalletConnect’, helped by a set of positive reviews that the CPR report flagged as fake.
What is WalletConnect
WalletConnect is an open-source protocol that connects decentralized apps (dApps) to crypto wallets via QR codes, allowing users to interact with blockchain-based apps without revealing their private keys.
According to Check Point Research (CPR), the fake app mimicked the look and feel of WalletConnect and was built with the web-to-app service Median.co. It was first published on the Google Play Store on March 21, 2024 under the name “Mestox Calculator” and has been renamed several times since.
“An inexperienced user might conclude that it is a separate wallet application that needs to be downloaded and installed. Attackers are hijacking the confusion, hoping that users will search the application store for a WalletConnect app,” the report said.
WalletConnect’s X handle acknowledged the incident in a post to its followers.
The WalletConnect Foundation is aware of a recent scam where bad actors developed a malicious app that misused the name WalletConnect and was available in the Google Play Store. The app has been removed from the Google Play Store. The Foundation reminds everyone that there is no…
— WalletConnect (@WalletConnect) September 29, 2024
How did WalletConnect’s malicious dupe work?
Once installed, the fake app immediately prompted users to connect their crypto wallets. Tapping a wallet button opened a malicious website through a deep link. Under the pretext of verifying the wallet, the site asked users to approve a series of transactions in succession; each approval in fact authorized the fraudulent transfers that drained the wallet.
“We assume that users install this malicious app to connect their wallets to Web3 applications that do not support direct connections to wallets such as MetaMask, Binance Wallet or Trust Wallet, but only use the WalletConnect protocol. They probably expect the downloaded WalletConnect app to function as some kind of proxy. Therefore, the connection request does not appear suspicious,” the report said.
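The two paragraphs above describe the mechanism but not what the "verification" transactions actually ask for. The following is an added example, not code from the CPR report, the fake app, or WalletConnect: a pre-signing check that a wallet UI, browser extension, or dApp front end could run on each `eth_sendTransaction` request before the user approves it. Because the article does not say which contract calls the drainer's website requested, the patterns it flags are an assumption based on what wallet drainers commonly ask for (an unlimited ERC-20 allowance or an NFT `setApprovalForAll` grant to an unknown spender, or a large native-coin transfer). The addresses, amounts, and the `trustedSpenders` list are constructed for the example.

```javascript
// Added example (not code from the CPR report, the fake app, or WalletConnect):
// a pre-signing check for eth_sendTransaction requests. The drainer patterns it
// looks for are an assumption about common drainer behaviour, not something the
// article states. All addresses and amounts below are made up.

// 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 / ERC-721
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155
  "a9059cbb": "transfer(address,uint256)",       // ERC-20
};
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI arguments are 32-byte words (64 hex chars) following the 8-hex-char selector.
function abiWord(data, i) {
  const w = data.slice(8 + i * 64, 8 + (i + 1) * 64);
  if (w.length !== 64) throw new Error(`calldata truncated at word ${i}`);
  return w;
}
const abiAddress = (data, i) => "0x" + abiWord(data, i).slice(24); // last 20 bytes
const abiUint = (data, i) => BigInt("0x" + abiWord(data, i));

// Analyze one transaction request. `trustedSpenders` is a Set of lowercase
// addresses the user has vetted (e.g. a known DEX router); anything else that
// asks for an allowance is reported. `maxNativeWei` caps plain value transfers.
function analyzeTx(tx, trustedSpenders = new Set(), maxNativeWei = 10n ** 17n) {
  const findings = [];
  const data = (tx.data || "0x").toLowerCase().replace(/^0x/, "");
  const value = BigInt(tx.value || "0x0");
  if (value > maxNativeWei) findings.push(`native transfer of ${value} wei`);
  if (data.length === 0) return { fn: null, findings };

  const fn = SELECTORS[data.slice(0, 8)] || null;
  try {
    if (fn === "approve(address,uint256)") {
      const spender = abiAddress(data, 0);
      const amount = abiUint(data, 1);
      if (!trustedSpenders.has(spender)) findings.push(`approve to unknown spender ${spender}`);
      if (amount === MAX_UINT256) findings.push("unlimited allowance");
    } else if (fn === "setApprovalForAll(address,bool)") {
      const operator = abiAddress(data, 0);
      if (abiUint(data, 1) !== 0n && !trustedSpenders.has(operator))
        findings.push(`setApprovalForAll to unknown operator ${operator}`);
    } else if (fn === "transfer(address,uint256)") {
      // A token transfer the user did not initiate is the theft itself.
      findings.push(`token transfer of ${abiUint(data, 1)} to ${abiAddress(data, 0)}`);
    } else {
      findings.push(`unrecognized selector 0x${data.slice(0, 8)}`);
    }
  } catch (e) {
    findings.push(e.message); // malformed calldata is itself suspicious
  }
  return { fn, findings };
}

// Run the check over a batch, as a "verify your wallet" page would send them,
// and return only the requests that raised findings.
function flagBatch(txs, trustedSpenders) {
  return txs
    .map((tx, i) => ({ index: i, ...analyzeTx(tx, trustedSpenders) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample requests (addresses and amounts are made up):
const TOKEN = "0x" + "11".repeat(20);
const ATTACKER = "0x" + "22".repeat(20);
const VETTED = "0x" + "44".repeat(20);
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const SAMPLE_REQUESTS = [
  // 1. approve(ATTACKER, 2**256-1) on TOKEN: unlimited allowance to an unknown spender
  { to: TOKEN, value: "0x0", data: "0x095ea7b3" + pad(ATTACKER) + "f".repeat(64) },
  // 2. setApprovalForAll(ATTACKER, true) on an NFT contract
  { to: "0x" + "33".repeat(20), value: "0x0", data: "0xa22cb465" + pad(ATTACKER) + pad("0x1") },
  // 3. plain native transfer of 0.5 ETH (5e17 wei) to ATTACKER
  { to: ATTACKER, value: "0x" + (5n * 10n ** 17n).toString(16), data: "0x" },
  // 4. a benign 100-unit allowance to a spender the user has vetted
  { to: TOKEN, value: "0x0", data: "0x095ea7b3" + pad(VETTED) + pad("0x64") },
];
const TRUSTED = new Set([VETTED]);

if (typeof require !== "undefined" && require.main === module) {
  for (const r of flagBatch(SAMPLE_REQUESTS, TRUSTED)) console.log(r.index, r.fn, r.findings);
}
```

On the constructed batch, requests 1 to 3 are flagged and the vetted 100-unit allowance passes. The check is deliberately conservative: it does not try to decode every ABI, and any selector it does not know, or calldata too short to hold the declared arguments, is reported rather than silently allowed, since a site that wants a signature on something it will not explain is exactly the pattern the article describes.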
CPR said in its report that incidents like this highlight the increasingly sophisticated techniques used to target the crypto sector, which is currently valued at $2.27 trillion (approximately Rs. 1,90,20,364 crore). The researchers strongly advised users to remain vigilant about the applications they download, even when those apps appear legitimate.
In 2023, a Sophos report stated that crypto scammers have been fishing for victims on Android systems using AI tools. It was also found that crypto fraudsters were abusing ads on Google Search to promote scam websites.