Fake crypto wallet app on Google Play steals $70K from users

A malicious crypto wallet-draining app, disguised as the WalletConnect protocol, managed to steal over $70,000 from users in five months, according to a report by IT security firm Check Point Research.

The app, available on Google Play, employed "advanced evasion techniques" to bypass detection and exclusively targeted mobile users, marking the first instance of such drainers focusing on this platform.

The fake app was first published on March 21, 2024, under the name “Mestox Calculator.”

It went undetected for months, gathering over 10,000 downloads by manipulating search rankings and posting fake reviews.

The app was able to drain funds from 150 users by prompting them to connect their wallets and grant permissions, similar to how the legitimate WalletConnect app functions.

Once connected, the app’s wallet-draining software, MS Drainer, could access and transfer users’ crypto assets.

Check Point Research explained that the app prioritised stealing higher-value tokens before moving on to cheaper ones.

The attackers used IP-based redirection to deploy the malicious code only to certain users, allowing them to pass Google Play's app review process with a harmless calculator interface.

The fake app has since been removed from the Google Play store, but the incident highlights the increasing sophistication of cybercriminal tactics in the crypto space.

Unlike traditional methods like keylogging, this app relied on smart contracts and deep links to silently drain assets from victims' wallets once they were tricked into using the app.

Check Point Research emphasised the need for stricter app verification processes on platforms like Google Play and urged crypto users to remain cautious when downloading apps.

They also called for continued education within the crypto community to raise awareness of the risks associated with Web3 technologies.

Google has yet to respond to inquiries regarding the incident.