
CPR Exposes Malicious WalletConnect App That Drained Cryptocurrency From Thousands of Users

CPR uncovered a malicious app on Google Play, the official Android app store, which masqueraded as a legitimate application associated with WalletConnect

CPR uncovered a malicious app on Google Play, the official Android app store. The app masqueraded as a legitimate application associated with WalletConnect, a popular Web3 protocol.

Check Point Research (CPR) highlights a concerning trend: the emergence of crypto drainers targeting mobile devices. Attackers seek to capitalize on the increasing use of mobile devices for cryptocurrency transactions.

Fake WalletConnect App

WalletConnect bridges decentralized applications (dApps) and cryptocurrency wallets, enabling users to interact with dApps securely from their mobile devices.

The protocol employs QR codes or deep links to establish communication between the dApp and the wallet, ensuring that sensitive information, such as private keys, is never exposed to the dApp. This design has made WalletConnect an integral part of the decentralized finance (DeFi) ecosystem, facilitating seamless and secure transactions.

However, the malicious actors behind the app discovered by CPR exploited the trust associated with WalletConnect to deceive unsuspecting users. Initially published under the guise of a harmless utility called “Mestox Calculator,” the app employed a range of evasion techniques to bypass Google Play’s security checks.

During the app review process, both automated and manual checks would have loaded a benign calculator application, concealing the app’s true malicious nature.

Once installed on a user’s device, the app would redirect the user to a malicious website designed to mimic the legitimate WalletConnect platform. This redirection was contingent on various factors, including the user’s IP address and User-Agent (the string a browser sends to identify itself and the operating system), so reviewers and analysts would not be shown the phishing page.

The dynamic redirection technique allows attackers to serve different content to different users, further complicating detection and analysis.
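Client-dependent redirection of this kind is visible when the same URL is fetched with several client profiles and the outcomes are compared. The following is an added example written for this article, not code from CPR or from the app analysed; `fetch_profile` shows how live probes would be collected, while the `Probe` records used in the demo are constructed sample data and the `example.invalid` hostnames are placeholders.

```python
"""Detect User-Agent / client-dependent redirection ("cloaking").

Added example, not code from the CPR report. The behaviour described in the
article (only certain clients are sent to the phishing page) is detected by
fetching one URL with several client profiles and comparing where each request
ends up and what content it receives.
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, Iterable, List
from urllib.request import Request, urlopen

# Client profiles a reviewer would probe with (constructed UA strings): a desktop
# browser like an app-store reviewer might use, a crawler, and a real handset.
PROFILES = {
    "desktop-chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "crawler": "Googlebot/2.1 (+http://www.google.com/bot.html)",
    "android-webview": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36",
}


@dataclass(frozen=True)
class Probe:
    profile: str          # key into PROFILES
    requested_url: str
    final_url: str        # URL after following HTTP redirects
    body_digest: str      # sha256 of the body, so content is compared, not raw bytes


def fetch_profile(url: str, profile: str, timeout: float = 10.0) -> Probe:
    """Fetch `url` once with the given profile's User-Agent and record the outcome.

    Network helper only; the offline demo below uses constructed Probe records.
    urlopen follows redirects, so resp.geturl() is the landing URL.
    """
    req = Request(url, headers={"User-Agent": PROFILES[profile]})
    with urlopen(req, timeout=timeout) as resp:
        body = resp.read()
        return Probe(profile, url, resp.geturl(), sha256(body).hexdigest())


def detect_cloaking(probes: Iterable[Probe]) -> Dict[str, dict]:
    """Group probes by requested URL and flag any URL whose destination or
    content differs between client profiles.

    Returns {requested_url: {"cloaked": bool, "destinations": {final_url: [profiles]}}}.
    """
    by_url: Dict[str, List[Probe]] = {}
    for p in probes:
        by_url.setdefault(p.requested_url, []).append(p)

    report: Dict[str, dict] = {}
    for url, group in by_url.items():
        destinations: Dict[str, List[str]] = {}
        digests = set()
        for p in group:
            destinations.setdefault(p.final_url, []).append(p.profile)
            digests.add(p.body_digest)
        # Either a differing landing URL or differing content for the same URL
        # means the server is deciding what to serve based on the client.
        report[url] = {
            "cloaked": len(destinations) > 1 or len(digests) > 1,
            "destinations": destinations,
        }
    return report


# Constructed sample: the desktop and crawler profiles see a calculator page,
# the handset profile is redirected to a wallet-connect lookalike.
LANDING = "https://landing.example.invalid/"
SAMPLE_PROBES = [
    Probe("desktop-chrome", LANDING, LANDING, sha256(b"<html>calculator</html>").hexdigest()),
    Probe("crawler", LANDING, LANDING, sha256(b"<html>calculator</html>").hexdigest()),
    Probe("android-webview", LANDING, "https://wallet-phish.example.invalid/connect",
          sha256(b"<html>connect your wallet</html>").hexdigest()),
]


def main() -> None:
    for url, result in detect_cloaking(SAMPLE_PROBES).items():
        verdict = "CLOAKED" if result["cloaked"] else "consistent"
        print(f"{url}: {verdict}")
        for dest, profiles in result["destinations"].items():
            print(f"  {', '.join(profiles)} -> {dest}")


if __name__ == "__main__":
    main()
```

Probing from a single vantage point only covers the User-Agent half of the check; since the article notes the redirect also depended on IP address, the same probes should be repeated from a residential or mobile network as well as from a datacenter address, with the `Probe.profile` label extended to record the vantage point.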

CPR Exposes Malicious Crypto Drainer Tactics

Upon accessing the malicious website, users were presented with a seemingly authentic WalletConnect interface. However, any interaction with this interface would trigger a series of malicious transactions, ultimately draining the user’s cryptocurrency wallet.

The attackers behind this campaign employed social engineering tactics to manipulate users into authorizing these transactions, often by displaying misleading information or creating a sense of urgency.
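The transactions a drainer asks the victim to authorize are typically token approvals rather than plain transfers, so a wallet (or a user inspecting a signing request) can catch the pattern by decoding the calldata before anything is signed. The following pre-signing check is an added example for this article, not code from CPR, WalletConnect or any wallet. The function selectors are the standard ERC-20 / ERC-721 ones; the trusted-spender list, the `encode_call` helper and the sample transactions are constructed for the example, and the `0xab…ab` / `0x11…11` addresses are placeholders.

```python
"""Flag wallet-draining approval patterns in EVM transaction calldata.

Added example, not code from CPR or WalletConnect. Decodes the function
selector and ABI-encoded arguments of common token calls and rates the risk of
signing them, so that "approve everything to an unknown address" is surfaced
before the user confirms.
"""
from typing import Dict, List, Optional, Set, Tuple

UINT256_MAX = (1 << 256) - 1

# Standard ERC-20 / ERC-721 selectors: first 4 bytes of keccak256(signature).
SELECTORS: Dict[bytes, Tuple[str, Tuple[str, ...]]] = {
    bytes.fromhex("095ea7b3"): ("approve", ("address", "uint256")),
    bytes.fromhex("39509351"): ("increaseAllowance", ("address", "uint256")),
    bytes.fromhex("a22cb465"): ("setApprovalForAll", ("address", "bool")),
    bytes.fromhex("a9059cbb"): ("transfer", ("address", "uint256")),
    bytes.fromhex("23b872dd"): ("transferFrom", ("address", "address", "uint256")),
}


def decode_calldata(calldata: str) -> Optional[Tuple[str, List[object]]]:
    """Return (function_name, [args]) for a known selector, or None if unknown."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4:
        return None
    entry = SELECTORS.get(data[:4])
    if entry is None:
        return None
    name, types = entry
    # Static ABI arguments are 32-byte words following the selector.
    words = [data[4 + 32 * i: 4 + 32 * (i + 1)] for i in range(len(types))]
    if any(len(w) != 32 for w in words):
        raise ValueError("calldata too short for the declared arguments")
    args: List[object] = []
    for typ, word in zip(types, words):
        if typ == "address":
            args.append("0x" + word[12:].hex())       # address is right-aligned in the word
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif typ == "bool":
            args.append(word[-1] != 0)
    return name, args


def assess(calldata: str, trusted_spenders: Set[str]) -> dict:
    """Rate the risk of signing `calldata`. Spenders/operators not in
    `trusted_spenders` (lower-cased 0x addresses) are treated as unknown."""
    decoded = decode_calldata(calldata)
    if decoded is None:
        return {"function": None, "risk": "unknown",
                "reason": "unrecognized selector; decode against the contract ABI before signing"}
    name, args = decoded
    trusted = {a.lower() for a in trusted_spenders}
    result = {"function": name, "args": args, "risk": "low", "reason": "recipient or spender is trusted"}

    if name in ("approve", "increaseAllowance"):
        spender, amount = args
        if spender.lower() not in trusted:
            if amount == UINT256_MAX:
                result.update(risk="high", reason=f"unlimited token allowance granted to unknown spender {spender}")
            else:
                result.update(risk="medium", reason=f"allowance of {amount} granted to unknown spender {spender}")
    elif name == "setApprovalForAll":
        operator, approved = args
        if approved and operator.lower() not in trusted:
            result.update(risk="high", reason=f"operator {operator} gains control of every NFT in the collection")
    elif name in ("transfer", "transferFrom"):
        recipient = args[0] if name == "transfer" else args[1]
        if recipient.lower() not in trusted:
            result.update(risk="medium", reason=f"tokens leave the wallet to unknown address {recipient}")
    return result


# --- constructed helpers and sample data (not from the article) -------------
def encode_word(value) -> bytes:
    """ABI-encode one static value as a 32-byte word (bool checked before int)."""
    if isinstance(value, bool):
        return int(value).to_bytes(32, "big")
    if isinstance(value, str):
        return int(value, 16).to_bytes(32, "big")
    return int(value).to_bytes(32, "big")


def encode_call(selector_hex: str, *values) -> str:
    """Build 0x-prefixed calldata from a selector and static arguments."""
    return "0x" + selector_hex + b"".join(encode_word(v) for v in values).hex()


TRUSTED = {"0x" + "11" * 20}            # placeholder for a known, audited contract
UNKNOWN = "0x" + "ab" * 20              # placeholder for an address the user has never seen

SAMPLES = {
    "unlimited approve to unknown": encode_call("095ea7b3", UNKNOWN, UINT256_MAX),
    "approve to trusted router": encode_call("095ea7b3", "0x" + "11" * 20, 10**18),
    "setApprovalForAll to unknown": encode_call("a22cb465", UNKNOWN, True),
    "plain transfer to unknown": encode_call("a9059cbb", UNKNOWN, 5 * 10**17),
}

if __name__ == "__main__":
    for label, calldata in SAMPLES.items():
        verdict = assess(calldata, TRUSTED)
        print(f"{label}: {verdict['risk'].upper()} - {verdict['reason']}")
```

Allowance checks of this kind are most useful when combined with the contract address the call targets: an `approve` is only meaningful on a token contract, and a call that looks like an approval but targets an unverified contract deserves the same scrutiny as an unknown selector.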

The malicious WalletConnect app remained undetected on Google Play for over five months, amassing over 10,000 downloads. While not all downloads resulted in financial losses, CPR estimates that over 150 users fell victim to this scam, with total losses exceeding $70,000.

This incident underscores the importance of extreme caution when downloading and installing cryptocurrency-related applications.

Users should only download apps from trusted sources, such as official app stores, and thoroughly review an app’s permissions before granting it access to sensitive information or functionality.

Furthermore, CPR advised users to be wary of unsolicited communications, such as emails or messages, that request personal information or prompt them to click on suspicious links.

Phishing attacks often leverage social engineering techniques to exploit human vulnerabilities, tricking users into divulging sensitive information or into performing actions that compromise security.
