Victims lose $70K to one single wallet-draining app on Google's Play Store

Attackers got 10K people to download 'trusted' web3 brand cheat before Mountain View intervened

The latest in a long line of cryptocurrency wallet-draining attacks has stolen $70,000 from people who downloaded a dodgy app in a single campaign researchers describe as a world-first.

A fraudulent app targeted web3 users on Google's Play Store, piggybacking on the name and reputation of the legitimate WalletConnect protocol, which is used for connecting decentralized applications and wallets. WalletConnect itself has no official app on the Play Store.

Investigators at Check Point Research (CPR) said the app, which is called WalletConnect and used the open source project's official logo in the app tile image, is the first drainer of its kind to target mobile users exclusively.

We can help you

The attackers behind the app clearly knew their market well. They understood that common issues encountered by those who use the real WalletConnect protocol include version compatibility and the lack of universal support for the protocol by commonly used wallets. 

The fraudulent app marketed itself as an easy solution to these problems, CPR said, and without an official app on the Play Store, combined with the flurry of fake reviews speaking to its effectiveness, it was poised to fool a fair few users. More than 10,000 of them, in fact.

That's not to say each of those downloads led to them being victimized. Far from it, in reality. CPR verified transactions linked to more than 150 addresses, suggesting that was the number of individuals who had their wallets raided.

Once the app was downloaded, victims were prompted to link their wallets filled with cryptocurrencies, under the assumption that it was trustworthy and would allow smoother, secure access to supported web3 applications.

Infographic representation of the attack chain - courtesy of Check Point Research

They were then instructed to authorize various transactions after selecting their wallet. Selecting the wallet triggered the app to direct the victim to a malicious website that would capture details about the wallet itself, the blockchain, and known addresses. 

Exploiting the mechanics of smart contracts allowed the attackers to authorize transfers of tokens from the victim's wallet into their own, prioritizing the transfer of more valuable cryptocurrency tokens over the less valuable kinds.
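The "authorize various transactions" step described above is, in drainers of this type, typically an ERC-20 approve() the victim is tricked into signing, which the attacker later cashes in with transferFrom(). The following is an added example, not code from the article or from Check Point Research; it assumes an approve()-based drainer and uses constructed Ethereum-style event logs with placeholder addresses to show how a defender can scan a wallet's Approval events for allowances granted to unknown spenders (unlimited ones especially) and build the approve(spender, 0) call that revokes them.

```python
# Standard ERC-20 event topics (keccak256 of the event signatures).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UINT256_MAX = 2**256 - 1

def _addr(topic_hex: str) -> str:
    # Indexed address topics are left-padded to 32 bytes; the address is the low 20.
    return "0x" + topic_hex[-40:].lower()

def risky_approvals(logs, owner, trusted_spenders):
    """Approval events in which `owner` granted an allowance to a spender that is
    not on the trusted list. Each finding records whether the allowance is the
    uint256 maximum, i.e. 'unlimited', the grant a drainer typically asks for."""
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue                      # not an ERC-20 Approval event
        if _addr(topics[1]) != owner.lower():
            continue                      # someone else's allowance
        spender = _addr(topics[2])
        allowance = int(log["data"], 16)  # the non-indexed uint256 value
        if spender in trusted or allowance == 0:
            continue                      # known spender, or a revocation
        findings.append({"token": log["address"].lower(), "spender": spender,
                         "allowance": allowance, "unlimited": allowance == UINT256_MAX})
    return findings

def revoke_calldata(spender: str) -> str:
    """ABI-encoded approve(spender, 0): the standard way to revoke an allowance."""
    return "0x095ea7b3" + spender[2:].lower().rjust(64, "0") + "0" * 64

# Constructed sample data: placeholder addresses and hand-built logs, not real chain data.
OWNER = "0x1111111111111111111111111111111111111111"
DRAINER = "0x2222222222222222222222222222222222222222"
ROUTER = "0x3333333333333333333333333333333333333333"
TOKEN = "0x4444444444444444444444444444444444444444"
def _topic(addr): return "0x" + addr[2:].lower().rjust(64, "0")
SAMPLE_LOGS = [  # unlimited grant to the unknown spender; small grant to a trusted one; a Transfer
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(DRAINER)], "data": "0x" + "f" * 64},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(ROUTER)], "data": "0x" + "a".rjust(64, "0")},
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, _topic(OWNER), _topic(DRAINER)], "data": "0x" + "64".rjust(64, "0")},
]
```

With the sample logs, `risky_approvals(SAMPLE_LOGS, OWNER, [ROUTER])` returns only the unlimited grant to the unknown spender, and `revoke_calldata` gives the transaction data a wallet would sign to set that allowance back to zero.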

Of the total 150 or so victims of the app, CPR noted that only 20 bothered to leave a negative review on the Play Store – apathy that allowed the miscreants behind it the chance to post ample fake positive reviews, drowning out the victims' voices.

Launched in March, the app's true purpose wasn't detected by the powers that be until five months later, at which point it was promptly removed from the Play Store.

Alexander Chailytko, cybersecurity, research, and innovation manager at CPR, said: "This incident is a wake-up call for the entire digital asset community as the emergence of the first mobile crypto drainer app on Google Play marks a significant escalation in the tactics used by cybercriminals and the rapidly evolving landscape of cyber threats in decentralized finance. 

"This research highlights the critical need for advanced, AI-driven security solutions that can detect and prevent such sophisticated threats. It's essential that both users and developers stay informed and take proactive measures to secure their digital assets."

Despite Google claiming to have a rigorous vetting process before apps become available to Android users, we still regularly hear about naughty ones making their way onto devices.

The ability to side-load apps onto Android phones plays a big role in this though.

Just this week, in fact, Kaspersky exposed a campaign that saw 11 million Android users, by its estimations, download applications secretly loaded with Necro malware which stole money from users via phony subscription charges.

Responding to the findings, a Google spokesperson said: "All of the malicious versions of the apps identified by this report were removed from Google Play prior to report publication. 

"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play." ®
