According to Cointelegraph, IT security firm Check Point Research has identified a crypto wallet drainer app that used advanced evasion techniques on the Google Play store, resulting in the theft of over $70,000 in five months. The malicious app masqueraded as the WalletConnect protocol, a well-known application in the crypto space that connects various crypto wallets to decentralized finance (DeFi) applications.
In a blog post dated September 26, Check Point Research noted that this incident marks the first time drainers have exclusively targeted mobile users. The app achieved over 10,000 downloads by ranking high in search results, aided by fake reviews and consistent branding. However, not all users were targeted; some did not connect a wallet or recognized the scam, while others may not have met the malware’s specific targeting criteria.
The fake app was available on Google’s app store from March 21 and remained undetected for over five months due to its advanced evasion techniques. Initially published under the name “Mestox Calculator,” the app’s name changed several times, but its application URL continued to point to a seemingly harmless website with a calculator. This tactic allowed the app to pass Google Play’s review process, as automated and manual checks would load the harmless calculator application. Depending on the user’s IP address location and device type, the user was instead redirected to the malicious back-end hosting the wallet-draining software MS Drainer.
The spoofed WalletConnect app prompted users to connect a wallet, a request that would not have seemed suspicious given the real app’s functionality. Users were then asked to accept various permissions to “verify their wallet,” which granted the attacker’s address permission to transfer the maximum amount of the specified asset. The application retrieved the value of all assets in the victim’s wallets, attempting to withdraw the more expensive tokens first, followed by the cheaper ones.
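As an added illustration of the “verify your wallet” step described above (not code from Check Point’s report or from Cointelegraph), the Python below inspects an ERC-20 `approve()` call for the pattern a wallet or browser extension could warn about: an unlimited allowance granted to a spender the user has never approved before. The sample calldata and spender address are constructed placeholders, and the trusted-spender list is an assumed user-maintained allowlist.

```python
"""Flag ERC-20 approve() calls that grant an unlimited allowance to an
unexpected spender, the permission a drainer needs to sweep a token."""

# Function selector: first 4 bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = (1 << 256) - 1


def decode_approve(calldata: str):
    """Return (spender, amount) if calldata is an ERC-20 approve call, else None."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64]   # address is right-aligned in a 32-byte word
    amount = int(data[8 + 64:], 16)
    return spender, amount


def assess_approval(calldata: str, trusted_spenders: set[str]) -> dict:
    """Classify an approve call: unlimited allowance to an unknown spender is high risk."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return {"kind": "not_approve", "risk": "none"}
    spender, amount = decoded
    unlimited = amount == MAX_UINT256
    known = spender in {s.lower() for s in trusted_spenders}
    if unlimited and not known:
        risk = "high"       # exactly what a drainer asks for under a "verify wallet" prompt
    elif unlimited or not known:
        risk = "medium"
    else:
        risk = "low"
    return {"kind": "approve", "spender": spender, "amount": amount,
            "unlimited": unlimited, "known_spender": known, "risk": risk}


# Constructed sample: approve(spender, 2**256 - 1) to a placeholder spender address.
SAMPLE_SPENDER = "0x" + "ab" * 20   # placeholder, not a real address
SAMPLE_UNLIMITED_APPROVE = (
    "0x" + APPROVE_SELECTOR + SAMPLE_SPENDER[2:].rjust(64, "0") + "f" * 64
)

if __name__ == "__main__":
    print(assess_approval(SAMPLE_UNLIMITED_APPROVE, trusted_spenders=set()))
```

Spender allowlists only help if they are populated from contracts the user has verified out of band; a drainer’s contract will never be on one.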
Check Point Research emphasized the growing sophistication of cybercriminal tactics, noting that the malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app. The researchers urged users to be cautious about the applications they download, even if they appear legitimate, and called for app stores to improve their verification processes to prevent malicious apps. They also stressed the importance of educating the crypto community about the risks associated with Web3 technologies, as even seemingly innocuous interactions can lead to significant financial losses.
Google did not immediately respond to a request for comment.