In a stunning breach of security, security firm Check Point Research has uncovered a sophisticated crypto wallet drainer that flew under the radar on the Google Play Store for over five months, stealing more than $70,000 from unsuspecting users. Here's how this happened and why it's a major wake-up call for mobile crypto users.
The Disguised Threat
The malicious app posed as WalletConnect, a legitimate and widely-used protocol in the crypto space that links wallets to decentralized finance (DeFi) apps. It even managed to evade detection by using advanced evasion techniques—marking the first instance of drainers specifically targeting mobile users.
How It Happened:
Fake reviews and branding helped the app climb the ranks on Google Play, securing over 10,000 downloads.
While some users weren’t affected (those who didn’t connect a wallet or spotted the scam), more than 150 victims lost approximately $70K in assets.
The attackers used a series of fake features and irrelevant reviews to build trust and distract users.
The app, which first appeared on March 21 under the innocuous name “Mestox Calculator,” underwent multiple name changes to avoid detection. All the while, its URL continued to point to a harmless calculator, helping it pass both automated and manual checks by Google Play.
The Devious Tactics:
The malicious app secretly targeted users based on their IP location and device type. If a user fit the attackers’ criteria, they were redirected to a back-end containing the wallet-draining software known as MS Drainer.
Here’s how the scam worked:
1. The faked WalletConnect app asked users to connect their crypto wallet, mimicking legitimate behavior.
2. Users were then prompted to accept permissions to “verify their wallet,” which in reality gave the scammer control to transfer the maximum amount of assets.
3. The app would scan the victim's wallet, withdrawing the most valuable tokens first.
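The "verify your wallet" step in the list above is the point where a user can still stop the theft: what the app actually asks for is a signature on a transaction that grants the attacker permission to move tokens. The following is an added defensive example, not code from the original post or from Check Point Research. It decodes the raw calldata of an ERC-20 `approve(spender, amount)` request before it is signed and flags the patterns a drainer relies on (a spender the user never chose, an unlimited allowance, or an allowance larger than the wallet holds). The spender addresses and balances are constructed placeholders; the `approve` selector is the real 4-byte ABI selector.

```javascript
// Added example: pre-signing check for an ERC-20 approval request.
// Not part of the original post or the Check Point Research report.

// First four bytes of keccak256("approve(address,uint256)"), the ERC-20 selector.
const APPROVE_SELECTOR = "0x095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode one ABI-encoded approve() call: selector + two 32-byte words.
// Returns null for any other calldata so callers can fall through.
function decodeApprove(calldata) {
  const data = calldata.toLowerCase();
  if (!data.startsWith(APPROVE_SELECTOR) || data.length !== 10 + 64 * 2) {
    return null;
  }
  // An address occupies the low 20 bytes of its 32-byte word.
  const spender = "0x" + data.slice(10 + 24, 10 + 64);
  const amount = BigInt("0x" + data.slice(10 + 64, 10 + 128));
  return { spender, amount };
}

// Assess an approval against what the user expects before signing it.
//   trustedSpenders: contracts the user intends to interact with (assumed known to the wallet)
//   balance:         the wallet's current balance of the token, in base units
function assessApproval(calldata, { trustedSpenders = [], balance = 0n } = {}) {
  const decoded = decodeApprove(calldata);
  if (!decoded) return { kind: "not-an-approval", risks: [] };
  const risks = [];
  const trusted = trustedSpenders.map((a) => a.toLowerCase());
  if (!trusted.includes(decoded.spender)) risks.push("unknown-spender");
  if (decoded.amount === MAX_UINT256) risks.push("unlimited-allowance");
  else if (decoded.amount > balance) risks.push("allowance-exceeds-balance");
  return { kind: "approve", ...decoded, risks };
}

// Constructed sample: an unlimited approval to an address the user never chose,
// the shape a drainer wants signed under the guise of "verifying" the wallet.
const DRAINER_STYLE_CALLDATA =
  "0x095ea7b3" +
  "000000000000000000000000" + "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef" +
  "f".repeat(64);

// Constructed sample: a bounded approval of 1,000 base units to a contract the
// user recognises. DEX_ROUTER is a placeholder, not a real router address.
const DEX_ROUTER = "0x1111111111111111111111111111111111111111";
const BOUNDED_CALLDATA =
  "0x095ea7b3" +
  "000000000000000000000000" + DEX_ROUTER.slice(2) +
  (1000n).toString(16).padStart(64, "0");

if (typeof module !== "undefined" && require.main === module) {
  const ctx = { trustedSpenders: [DEX_ROUTER], balance: 5000n };
  console.log(assessApproval(DRAINER_STYLE_CALLDATA, ctx)); // risks: unknown-spender, unlimited-allowance
  console.log(assessApproval(BOUNDED_CALLDATA, ctx));        // risks: []
}
```

A wallet or browser extension that surfaces these flags turns the "verify your wallet" prompt from a one-tap trap into an informed decision; the same check is what a user can do by hand by reading the spender and amount in the signing dialog before confirming.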
A New Level of Sophistication
What sets this attack apart is its complexity. It didn’t rely on common tactics like keylogging or suspicious permissions. Instead, it leveraged smart contracts and deep links to silently drain users' funds once they were tricked into connecting their wallet.
“This incident shows the increasing sophistication of cybercriminals,” Check Point Research noted. “Users must be vigilant, even when apps appear legitimate.” They also called on app stores to improve their security vetting to prevent similar breaches in the future.
The Takeaway
This event is a sobering reminder that even seemingly harmless apps on trusted platforms like Google Play can pose serious risks. For crypto users, every interaction—no matter how minor—can have devastating consequences if you’re not careful.
Key lesson: Always double-check the authenticity of any crypto-related app, and be cautious when granting permissions or linking your wallet.
The fake WalletConnect app has since been removed, but the damage underscores the need for ongoing education about the risks in the evolving world of Web3 technologies.
Stay safe, and always be on the lookout for suspicious apps! 👀
#CryptoSecurity #WalletDrainScam #MobileCryptoRisks #Web3Safety