Trojan Calculator App Scams Google Play Users, Steals $70K

Check Point Research (CPR) discovered a malicious crypto-drainer application on Google Play designed to steal cryptocurrency. CPR describes it as the first time a drainer has specifically targeted mobile devices. The app evaded the store's detection and remained available for nearly five months before it was removed.

Disguised as “Walletconnect – Crypto Wallet,” the app posed as a Web3 tool and borrowed the name of the widely used WalletConnect protocol, which connects cryptocurrency wallets to decentralized applications. Using fake reviews and the familiar brand, it attracted more than 10,000 downloads and ranked prominently in Google Play search results.

Through social engineering and sophisticated crypto-stealing tooling, the attackers siphoned off around $70,000 worth of cryptocurrency from approximately 150 victims.

The drainer targeted digital assets such as NFTs and cryptocurrency tokens, combining phishing with malicious smart contracts to carry out fraudulent transactions. By redirecting users to fake websites that mimicked legitimate platforms, the scammers tricked victims into unknowingly authorising transfers of their assets to attacker-controlled accounts.

WalletConnect itself is an open-source protocol for establishing secure connections between decentralized applications (DApps) and crypto wallets; the scammers exploited users' confusion about how to connect with it. Some wallets do not support WalletConnect, and outdated wallet versions have compatibility problems, so a user searching the store for a “WalletConnect app” to fix a failed connection was an easy target. These were points of user confusion, not vulnerabilities in the protocol.

The app was built with the Median.co service, which wraps a website in a native mobile application. When the wrapped URL is loaded in an ordinary browser it shows only a simple “Mestox Calculator,” which is how the app passed Google Play's security checks while its malicious functionality ran behind that front.

Within the app, a deceptive flow prompted users to sign transactions under the pretense of verifying their wallet on the ConnectProtocol resource; the signed transactions redirected assets to the attackers' accounts without the users' knowledge.
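As an added worked example (written for this page, not code from the article or from Check Point Research), here is the check a wallet or a cautious user should apply to a “verify your wallet” request like the one described above and in the phishing flow earlier: decode the transaction's calldata before signing, and refuse token allowances or transfers to an address you do not recognise. A genuine verification only ever needs a signed message, never an on-chain approval. The function selectors are the standard ERC-20/ERC-721 values; the addresses, sample calldata, the `ROUTER` trusted-spender list and the OK/WARN/BLOCK policy are constructed assumptions for the example. It does not cover off-chain EIP-712 Permit signatures, which a wallet must inspect separately.

```python
"""Added example (not code from the article or Check Point Research): decode the
calldata a dApp asks a wallet to sign and flag what a crypto drainer relies on."""

# Standard ERC-20/ERC-721 selectors (first 4 bytes of keccak256 of the signature).
# All argument types here are static, so each occupies one 32-byte ABI word.
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
}
UINT256_MAX = 2**256 - 1


def encode_call(selector: str, args: list) -> str:
    """ABI-encode a call with static arguments. Used only to build the constructed
    samples below; a real wallet receives the calldata ready-made."""
    words = []
    for arg in args:
        if isinstance(arg, bool):      # check bool first: bool subclasses int
            words.append(int(arg).to_bytes(32, "big"))
        elif isinstance(arg, int):
            words.append(arg.to_bytes(32, "big"))
        elif isinstance(arg, str) and arg.startswith("0x"):
            words.append(bytes.fromhex(arg[2:]).rjust(32, b"\x00"))
        else:
            raise TypeError(f"unsupported argument {arg!r}")
    return "0x" + selector + b"".join(words).hex()


def decode_calldata(calldata: str) -> dict:
    """Split calldata into selector and typed arguments; an unknown selector is
    reported undecoded rather than guessed at."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"selector": selector, "function": None, "args": []}
    name, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name}: expected {len(types)} words, got {len(body) // 32}")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):         # addresses are left-padded with zero bytes
                raise ValueError("malformed address word")
            args.append("0x" + word[12:].hex())
        elif typ == "bool":
            args.append(word[-1] != 0)
        else:                          # uint256
            args.append(int.from_bytes(word, "big"))
    return {"selector": selector, "function": name, "args": args}


def assess(calldata: str, trusted_spenders=frozenset()) -> dict:
    """Classify a signing request as OK / WARN / BLOCK / UNKNOWN. Policy (this
    example's assumption, not a standard): verifying a wallet never needs an
    on-chain approval or transfer, so an allowance to an untrusted address is
    WARN; an unlimited allowance, a collection-wide operator approval or a direct
    transfer to an untrusted address is BLOCK."""
    decoded = decode_calldata(calldata)
    fn, args = decoded["function"], decoded["args"]
    trusted = {a.lower() for a in trusted_spenders}
    verdict, reasons = "OK", []
    if fn is None:
        verdict, reasons = "UNKNOWN", [f"unrecognised selector 0x{decoded['selector']}"]
    elif fn == "approve":
        spender, amount = args
        if spender.lower() not in trusted:
            verdict = "BLOCK" if amount == UINT256_MAX else "WARN"
            reasons.append(f"approve: allowance {amount} granted to untrusted {spender}")
    elif fn == "setApprovalForAll":
        operator, approved = args
        if approved and operator.lower() not in trusted:
            verdict = "BLOCK"
            reasons.append(f"setApprovalForAll: untrusted {operator} controls the whole collection")
    elif fn in ("transfer", "transferFrom"):
        recipient, amount = args[-2], args[-1]   # 'to' is second-to-last in both
        if recipient.lower() not in trusted:
            verdict = "BLOCK"
            reasons.append(f"{fn}: {amount} sent directly to untrusted {recipient}")
    return {**decoded, "verdict": verdict, "reasons": reasons}


# Constructed sample addresses and requests (not real contracts or wallets).
ATTACKER = "0x" + "de" * 20
ROUTER = "0x" + "01" * 20
DRAINER_APPROVE = encode_call("095ea7b3", [ATTACKER, UINT256_MAX])  # the "verify wallet" prompt
NFT_DRAIN = encode_call("a22cb465", [ATTACKER, True])
DIRECT_TRANSFER = encode_call("a9059cbb", [ATTACKER, 5 * 10**18])
SWAP_APPROVE = encode_call("095ea7b3", [ROUTER, 1_000 * 10**18])    # an ordinary DEX approval

if __name__ == "__main__":
    for label, data in [("drainer approve", DRAINER_APPROVE), ("nft drain", NFT_DRAIN),
                        ("direct transfer", DIRECT_TRANSFER), ("swap approve", SWAP_APPROVE)]:
        r = assess(data, trusted_spenders={ROUTER})
        print(f"{label:16} {r['verdict']:8} {'; '.join(r['reasons'])}")
```

The decoder is deliberately strict: it refuses calldata whose length does not match the selector's argument list and addresses that are not zero-padded, because a wallet that guesses at malformed input is a wallet that can be talked into mis-displaying it. The trusted-spender set stands in for whatever allow-list a real wallet keeps (known DEX routers, marketplaces); anything outside it asking for an unlimited allowance is the drainer pattern.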

The MS Drainer tool embedded in the application supports several blockchains, including Ethereum, BNB Smart Chain and Polygon, which lets it quickly enumerate a victim's assets across networks.

To defend against such threats, users are advised to vet applications thoroughly before installing them, and app stores are urged to strengthen their review processes. Educational campaigns within the crypto community also play a crucial role in raising awareness of the risks associated with Web3 technologies.
