Identified by Check Point, the fraudulent app posed as the legitimate WalletConnect open-source protocol, luring unsuspecting users into downloading it.
The app gained over 10,000 downloads thanks to fake reviews and consistent branding, which helped it rank high in search results. This marks the first known instance of a cryptocurrency-draining application targeting mobile users specifically.
Approximately 150 individuals are believed to have been affected by the scam, although not all users who downloaded the app experienced losses. The deceptive app was known by several names, including "Mestox Calculator," "WalletConnect - DeFi & NFTs," and "WalletConnect - Airdrop Wallet" (co.median.android.rxqnqb).
While the app has been removed from the official app marketplace, SensorTower data reveals it was particularly popular in Nigeria, Portugal, and Ukraine, and it is linked to a developer named UNS LIS. This developer is also associated with another app called "Uniswap DeFI" (com.lis.uniswapconverter), which was available on the Play Store for about a month between May and June 2023, though whether it carried malicious functionality remains unclear. Both apps can still be found on third-party app stores, underscoring the risks of sideloading APK files from unverified sources.
Once installed, the fake WalletConnect app redirects users to a fraudulent website selected on the basis of their IP address and User-Agent string. Users who do not meet certain criteria, such as those reaching the site from a desktop browser, are sent to a legitimate website instead; this cloaking helps the app evade detection and slip past the Play Store's app review process.
The malware's core component, known as MS Drainer, is also built to resist analysis and debugging. It prompts users to connect their wallets and authorize multiple transactions. The wallet details entered by victims are sent to a command-and-control server (cakeserver[.]online), which responds with the malicious transactions the device is to execute, transferring funds to the attackers' wallet.
According to Check Point researchers, the app first deceives users into signing a transaction that grants the attacker's wallet (0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF) permission to withdraw the maximum amount of the specified token that the token's smart contract allows, in effect an unlimited allowance. Using that allowance, the attackers then transfer tokens from the victim's wallet to another wallet they control (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1).
If victims do not revoke the permission to withdraw tokens, the attackers can continually extract digital assets without needing further interaction.
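The approval-then-withdraw pattern described above is the standard ERC-20 `approve` / `transferFrom` pair, and revoking it means signing a second `approve` with an amount of zero. The following is an added example, not code from Check Point or from the malicious app: it hand-encodes and decodes the two calls so a wallet or proxy can flag an unlimited approval (or one naming a known drainer address) before the user signs it, builds the revocation call, and simulates a token ledger to show why an unrevoked allowance can be drained repeatedly. The four-byte selectors are the real ERC-20 ones; the spender address is the one reported in the article; the ledger, balances and second address in the test are constructed for the demo.

```javascript
// Added example (not Check Point's or the app's code). Manual ABI encoding so it
// runs with no dependencies; BigInt is used for uint256 values.

const APPROVE_SELECTOR = "095ea7b3";       // keccak256("approve(address,uint256)")[0:4]
const TRANSFER_FROM_SELECTOR = "23b872dd"; // keccak256("transferFrom(address,address,uint256)")[0:4]
const MAX_UINT256 = (1n << 256n) - 1n;    // the "unlimited" allowance value

// Attacker-controlled spender reported in the article.
const DRAINER_SPENDER = "0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF";

// Left-pad an address or hex integer to one 32-byte ABI word.
function padWord(hex) {
  return hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
}

// approve(spender, amount) calldata as the wallet would be asked to sign it.
function encodeApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR + padWord(spender) + padWord(amount.toString(16));
}

// Revocation is just approve(spender, 0).
function encodeRevoke(spender) {
  return encodeApprove(spender, 0n);
}

// Decode approve / transferFrom calldata; anything else is reported as unknown.
function decodeCalldata(data) {
  const hex = data.replace(/^0x/, "").toLowerCase();
  const selector = hex.slice(0, 8);
  const words = [];
  for (let i = 8; i + 64 <= hex.length; i += 64) words.push(hex.slice(i, i + 64));
  if (selector === APPROVE_SELECTOR && words.length === 2) {
    return { fn: "approve", spender: "0x" + words[0].slice(24), amount: BigInt("0x" + words[1]) };
  }
  if (selector === TRANSFER_FROM_SELECTOR && words.length === 3) {
    return {
      fn: "transferFrom",
      from: "0x" + words[0].slice(24),
      to: "0x" + words[1].slice(24),
      amount: BigInt("0x" + words[2]),
    };
  }
  return { fn: "unknown", selector };
}

// Pre-signing check: "block" for a known drainer spender, "warn" for any
// unlimited allowance, "ok" for a bounded allowance to an unknown spender.
function assessApproval(data, knownBadSpenders = [DRAINER_SPENDER]) {
  const decoded = decodeCalldata(data);
  if (decoded.fn !== "approve") return { risk: "n/a", decoded };
  const unlimited = decoded.amount === MAX_UINT256;
  const badSpender = knownBadSpenders.some((a) => a.toLowerCase() === decoded.spender);
  const risk = badSpender ? "block" : unlimited ? "warn" : "ok";
  return { risk, unlimited, badSpender, decoded };
}

// Minimal ERC-20-style ledger (constructed for the demo). As in common token
// implementations, an unlimited allowance is never decremented, so the spender
// can call transferFrom again and again until the owner revokes it.
class TokenLedger {
  constructor(balances) {
    this.balances = { ...balances };
    this.allowances = {};
  }
  approve(owner, spender, amount) {
    this.allowances[owner + ":" + spender] = amount;
  }
  transferFrom(caller, from, to, amount) {
    const key = from + ":" + caller;
    const allowed = this.allowances[key] ?? 0n;
    if (allowed < amount || (this.balances[from] ?? 0n) < amount) return false;
    if (allowed !== MAX_UINT256) this.allowances[key] = allowed - amount;
    this.balances[from] -= amount;
    this.balances[to] = (this.balances[to] ?? 0n) + amount;
    return true;
  }
}

module.exports = { encodeApprove, encodeRevoke, decodeCalldata, assessApproval, TokenLedger, MAX_UINT256, DRAINER_SPENDER };
```

Run `assessApproval` on the calldata a dapp hands to the wallet before the signing prompt is shown; a result of `warn` or `block` is the moment to stop, and `encodeRevoke` is what a user signs afterwards to close an allowance they already granted.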
Check Point also discovered another malicious app with similar features, "Walletconnect | Web3Inbox" (co.median.android.kaebpq), which was available on the Google Play Store in February 2024 and garnered over 5,000 downloads.
"This incident underscores the increasing sophistication of cybercriminal tactics, especially within decentralized finance, where users often depend on third-party tools and protocols to manage their digital assets," the company stated.
"The malicious app avoided traditional attack methods like excessive permissions or keylogging, opting instead to use smart contracts and deep links to silently deplete assets once users were misled into using the app."
Credit: TheHackerNews.