A report from Check Point Research (CPR) found a crypto wallet drainer app in the Google Play Store, disguised as the popular WalletConnect app. CPR found that the app used advanced evasion techniques to steal $70,000 (about Rs 5.86 lakh) from unsuspecting users over five months. After analyzing its JavaScript code, CPR concluded that the malicious application, known as “MS Drainer”, is part of an increasingly mature crypto scam trend. A recent FBI report likewise warns that cybercriminals have become more effective at carrying out global attacks.
“Check Point Research (CPR) discovered a malicious application in the Google Play Store designed to steal cryptocurrencies, marking the first time a drainer has targeted mobile device users. Posing as a legitimate tool for Web3 applications, the attacker exploited the trusted name of the WalletConnect protocol, which connects crypto wallets to decentralized applications.”
The now-removed crypto wallet app had amassed over 10,000 downloads. The fake app surfaced in Google Play Store searches; the CPR report describes it as “forged”.
What is WalletConnect?
WalletConnect is an open source protocol that connects decentralized applications (dApps) with crypto wallets, typically via QR codes, allowing users to interact with blockchain-based applications without exposing their private keys.
According to Check Point Research (CPR), the fake application was built with the web service Median.co. Originally named “Mestox Calculator”, the app was published on the Google Play Store on March 21, 2024, and its name has been changed several times since.
“Inexperienced users may conclude that it is a separate wallet application that needs to be downloaded and installed. The attacker took advantage of this confusion and hoped that users would search for WalletConnect applications in the application store,” the report noted.
WalletConnect’s X handle acknowledged the development in a post to its followers.
The WalletConnect Foundation is aware of the recent scam, in which a bad actor developed a malicious app that takes advantage of the WalletConnect name and was found in the Google Play Store. The app has been removed from the Google Play Store. The Foundation reminds everyone that there is no…
– WalletConnect (@walletConnect) September 29, 2024
How the malicious WalletConnect scam works
After installation, the fake app promptly prompts the user to connect their crypto wallet. When users tap the wallet button, they are redirected via deep links to a malicious website. Under the pretext of verifying the wallet, the website asks users to approve several transactions in succession, and in doing so they unknowingly authorize the fraudulent transfers.
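The drainer pattern described above (a site that pushes a run of approval requests through the wallet connection) is something a wallet or a dApp-connection proxy can watch for. The following is an added example, not code from the article or from Check Point's report: a small defender-side heuristic that inspects the transaction requests a dApp sends to a wallet during one session, decodes ERC-20 `approve(address,uint256)` calls (selector `0x095ea7b3`, which is the real function selector), and flags unlimited allowances, unfamiliar spenders, and repeated approvals to the same spender. The request shape `{to, data, value}`, the `knownSpenders` allow-list, and the sample session are assumptions constructed for the example; the spender address is a placeholder.

```javascript
// Added example (not from the article or Check Point's report): a defender-side
// heuristic over the transaction requests a dApp sends to a wallet in one session.
// Assumptions: requests are plain objects {to, data, value}; only the ERC-20
// approve(address,uint256) call (selector 0x095ea7b3) is decoded; the spender
// address and the sample session below are constructed placeholders.

const APPROVE_SELECTOR = "0x095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode an ERC-20 approve() call; returns null for any other calldata.
function decodeApprove(data) {
  if (typeof data !== "string" || !data.startsWith(APPROVE_SELECTOR)) return null;
  const args = data.slice(10);               // strip "0x" + 4-byte selector
  if (args.length < 128) return null;        // two 32-byte ABI words expected
  const spender = "0x" + args.slice(24, 64).toLowerCase(); // address is right-aligned in its word
  const amount = BigInt("0x" + args.slice(64, 128));
  return { spender, amount };
}

// Inspect one session of requests and return a list of findings.
// knownSpenders: addresses the user (or the wallet) has previously trusted.
function analyzeSession(requests, knownSpenders = new Set()) {
  const findings = [];
  const approvalsBySpender = new Map();
  for (const [index, req] of requests.entries()) {
    const approve = decodeApprove(req.data);
    if (!approve) continue;                  // transfers, swaps, etc. are not scored here
    approvalsBySpender.set(approve.spender, (approvalsBySpender.get(approve.spender) || 0) + 1);
    if (approve.amount === MAX_UINT256) {
      findings.push({ index, reason: "unlimited-allowance", spender: approve.spender });
    }
    if (!knownSpenders.has(approve.spender)) {
      findings.push({ index, reason: "unknown-spender", spender: approve.spender });
    }
  }
  // Several approvals to one spender in a single session is the drainer signature.
  for (const [spender, count] of approvalsBySpender) {
    if (count >= 2) findings.push({ index: -1, reason: "repeated-approvals", spender, count });
  }
  return findings;
}

// Build approve() calldata for the constructed sample (ABI-encode two 32-byte words).
function encodeApprove(spender, amount) {
  const addrWord = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amtWord = amount.toString(16).padStart(64, "0");
  return APPROVE_SELECTOR + addrWord + amtWord;
}

// Constructed sample session: three approvals to one unfamiliar spender, then a transfer.
const SAMPLE_SPENDER = "0x000000000000000000000000000000000000dead"; // placeholder address
const SAMPLE_SESSION = [
  { to: "0x" + "11".repeat(20), data: encodeApprove(SAMPLE_SPENDER, MAX_UINT256), value: "0x0" },
  { to: "0x" + "22".repeat(20), data: encodeApprove(SAMPLE_SPENDER, MAX_UINT256), value: "0x0" },
  { to: "0x" + "33".repeat(20), data: encodeApprove(SAMPLE_SPENDER, 1000n), value: "0x0" },
  { to: "0x" + "44".repeat(20), data: "0xa9059cbb" + "0".repeat(128), value: "0x0" }, // transfer(), not scored
];

// Human-readable summary a wallet could surface before the user signs anything.
function summarize(findings) {
  return findings.map(f =>
    f.index >= 0
      ? `request #${f.index}: ${f.reason} (spender ${f.spender})`
      : `session: ${f.reason} x${f.count} (spender ${f.spender})`
  );
}

console.log(summarize(analyzeSession(SAMPLE_SESSION)).join("\n"));
```

A wallet would run `analyzeSession` over the requests queued since the connection was opened and warn, or require an explicit confirmation, when any finding is present; the `knownSpenders` set lets approvals to contracts the user has already interacted with pass without noise.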
“We assume that users installed this malicious application in order to connect their wallet to a Web3 application that does not support wallets like MetaMask, Binance Wallet, or Trust Wallet, but only uses the WalletConnect protocol. They may expect the downloaded WalletConnect application to act as a proxy. Therefore, the connection request does not seem suspicious,” the report explains.
CPR said in its report that such incidents highlight the increasingly sophisticated techniques used to target the cryptocurrency industry, currently worth $2.27 trillion (approximately Rs 1,90,20,20,364 crore). CPR strongly recommends that users stay vigilant about the apps they download, even when they look legitimate.
Back in 2023, a Sophos report said that crypto scammers had used AI tools in phishing campaigns against Android users. Crypto fraudsters are also believed to be using Google Search ads to drive traffic to scam sites.
