Cyber security researchers at Check Point have discovered a malicious Android app on the Google Play Store that enabled its authors to steal approximately $70,000 in cryptocurrency from victims over a period of nearly five months.

The cryptocurrency-stealing app on Android: what is known about it

The fraudulent Android application identified by Check Point passed itself off as the legitimate open-source protocol WalletConnect to trick unsuspecting users into downloading it.

“Fake reviews and consistent branding have helped the app reach over 10,000 downloads and rank high in search results”, the cybersecurity company stated in its analysis, adding that this is the first time a cryptocurrency drainer has exclusively targeted mobile users.

WalletConnect

It is estimated that over 150 users fell victim to the scam, although not everyone who downloaded the application is believed to have been affected by the theft.

The campaign involved the distribution of a deceptive app that presented itself with various names such as “Mestox Calculator”, “WalletConnect – DeFi & NFTs” and “WalletConnect – Airdrop Wallet” (co.median.android.rxqnqb).

Although the app is no longer available for download from the official marketplace, data from SensorTower show that it was popular in Nigeria, Portugal and Ukraine, and that it was linked to a developer called UNS LIS.

The same developer was also associated with another Android app called “Uniswap DeFI” (com.lis.uniswapconverter), which remained on the Play Store for about a month between May and June 2023; it is currently unknown whether that app had any malicious functionality.

Malicious Android application that disguised itself as a legitimate application on the Google Play Store

However, both Android apps can still be downloaded from third-party app stores, which once again highlights the risk of installing APK files from unofficial marketplaces.

The harm of a deceptive application that imitates a legitimate one

Once installed, the fake WalletConnect app redirects users to a fraudulent website selected on the basis of their IP address and User-Agent string, and then redirects them a second time to another site that imitates Web3Inbox.

Users who do not meet the required criteria, including anyone visiting the URL from a desktop web browser, are sent to a legitimate website instead. This cloaking evades detection and is what allowed the cybercriminals to get the app through the Play Store review process.

In addition to taking measures to hinder analysis and debugging, the malware's main component is a cryptocurrency drainer known as MS Drainer, which pushes users to connect their wallet and sign several transactions in order to “verify” it.

Chart showing the attackers' modus operandi for stealing cryptocurrency from victims' digital wallets

The information entered by the victim at each stage is transmitted to a command-and-control server (cakeserver[.]online), which in turn sends back a response containing instructions to trigger malicious transactions on the device and transfer the funds to a wallet address controlled by the attackers.

The conclusions of Check Point cybersecurity researchers

“Similar to native cryptocurrency theft, the malicious app first tricks the user into signing a transaction in their wallet,” Check Point researchers said.

The researchers continued: “Through this transaction, the victim grants permission to the attacker’s address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the ‘Address’ field in the configuration) to transfer the maximum quantity of the specified asset (if allowed by its smart contract).”

In the next step, the tokens are transferred from the victim’s wallet to another wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) controlled by the attackers.

This also means that, unless the victim revokes the approval (for example by setting the allowance granted to the attacker’s address back to zero), the attackers can keep withdrawing digital assets as they arrive in the wallet, without requiring any further action from the victim.
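The three paragraphs above describe the standard ERC-20 approve/transferFrom pattern: one signed approval for the maximum amount, followed by as many transferFrom calls as the attacker likes until the allowance is revoked. The following is an added example written for this page, not code from Check Point or from the malware: a toy in-memory ERC-20 ledger that replays that flow, plus a small decoder for the approve() calldata a wallet is asked to sign, which is the check a user or wallet can perform before signing. The two attacker addresses are the ones quoted in the Check Point analysis; the victim address, the token balances and the unlimited-allowance behaviour of the toy ledger (a common, but not universal, ERC-20 implementation choice) are constructed assumptions.

```python
# Added example (not the report's or the malware's code): toy ERC-20
# approve/transferFrom model and an approve() calldata inspector.

MAX_UINT256 = 2**256 - 1

# Attacker addresses quoted in the Check Point analysis.
SPENDER = "0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF"   # address granted the approval
SINK = "0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1"      # wallet that receives the tokens
VICTIM = "0x1111111111111111111111111111111111111111"    # constructed placeholder victim

# Standard ERC-20 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
}


def _addr(a):
    """Normalise an address for comparison (checksum casing is irrelevant on-chain)."""
    return a.lower()


def encode_approve(spender, amount):
    """Build the calldata a wallet is asked to sign for approve(spender, amount)."""
    word_addr = spender[2:].lower().rjust(64, "0")   # address left-padded to 32 bytes
    word_amt = format(amount, "064x")                # uint256 as 32 bytes
    return "0x095ea7b3" + word_addr + word_amt


def decode_calldata(calldata):
    """Decode the selector and ABI-encoded arguments of a known ERC-20 call."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    sel = data[:8].lower()
    name = SELECTORS.get(sel)
    if name is None:
        return {"function": None, "selector": sel, "args": []}
    words = [data[i:i + 64] for i in range(8, len(data), 64)]
    types = name[name.index("(") + 1:-1].split(",")
    args = []
    for t, w in zip(types, words):
        args.append("0x" + w[-40:] if t == "address" else int(w, 16))
    return {"function": name, "selector": sel, "args": args}


def flag_risky_approval(calldata, max_reasonable=10**24):
    """Return a warning if the calldata is an approve() above max_reasonable, else None."""
    d = decode_calldata(calldata)
    if d["function"] != "approve(address,uint256)":
        return None
    spender, amount = d["args"]
    if amount >= max_reasonable:
        label = "unlimited" if amount == MAX_UINT256 else str(amount)
        return f"approve() grants {spender} an allowance of {label}; refuse unless expected"
    return None


class Token:
    """Minimal in-memory ERC-20 ledger (constructed for this example)."""

    def __init__(self):
        self.balances = {}
        self.allowances = {}   # (owner, spender) -> amount

    def mint(self, to, amount):
        """Simulate tokens arriving in a wallet (airdrop, purchase, payment)."""
        self.balances[_addr(to)] = self.balances.get(_addr(to), 0) + amount

    def approve(self, owner, spender, amount):
        """What the victim signs; approve(spender, 0) is the revocation."""
        self.allowances[(_addr(owner), _addr(spender))] = amount

    def transfer_from(self, caller, owner, to, amount):
        """Spender moves owner's tokens; returns False when allowance or balance is short."""
        key = (_addr(owner), _addr(caller))
        allowed = self.allowances.get(key, 0)
        if allowed < amount or self.balances.get(_addr(owner), 0) < amount:
            return False
        if allowed != MAX_UINT256:   # assumption: unlimited allowances are not decremented
            self.allowances[key] = allowed - amount
        self.balances[_addr(owner)] -= amount
        self.balances[_addr(to)] = self.balances.get(_addr(to), 0) + amount
        return True


def drain_scenario():
    """Replay the flow from the report: one approve, repeated transferFrom, then revocation."""
    token = Token()
    token.mint(VICTIM, 100)
    token.approve(VICTIM, SPENDER, MAX_UINT256)                # the "verification" signature
    first = token.transfer_from(SPENDER, VICTIM, SINK, 100)    # attacker empties the wallet
    token.mint(VICTIM, 50)                                     # new assets arrive later
    second = token.transfer_from(SPENDER, VICTIM, SINK, 50)    # drained again, no new signature
    token.approve(VICTIM, SPENDER, 0)                          # victim revokes the allowance
    token.mint(VICTIM, 25)
    third = token.transfer_from(SPENDER, VICTIM, SINK, 25)     # now fails
    return {"first": first, "second": second, "third": third,
            "sink_balance": token.balances[_addr(SINK)],
            "victim_balance": token.balances[_addr(VICTIM)]}


if __name__ == "__main__":
    print(flag_risky_approval(encode_approve(SPENDER, MAX_UINT256)))
    print(drain_scenario())
```

The inspector only recognises the three selectors listed; anything else decodes as unknown, which a wallet should also treat as a reason to stop and read the transaction. The threshold in flag_risky_approval is an arbitrary constructed value: the point is that an approve() for the maximum uint256, as the report describes, is never needed for a one-off connection or airdrop claim.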

Check Point has also identified another malicious app with similar characteristics, “Walletconnect | Web3Inbox” (co.median.android.kaebpq), which was previously available on the Google Play Store in February 2024; it attracted over 5,000 downloads.

“This incident highlights the growing sophistication of cybercriminal tactics, particularly in the field of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets”, the company noted, concluding: “The malicious app did not rely on traditional attack vectors such as permissions or keylogging. Instead, it used smart contracts and deep links to silently empty assets once users were tricked into using the app.”