
How a Crypto Drainer Lived on Google Play for Five Months to Steal $70,000


A mobile-only crypto scam revolved around an app available for download on Google Play. The hackers responsible for the app remained one step ahead of Google’s detection measures.

A malicious app impersonating the WalletConnect app sat on the Google Play store for five months, helping cybercriminals steal at least $70,000 from unsuspecting users. Notably, the phishing method the bad actors used targeted only mobile users.

Cybersecurity firm Check Point Research released a case study about the application—now delisted from Google Play—to inform the crypto community about shifting tides in cybercrime related to digital assets. Those behind the drainer utilized advanced measures to evade Google’s checks and siphon funds from crypto holders.

The app copied the popular WalletConnect, an aggregator of users’ wallets that connects them to DeFi protocols conveniently using QR codes and other measures. Essentially, it removes the hassles associated with interacting with DeFi, letting users access protocols from their mobile phones while not revealing their private keys in any step. These features get many users to rely on WalletConnect.

Knowing users would actively look for such an app, the bad actors launched their own version, copying WalletConnect’s likeness and branding. They also flooded it with numerous fake reviews, many not even relevant to what WalletConnect does. “Application reviews are evidently fake, as they are unrelated to the app’s actual content. After analyzing review pages, we found prevalent fake reviews in English, French, and Spanish,” Check Point said.

Numerous Checks to Scam Only the Right Users

Users who open the app are redirected to a seemingly harmless website called Mestox Calculator. Since nothing nefarious happened in the app itself at the outset, Google could not identify the real reason for its existence. The website, however, profiles visitors by examining their IP addresses and other traces, filtering worthwhile targets from the rest. After another round of such filtering, users who make it through are served MS Drainer, malware built to empty their wallets.

Source: Check Point Research

At that point, users are asked to connect their wallets to the app and grant permissions that a legitimate crypto app would never request. Once those permissions are granted, MS Drainer uses them to steal all the funds from the users’ wallets. Unlike other crypto drainers that rely on methods such as keylogging, this fake app uses smart contracts to plunder assets in order of value: the most valuable assets first, the rest afterwards.

“This incident highlights the growing sophistication of cybercriminal tactics,” Check Point mentioned.
