Highlights
- Fake WalletConnect app masqueraded as a calculator, bypassing security checks.
- Over $70,000 stolen from more than 150 users.
- The app went undetected for five months on Google Play.
- Users were tricked into connecting their crypto wallets and approving malicious transactions.
A significant crypto theft incident has shaken the Google Play Store community, with more than 150 victims losing over $70,000 to a fake WalletConnect app.
The malicious application, which masqueraded as a harmless calculator, remained undetected on the Google Play Store for over five months, wreaking havoc among unsuspecting users.
Fake WalletConnect App Goes Undetected
The fake WalletConnect app first appeared on March 21, 2024, under the name "Mestox Calculator," evading detection for over five months. The malicious software fooled Google Play Store security checks by appearing as a harmless calculator, while in reality it housed crypto wallet-draining software known as MS Drainer.
The cybersecurity firm Check Point Research (CPR), in a lengthy report, brought the issue to light on September 26, uncovering the app's true purpose. By then, the app had been downloaded over 10,000 times, and 150 victims had fallen prey to the scam, losing a total of $70,000 worth of cryptocurrency.
The app avoided detection by changing names several times, while consistently relying on social engineering tactics, including fake reviews and well-crafted branding, to climb high in search results.
How the Crypto Theft Unfolded
Once installed, the fake WalletConnect app prompted users to connect their crypto wallets and asked for various permissions. Once these permissions were granted, the app initiated fraudulent transactions, allowing the attackers to drain users' wallets. Users were unaware of the consequences because they believed they were approving legitimate actions.
The malicious software used advanced techniques to target specific users based on their IP address and to confirm whether they were using a mobile device. This helped the scammers avoid detection and remain active for several months on Google Play.
According to CPR, the app was designed to trigger fraudulent transactions that transferred funds to the scammers' wallets once the unsuspecting users had given the necessary permissions.
Google Play Removes the App
Following the report by Check Point Research, the fake WalletConnect app was removed from Google Play on September 29, 2024, preventing further victims. By then, however, significant damage had already been done, with victims collectively losing $70,000 to crypto theft.
"Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results," said Check Point Research, highlighting the growing risk of crypto-targeted phishing scams on mobile platforms.
Final Notes
The fake WalletConnect app incident serves as a stark reminder of the growing risks in the crypto space, especially on mobile platforms like Google Play.
With over $70,000 lost, this phishing attack highlights the need for heightened caution among users when interacting with cryptocurrency apps.
As phishing techniques become more sophisticated, it's crucial for users to double-check the legitimacy of applications and avoid granting permissions without thorough verification.
Staying informed and cautious can be the key to avoiding similar attacks and protecting valuable digital assets.