Malicious Crypto Wallet Drainer Found on Google Play for Months, Stole $70K

A recent report by IT security firm Check Point Research reveals that a malicious crypto wallet drainer was available on the Google Play store for several months, managing to steal over $70,000 from users. This marks the first instance of wallet-draining attacks targeting mobile users exclusively.


The fraudulent app disguised itself as the WalletConnect protocol, a popular tool used to link various crypto wallets to decentralized finance (DeFi) applications. According to Check Point's September 26 blog post, the app employed "advanced evasion techniques" to evade detection and accumulated over 10,000 downloads by leveraging fake reviews and consistent branding.


More than 150 users fell victim to the scam, although not all app users were affected—some either did not connect their wallets or recognized the scam before being compromised. Check Point noted that the app, available since March 21, utilized sophisticated tactics to remain undetected for over five months before being removed.


Similar to other wallet-draining scams, the fake app prompted users to connect their wallets, a request that seemed legitimate. Users were then asked to grant various permissions to "verify their wallet," inadvertently allowing the attackers to transfer the maximum amount of specified assets from their wallets.


The app was designed to retrieve the value of all assets in the victim's wallets, first attempting to withdraw higher-value tokens, followed by cheaper ones. Check Point emphasized that this incident underscores the increasing sophistication of cybercriminal strategies, as the app did not rely on traditional methods like keylogging or excessive permissions. Instead, it utilized smart contracts and deep links to silently drain assets once users were tricked into using the app.
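The "permissions" step described above is, in practice, usually a request to sign an ERC-20 approve(spender, amount) transaction; that is an assumption here, since the article does not name the call. The following added example (not code from the article or from Check Point) decodes such calldata and flags an unlimited or over-balance allowance to an unknown spender, the check a wallet or a cautious user can apply before signing:

```python
"""Flag risky ERC-20 approve() calls before a wallet signs them.

Assumption (not stated in the article): the drainer's "verify your wallet"
step asks the victim to sign approve(spender, amount). Selector and layout
are from the ERC-20 ABI: a 4-byte selector followed by two 32-byte words.
"""
from dataclasses import dataclass

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = (1 << 256) - 1    # the "unlimited" allowance wallets often display as infinite


@dataclass
class ApprovalCheck:
    spender: str
    amount: int
    unlimited: bool
    verdict: str    # "ok" or "warn"
    reason: str


def build_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount); used only to construct sample calldata."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata: str) -> tuple[str, int]:
    """Return (spender, amount) from approve() calldata, rejecting anything else."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve(address,uint256) call")
    spender = "0x" + data[32:72]        # address sits in the low 20 bytes of the first word
    amount = int(data[72:136], 16)
    return spender, amount


def check_approval(calldata: str, token_balance: int,
                   trusted_spenders: frozenset = frozenset()) -> ApprovalCheck:
    """Warn when a dApp asks for more allowance than the user holds or could need."""
    spender, amount = decode_approve(calldata)
    unlimited = amount == UINT256_MAX
    if amount == 0:
        return ApprovalCheck(spender, amount, False, "ok", "revocation")
    if spender in trusted_spenders:
        return ApprovalCheck(spender, amount, unlimited, "ok", "trusted spender")
    if unlimited:
        return ApprovalCheck(spender, amount, True, "warn", "unlimited allowance to unknown spender")
    if amount > token_balance:
        return ApprovalCheck(spender, amount, False, "warn", "allowance exceeds current balance")
    return ApprovalCheck(spender, amount, False, "ok", "bounded allowance")
```

A "warn" here is exactly the signal a user in this story never saw: the drainer's contract asked for an allowance large enough to move everything, and the wallet prompt presented it as routine verification.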


Researchers urged users to exercise caution when downloading applications, even those that appear legitimate, and called for app stores to enhance their verification processes to prevent the distribution of malicious apps. They stressed the need for ongoing education within the crypto community about the risks associated with Web3 technologies, as even seemingly harmless interactions can lead to significant financial losses.

Google has not yet responded to requests for comment regarding the incident. The malicious app was initially published under the name "Mestox Calculator" and underwent several name changes, but its URL always pointed to a seemingly benign calculator website. This tactic allowed attackers to navigate Google Play's review process undetected, as both automated and manual checks would load the harmless-looking calculator application. Depending on the user’s location and device type, some were redirected to the malicious back-end housing the wallet-draining software known as MS Drainer.
