Crypto wallet drainer was on Google Play for months, stole $70K: Report

IT security firm Check Point Research has uncovered a crypto wallet drainer that used “advanced evasion techniques” on the Google Play store to steal over $70,000 in five months.

The malicious app disguised itself as the WalletConnect protocol, a well-known app in the crypto space that can link a variety of crypto wallets to decentralized finance (DeFi) applications.

The company said in a Sept. 26 blog post that it marks “the first time drainers exclusively targeted mobile users.”

“Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results,” Check Point Research said.

Over 150 users were drained of around $70,000 — not all app users were targeted as some didn’t connect a wallet or saw it was a scam. Others “may not have met the malware’s specific targeting criteria,” Check Point Research said.

It added the fake app was made available on Google’s app store on March 21 and used “advanced evasion techniques” to remain undetected for over five months. It has now been removed.

The app was first published under the name “Mestox Calculator” and was changed several times while its application URL still pointed to a seemingly harmless website with a calculator. 

“This technique allows attackers to pass the app review process in Google Play, as automated and manual checks will load the ‘harmless’ calculator application,” the researchers said. 

However, depending on the user’s IP address location and if they were using a mobile device, they were redirected to the malicious app back-end that housed the wallet-draining software MS Drainer.

Much like other wallet-draining schemes, the faked WalletConnect app prompted users to connect a wallet — which would not have been suspicious due to how the real app works.

Users are then asked to accept various permissions to “verify their wallet,” which grants permission for the attacker’s address “to transfer the maximum amount of the specified asset,” Check Point Research said.

Related: Polymarket users complain of mysterious Google login wallet attacks

“The application retrieves the value of all assets in the victim’s wallets. It first attempts to withdraw the more expensive tokens, followed by the cheaper ones,” it added.

“This incident highlights the growing sophistication of cybercriminal tactics,” Check Point Research wrote. “The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app.”

It added users must be “wary of the applications they download, even when they appear legitimate” and that app stores must improve their verification process to stop malicious apps.

“The crypto community needs to continue to educate users about the risks associated with Web3 technologies,” the researchers said. “This case illustrates that even seemingly innocuous interactions can lead to significant financial losses.”

Google did not immediately respond to a request for comment.

Crypto-Sec: 2 auditors miss $27M Penpie flaw, Pythia’s ‘claim rewards’ bug