Crypto Scam App Disguised as WalletConnect Drains $70K

Published on September 30, 2024
Written by:
Lore Apostol
Lore Apostol
Infosec Writer & Editor
Created using Copilot | Powered by DALL.E 3

A malicious Android app masqueraded as the legitimate WalletConnect open-source protocol on the Google Play Store, enabling its creators to siphon approximately $70,000 in cryptocurrency from victims over nearly five months, according to Check Point cybersecurity researchers.

Using names like "Mestox Calculator" and "WalletConnect - DeFi & NFTs," it tricked over 150 victims into downloading it by leveraging fake reviews and consistent branding to rank high in search results.

Upon installation, the app redirected users to a fake website designed to mimic Web3Inbox based on their IP address and User-Agent string. Users visiting from desktops were directed to legitimate sites to evade detection.

Malicious WalletConnect application workflow | Source: Check Point

The core malware component, MS Drainer, deceptively prompted users to connect their wallets and sign transactions, subsequently transmitting data to a command-and-control server. This enabled attackers to execute malicious transactions and transfer funds to their addresses.

ERC-20-and-BEP-20-token-theft
ERC-20-and-BEP-20-token-theft | Source: Check Point

Victim tokens were transferred to a wallet controlled by the attackers. Continued asset drainage is possible unless victims revoke withdrawal permissions from their wallets.

The malicious app was linked to a developer named UNS LIS, who is also associated with another app, "Uniswap DeFI.” The deceptive app showed popularity in Nigeria, Portugal, and Ukraine, marking the first instance of a cryptocurrency drainer exclusively targeting mobile users.

WalletConnect App on Playstore| Source: Check Point

By exploiting smart contracts and deep links rather than traditional methods like keylogging, attackers managed to stealthily drain assets from unsuspecting users. 

The incident highlights the critical need for vigilance when downloading apps, emphasizing the risks associated with third-party APKs and the deceptive allure of fraudulent app reviews.

The FBI issued a warning regarding aggressive North Korean cryptocurrency hackers using social engineering, mainly targeting decentralized finance (DeFi), crypto companies, and connected entities.

In the latest news, threat actors affiliated with North Korea have been seen deploying the COVERTCATCH malware through deceptive job recruitment schemes via LinkedIn, targeting developers in DeFi and the wider Web3 sector.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: