First Mobile-Targeted Wallet Drainer Identified by Check Point Research
Check Point Research, a cybersecurity firm, has discovered a cryptocurrency wallet drainer that employed “advanced evasion techniques” on the Google Play Store, stealing over $70,000 within five months.
The malicious app masqueraded as WalletConnect, a popular application in the crypto space that connects various wallets to decentralized finance (DeFi) platforms. In a blog post on September 26, the company stated that this incident marks the first instance of drainers exclusively targeting mobile users.
“Fake reviews and consistent branding enabled the app to amass over 10,000 downloads by ranking highly in search results,” Check Point Research reported.
More than 150 users fell victim to the scheme, losing around $70,000 in total. Not everyone who installed the app lost funds: some never connected a wallet, others recognized the app as a scam, and still others “may not have met the malware’s specific targeting criteria,” according to the report.
The app was first published on March 21 under the name “Mestox Calculator” and was renamed several times afterwards; throughout, the URL the app loaded pointed to a seemingly benign website hosting a calculator.
“This method allowed attackers to bypass the app review process in Google Play, as both automated and manual checks would load the ‘harmless’ calculator application,” the researchers noted.
However, depending on the visitor’s IP address and whether the request came from a mobile device, the same URL redirected targeted users to the malicious back end hosting the wallet-draining kit, MS Drainer. Review infrastructure and desktop browsers saw the calculator; the intended victims saw the drainer.
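The cloaking described above is only detectable if the same URL is fetched from more than one vantage point. The following is an added example, not code from Check Point Research or from the malicious app: a differential fetch that requests a page as several client profiles and groups the responses by digest, so a reviewer sees at once that a mobile, non-datacenter visitor receives different content. The server model, the IP prefixes (RFC 5737 documentation ranges standing in for review infrastructure) and the User-Agent strings are all constructed for this example.

```python
import hashlib
import re
from typing import Callable, Iterable

# A vantage point is what a web server can observe about a visitor: source IP and User-Agent.
Profile = tuple[str, str]

# Constructed stand-ins for reviewer egress ranges (RFC 5737 documentation prefixes); real ranges are not assumed here.
DATACENTER_PREFIXES = ("203.0.113.", "198.51.100.")
MOBILE_UA_MARKERS = ("Android", "iPhone", "Mobile")


def looks_mobile(user_agent: str) -> bool:
    return any(marker in user_agent for marker in MOBILE_UA_MARKERS)


def looks_datacenter(ip: str) -> bool:
    return ip.startswith(DATACENTER_PREFIXES)


def cloaking_site(ip: str, user_agent: str) -> str:
    """Constructed model of the behaviour the report describes: one URL, two audiences.

    Anything that looks like review infrastructure or a desktop browser gets the benign calculator;
    a mobile visitor from a non-datacenter address gets the wallet-connect lure.
    """
    if looks_mobile(user_agent) and not looks_datacenter(ip):
        return "<html><title>WalletConnect</title><a href='wc:'>Connect wallet to verify</a></html>"
    return "<html><title>Mestox Calculator</title><input id='expr'><button>=</button></html>"


def normalize(body: str) -> str:
    """Collapse whitespace and blank out per-request values so cosmetic noise is not mistaken for cloaking."""
    body = re.sub(r"(?i)\b(nonce|csrf|_token|ts)=[^&\"'\s]+", r"\1=X", body)
    return re.sub(r"\s+", " ", body).strip()


def differential_fetch(fetch: Callable[[str, str], str], profiles: Iterable[Profile]) -> dict[str, list[Profile]]:
    """Fetch once per profile and group profiles by the digest of the normalized response."""
    groups: dict[str, list[Profile]] = {}
    for ip, user_agent in profiles:
        digest = hashlib.sha256(normalize(fetch(ip, user_agent)).encode()).hexdigest()[:16]
        groups.setdefault(digest, []).append((ip, user_agent))
    return groups


def cloaking_suspected(groups: dict[str, list[Profile]]) -> bool:
    """More than one distinct response for the same URL means the server is discriminating between visitors."""
    return len(groups) > 1


# Constructed vantage points: the last one is the profile the drainer was built to catch.
PROFILES: list[Profile] = [
    ("203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120"),   # reviewer-like: datacenter IP, headless desktop UA
    ("203.0.113.10", "Mozilla/5.0 (Linux; Android 14) Mobile Chrome/120"),     # datacenter IP, mobile UA
    ("192.0.2.77", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),                # residential-looking IP, desktop UA
    ("192.0.2.77", "Mozilla/5.0 (Linux; Android 14) Mobile Chrome/120"),       # residential-looking IP, mobile UA
]

if __name__ == "__main__":
    groups = differential_fetch(cloaking_site, PROFILES)
    print("cloaking suspected:", cloaking_suspected(groups))
    for digest, members in groups.items():
        print(digest, members)
```

Against a live site, `fetch` would be replaced by an HTTP client that actually egresses from each network; the point of the structure is that a single reviewer request, whatever its headers, can never distinguish a cloaked site from an honest one.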
Like other wallet-draining schemes, the counterfeit WalletConnect app prompted users to connect their wallets, a request that would not raise suspicion, since connecting wallets is exactly what the legitimate app does.
Users were then asked to grant various permissions to “verify their wallet.” These were not Android permissions but on-chain token approvals, which allowed the attacker’s address to “transfer the maximum amount of the specified asset.”
“The application retrieves the value of all assets in the victim’s wallets, first attempting to withdraw the more expensive tokens and then the cheaper ones,” the report explained.
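The “permission” a drainer asks for is usually an ERC-20 `approve` (or an NFT `setApprovalForAll`) whose spender is the attacker and whose amount is the maximum a `uint256` can hold, which is what makes “transfer the maximum amount” possible later. The following is an added example, not code from the report or from MS Drainer: it ABI-decodes the calldata a wallet is about to sign and lists the reasons a “verify your wallet” prompt should be refused. The four selectors are the standard ERC-20/ERC-721 ones; the wallet address, the attacker address and the allow-list of trusted spenders are constructed for the example, and `encode_call` exists only to build sample calldata.

```python
from typing import Any

MAX_UINT256 = 2**256 - 1

# Function selectors are the first four bytes of keccak256 over the canonical signature.
SELECTORS: dict[str, tuple[str, tuple[str, ...]]] = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}


def decode_call(data_hex: str) -> dict[str, Any]:
    """Split calldata into its selector and ABI-decoded static arguments."""
    data = bytes.fromhex(data_hex.removeprefix("0x"))
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"func": None, "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    words = data[4:]
    if len(words) != 32 * len(types):
        raise ValueError(f"{name}: expected {32 * len(types)} argument bytes, got {len(words)}")
    args: list[Any] = []
    for i, typ in enumerate(types):
        word = words[32 * i: 32 * i + 32]
        if typ == "address":
            if any(word[:12]):  # ABI left-pads a 20-byte address with zero bytes; anything else is malformed
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        else:  # bool
            args.append(int.from_bytes(word, "big") != 0)
    return {"func": name, "selector": selector, "args": args}


def encode_call(name: str, *args: Any) -> str:
    """ABI-encode one of the known calls; used here only to construct sample calldata."""
    selector, types = next((s, t) for s, (n, t) in SELECTORS.items() if n == name)
    out = bytes.fromhex(selector)
    for typ, arg in zip(types, args):
        if typ == "address":
            out += bytes(12) + bytes.fromhex(arg.removeprefix("0x"))
        elif typ == "uint256":
            out += int(arg).to_bytes(32, "big")
        else:
            out += int(bool(arg)).to_bytes(32, "big")
    return "0x" + out.hex()


def assess(data_hex: str, wallet: str, trusted_spenders: frozenset[str]) -> list[str]:
    """Return the reasons a 'verify your wallet' transaction should not be signed; empty means nothing obviously wrong."""
    call = decode_call(data_hex)
    func, args = call["func"], call["args"]
    if func is None:
        return [f"unknown selector {call['selector']}: refuse to sign what you cannot decode"]
    findings: list[str] = []
    if func == "approve":
        spender, amount = args
        if spender.lower() not in trusted_spenders:
            findings.append(f"approve: spender {spender} is not a known protocol contract")
        if amount >= 2**255:  # max-uint256 style allowance: lets the spender move everything, now and later
            findings.append("approve: allowance is effectively unlimited")
    elif func == "setApprovalForAll":
        operator, approved = args
        if approved:
            findings.append(f"setApprovalForAll: hands {operator} every token of this collection")
    elif func == "transfer":
        findings.append("transfer: proving ownership never requires moving funds")
    elif func == "transferFrom":
        src, _dst, _amount = args
        if src.lower() == wallet.lower():
            findings.append("transferFrom: moves funds out of this wallet")
    return findings


# Constructed addresses for the example; none of them is a real contract or victim.
WALLET = "0x" + "11" * 20
TRUSTED = frozenset({"0x" + "22" * 20})  # hypothetical allow-list of audited protocol contracts
ATTACKER = "0x" + "bb" * 20

if __name__ == "__main__":
    for label, data in [
        ("drainer 'verify' prompt", encode_call("approve", ATTACKER, MAX_UINT256)),
        ("ordinary DEX approval", encode_call("approve", "0x" + "22" * 20, 10**18)),
    ]:
        print(label, "->", assess(data, WALLET, TRUSTED) or ["ok"])
```

Two caveats a practitioner would want here: proving you control a wallet needs at most a signed message (`personal_sign` / EIP-191), never an on-chain transaction, so any “verification” that costs gas is already a red flag; and a check like this only helps if the wallet actually shows the raw calldata rather than a friendly summary, which is why the report stresses that the lure worked through legitimate-looking wallet prompts and deep links rather than through anything the OS could have blocked.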
“This incident underscores the increasing sophistication of cybercriminal tactics,” Check Point Research stated. “The malicious app did not depend on traditional attack vectors like permissions or keylogging. Instead, it utilized smart contracts and deep links to stealthily drain assets once users were deceived into using the app.”
The researchers emphasized that users must be cautious about the applications they download, even if they appear legitimate, and that app stores need to enhance their verification processes to prevent malicious apps.
“The crypto community must continue educating users about the risks associated with Web3 technologies,” they added. “This case illustrates how even seemingly harmless interactions can result in substantial financial losses.”