Mobile Users Targeted by Crypto Drainer Malware Disguised as WalletConnect App
Security researchers have recently uncovered a new threat in the form of crypto drainer malware specifically aimed at mobile users. This malicious software was discovered hidden within an app on Google Play by Check Point Research (CPR). The app, named WalletConnect, managed to accumulate over 10,000 downloads and siphon off approximately $70,000 worth of cryptocurrency from unsuspecting victims before it was eventually removed by Google.
First uploaded in March 2024, the malicious app was disguised as the legitimate open-source Web3 protocol WalletConnect. It remained undetected for five months by using redirects and user-agent checks to evade both automated scanners and manual searches.
Exploiting the Complexity of WalletConnect
WalletConnect was created to simplify connecting decentralized applications to crypto wallets. In practice, many users struggled with it because of wallet compatibility problems and outdated versions. The attackers behind the malicious WalletConnect app on Google Play exploited that confusion to lure users into downloading the counterfeit version.
After installation, the app prompted victims to link their crypto wallet, which silently redirected them to a malicious website. Users were then asked to verify the chosen wallet and approve a series of transactions; in the background, the app sent encrypted messages to a command-and-control (C&C) server, giving the operators details about the victim's wallet, the blockchain networks it used, and its addresses.
Deceptive Tactics and Concealed Theft
The crypto drainer malware was specifically designed to prioritize the withdrawal of more valuable crypto tokens before moving on to less valuable ones, executing this process across all relevant blockchain networks. Despite the significant financial losses incurred by victims, only a small fraction of affected individuals left negative reviews on Google Play. This suggests that there may still be numerous victims unaware of the theft of their funds.
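The approvals a victim grants during the "verify and authorize" step are what let a drainer pull tokens later, one token contract at a time. As an added illustration (not code from the original article or from Check Point Research), the following Python is a pre-signing check a wallet or browser extension could run over the batch of transaction requests a dapp session submits; it assumes the authorizations are ERC-20 approve() calls, which the article does not specify, and every address and calldata value below is constructed.

```python
from dataclasses import dataclass

APPROVE_SELECTOR = "095ea7b3"  # keccak256("approve(address,uint256)")[:4]
MAX_UINT256 = (1 << 256) - 1

@dataclass
class Finding:
    severity: str
    reason: str

def decode_approve(calldata: str):
    """Return (spender, amount) for an ERC-20 approve() call, else None."""
    data = calldata.lower().removeprefix("0x")
    # 4-byte selector followed by two 32-byte ABI words: address, uint256
    if len(data) != 136 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[32:72]  # address is right-aligned in its 32-byte word
    return spender, int(data[72:136], 16)

def review_session(txs, trusted_spenders, balances):
    """Flag risky approvals among the txs ({"to", "data"}) a dapp session asks the wallet to sign."""
    trusted = {s.lower() for s in trusted_spenders}
    findings, per_spender = [], {}
    for tx in txs:
        decoded = decode_approve(tx.get("data", ""))
        if decoded is None:
            continue
        spender, amount = decoded
        token = tx["to"].lower()
        per_spender[spender] = per_spender.get(spender, 0) + 1
        if spender not in trusted:
            findings.append(Finding("high", f"{token}: approval to unknown spender {spender}"))
        if amount == MAX_UINT256:
            findings.append(Finding("high", f"{token}: unlimited allowance requested"))
        elif amount > balances.get(token, 0):  # balances: {token: base units held}
            findings.append(Finding("medium", f"{token}: allowance exceeds wallet balance"))
    # A drainer works through the wallet's tokens one by one, so repeated
    # approvals to the same untrusted spender in one session are a signal in themselves.
    for spender, count in per_spender.items():
        if spender not in trusted and count > 1:
            findings.append(Finding("high", f"{count} approvals to untrusted {spender} in one session"))
    return findings

# Constructed sample session: unlimited approvals of two tokens to one unknown spender.
SPENDER = "0x" + "11" * 20
UNLIMITED_APPROVE = "0x" + APPROVE_SELECTOR + "00" * 12 + "11" * 20 + "ff" * 32
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
SAMPLE_TXS = [{"to": TOKEN_A, "data": UNLIMITED_APPROVE}, {"to": TOKEN_B, "data": UNLIMITED_APPROVE}]
SAMPLE_BALANCES = {TOKEN_A: 5_000, TOKEN_B: 10}
```

Running `review_session(SAMPLE_TXS, set(), SAMPLE_BALANCES)` on the constructed session yields five high-severity findings: an unknown spender and an unlimited allowance for each token, plus the repeated-approval pattern across the session.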
When negative reviews appeared, the operators flooded the app's page with fake positive reviews to bury the complaints and maintain the appearance of legitimacy. Google Play eventually took action and removed the malicious WalletConnect app from its platform.