Security researchers at Check Point Research (CPR) have uncovered crypto drainer malware aimed squarely at mobile users, hidden inside an app distributed through Google Play. The app, posing as WalletConnect, accumulated over 10,000 downloads and stole approximately $70,000 in cryptocurrency from unsuspecting victims before Google removed it from the platform.
First uploaded in March 2024, the malware was crafted to impersonate the legitimate open-source Web3 protocol WalletConnect and operated undetected for five months. Its developers took deliberate steps to evade both automated scanners and manual review: the app used redirects and user-agent checking so that security tooling and researchers saw harmless content while real mobile users were steered to the malicious flow.
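Redirect and user-agent cloaking of the kind described above can be tested for from the defender's side by requesting the same URL with several User-Agent strings and comparing where each request lands. The Python example below is added here and is not code from the Check Point report or from the app; it starts a constructed local HTTP server that imitates such cloaking (mobile browsers are redirected to a "connect wallet" page, everything else gets a benign page), then probes it with three constructed user-agent profiles and flags the divergence. The server, the paths and the user-agent strings are all assumptions made for the example.

```python
"""Probe one URL with several user agents and flag user-agent cloaking."""
import hashlib
import http.server
import threading
import urllib.error
import urllib.request

# Constructed user-agent profiles (assumed values for the example).
UA_PROFILES = {
    "desktop_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "android_chrome": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36",
    "scanner_curl": "curl/8.4.0",
}
MOBILE_MARKERS = ("Android", "iPhone", "Mobile")


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a cloaking site, NOT the real malicious server:
    mobile user agents are redirected to a wallet page, others see benign content."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if self.path == "/" and any(m in ua for m in MOBILE_MARKERS):
            self.send_response(302)
            self.send_header("Location", "/connect-wallet")
            self.end_headers()
            return
        if self.path == "/connect-wallet":
            body = b"<html><body>Connect your wallet to continue</body></html>"
        else:
            body = b"<html><body>Nothing to see here</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the constructed cloaking server to a free localhost port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 3xx itself is recorded as evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, user_agent, timeout=5):
    """Fetch url once with the given User-Agent; record status, Location and a body hash."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            digest = hashlib.sha256(resp.read()).hexdigest()[:12]
            return {"status": resp.status, "location": None, "body_hash": digest}
    except urllib.error.HTTPError as err:  # raised for the unfollowed 302
        return {"status": err.code, "location": err.headers.get("Location"), "body_hash": None}


def detect_cloaking(url, user_agents=UA_PROFILES):
    """Cloaking is suspected when the same URL yields different outcomes per user agent."""
    results = {name: probe(url, ua) for name, ua in user_agents.items()}
    fingerprints = {(r["status"], r["location"], r["body_hash"]) for r in results.values()}
    return {"cloaked": len(fingerprints) > 1, "results": results}


if __name__ == "__main__":
    server = start_server()
    report = detect_cloaking(f"http://127.0.0.1:{server.server_port}/")
    for name, r in report["results"].items():
        print(f"{name:15} status={r['status']} location={r['location']} body={r['body_hash']}")
    print("cloaking suspected:", report["cloaked"])
    server.shutdown()
```

Only the 302 and its Location header are compared here, so a site that serves the same status but varies the page body is caught by the body hash instead; in a real review the probes would also be repeated from a mobile network and with a mobile TLS fingerprint, since cloaking need not key on the User-Agent header alone.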
WalletConnect, the authentic application, was designed to streamline the connection between decentralized applications and crypto wallets. Despite its intended purpose, users encountered challenges due to compatibility issues with certain wallets and outdated versions. Exploiting these complexities, the attackers deceived users by offering a seemingly easy solution through the counterfeit WalletConnect app on Google Play.
After installing the malicious version, users were prompted to link their crypto wallet, which quietly redirected them to a malicious website. There they were asked to verify the selected wallet and authorize a series of transactions. Each user action sent an encrypted message to a command-and-control (C&C) server, which returned information about the user's wallet, the blockchain networks in use, and the relevant addresses.
The malware was programmed to withdraw the most valuable crypto tokens first before moving on to the rest, repeating the process across every relevant blockchain network. Despite the significant losses, only a small fraction of victims left negative reviews on Google Play, which suggests that many victims may still be unaware that their funds were stolen.
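The behaviour described in the two paragraphs above (a burst of authorization requests from one site, ordered by token value, spanning several chains and all benefiting one counterparty) is a pattern a wallet or a security-monitoring layer can look for in its own request log. The Python example below is added here and is not code from the report, from WalletConnect or from the malicious app; it runs a small heuristic over a constructed log of wallet requests in which one origin shows the drainer pattern and another is an ordinary single swap. The request fields, thresholds, origins and addresses are assumptions made for the example.

```python
"""Heuristic drainer-pattern detection over a wallet's own request log."""
from collections import defaultdict
from dataclasses import dataclass

# Methods that ask the user to sign or send something (subset, assumed for the example).
SIGNING_METHODS = {"eth_sendTransaction", "eth_signTypedData_v4", "eth_sign", "personal_sign"}


@dataclass
class WalletRequest:
    ts: int           # seconds since the session started
    origin: str       # site that made the request through the wallet bridge
    chain_id: int     # EVM chain id the request targets
    method: str       # JSON-RPC method name
    token: str        # asset involved (label only)
    usd_value: float  # value of the asset at request time, as the wallet estimates it
    to: str           # recipient or spender address in the request


# Constructed log: one origin behaving like a drainer, one doing a single swap.
DRAINER_ADDR = "0x" + "d" * 40   # placeholder, constructed for the example
ROUTER_ADDR = "0x" + "a" * 40    # placeholder, constructed for the example
SAMPLE_REQUESTS = [
    WalletRequest(0,  "https://verify.example", 1,   "eth_sendTransaction",  "USDT",  5000.0, DRAINER_ADDR),
    WalletRequest(15, "https://verify.example", 1,   "eth_signTypedData_v4", "WETH",  1200.0, DRAINER_ADDR),
    WalletRequest(30, "https://verify.example", 56,  "eth_sendTransaction",  "BNB",    300.0, DRAINER_ADDR),
    WalletRequest(45, "https://verify.example", 137, "eth_sendTransaction",  "MATIC",   40.0, DRAINER_ADDR),
    WalletRequest(10, "https://swap.example",   1,   "eth_sendTransaction",  "USDC",   100.0, ROUTER_ADDR),
    WalletRequest(12, "https://swap.example",   1,   "eth_chainId",          "-",        0.0, "-"),
]


def analyse_origin(reqs, window_s=120, min_requests=3):
    """Return the list of drainer indicators observed for one origin's signing requests."""
    reqs = sorted(reqs, key=lambda r: r.ts)
    reasons = []
    if len(reqs) >= min_requests and reqs[-1].ts - reqs[0].ts <= window_s:
        reasons.append(f"{len(reqs)} authorization requests within {window_s}s")
    values = [r.usd_value for r in reqs]
    if len(values) >= 3 and all(a >= b for a, b in zip(values, values[1:])):
        reasons.append("requests ordered by descending token value")
    chains = {r.chain_id for r in reqs}
    if len(chains) > 1:
        reasons.append(f"requests span {len(chains)} chains")
    counterparties = {r.to for r in reqs}
    if len(reqs) >= 3 and len(counterparties) == 1:
        reasons.append(f"every request benefits the same address {next(iter(counterparties))}")
    return reasons


def find_drainer_sessions(requests, min_reasons=2, **kwargs):
    """Group signing requests by origin and report origins with at least min_reasons indicators."""
    by_origin = defaultdict(list)
    for r in requests:
        if r.method in SIGNING_METHODS:
            by_origin[r.origin].append(r)
    findings = {}
    for origin, reqs in by_origin.items():
        reasons = analyse_origin(reqs, **kwargs)
        if len(reasons) >= min_reasons:
            findings[origin] = reasons
    return findings


if __name__ == "__main__":
    for origin, reasons in find_drainer_sessions(SAMPLE_REQUESTS).items():
        print(origin)
        for reason in reasons:
            print("  -", reason)
```

The heuristic is deliberately conservative: a single large transfer or a one-off approval to a swap router produces no finding, while the drainer pattern trips four indicators at once. In a real wallet the natural response is to pause the session and show the user the counterparty and the cumulative value before any further signature is collected.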
To counter the negative reviews, the malware developers flooded the app's page with fabricated positive reviews, burying the genuine complaints and preserving the appearance of legitimacy. Google Play eventually removed the malicious application to prevent further harm. The incident is a stark reminder of how the threat landscape facing mobile cryptocurrency users continues to evolve.