WalletConnect-Passing Crypto Cyber Scam App Steals $70K Over the Course of Five Months


Researchers studying cybersecurity have found a malicious Android app on the Google Play Store that allowed its creators to steal around $70,000 in cryptocurrencies from victims over the course of almost five months.

The malicious application, detected by Check Point, tricked unsuspecting users into downloading it by posing as the official WalletConnect open-source protocol.

“Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results,” the cybersecurity firm said in its research, adding that this is the first instance of a bitcoin drainer that has exclusively targeted mobile device users.

It is estimated that more than 150 users have been duped by the scheme, although not every user who downloaded the software is thought to have been affected by the cryptocurrency drainer.

The campaign involved distributing a deceptive app that went by several names, such as “Mestox Calculator,” “WalletConnect—DeFi & NFTs,” and “WalletConnect—Airdrop Wallet” (co.median.android.rxqnqb).

The app was tied to a developer by the name of UNS LIS and was popular in Nigeria, Portugal, and Ukraine, according to data from app analytics firm Sensor Tower, even though it is no longer available for download from the official app marketplace.

Additionally, the creator is linked to another Android software named “Uniswap DeFI” (com.lis.uniswapconverter), which was available on the Play Store for roughly a month between May and June of 2023. Whether the program contained any harmful functionality is unknown at this time.

The fact that both programs are available for download from unaffiliated app stores serves as further evidence of the dangers associated with obtaining APK files from unofficial sources.

After installation, users of the fake WalletConnect app are redirected to a fake website selected on the basis of their IP address and User-Agent string; if they do not match the expected profile, they are redirected to another website that mimics Web3Inbox.

In order to avoid detection, users who don’t fit the requirements—such as those who access the URL through a desktop web browser—are redirected to a reputable website. This essentially allows the threat actors to go around the Play Store’s app approval process.

The core of the malware is a cryptocurrency drainer called MS Drainer, which takes precautions against analysis and debugging and asks users to connect their wallet and sign a series of transactions, supposedly to validate the wallet.

The information the victim enters at each stage is sent to a command-and-control server (cakeserverl.lonline). The attackers use this server to send instructions back to the device, directing it to initiate malicious transactions and move the funds to their wallet address.

“Similar to the theft of native cryptocurrency, the malicious app first tricks the user into signing a transaction in their wallet,” Check Point researchers said.

“Through this transaction, the victim grants permission for the attacker’s address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the ‘Address’ field in the configuration) to transfer the maximum amount of the specified asset (if allowed by its smart contract).”

The tokens from the victim’s wallet are then moved to an attacker-controlled wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) in the following step.

This implies that the attackers can continue to take advantage of the digital assets as soon as they appear without the victim having to take any additional action, provided that the victim does not remove authorization to withdraw tokens from their wallet.
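The approval step described above is an ordinary ERC-20 `approve(spender, amount)` call, and the defence the text alludes to is revoking that allowance. The following added example (not Check Point's code or the app's) decodes `approve()` calldata so a wallet or reviewer can flag an unlimited allowance to an unknown spender before signing, and builds the zero-amount `approve()` that revokes it; the trusted-spender list and the amount cap are assumed wallet policy, and the sample calldata is constructed here using the attacker address quoted on the page.

```python
# Added example: inspect ERC-20 approve() calldata before signing, and build the revoke call.
from dataclasses import dataclass
from typing import List, Optional

APPROVE_SELECTOR = "095ea7b3"        # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = (1 << 256) - 1        # "unlimited" allowance, the value drainers typically request

@dataclass
class Approval:
    spender: str   # lowercase 0x-prefixed address
    amount: int

def decode_approve(calldata: str) -> Optional[Approval]:
    """Return spender/amount for an approve() call, or None if the calldata is something else."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:  # an address argument is left-padded with 12 zero bytes
        return None
    return Approval("0x" + spender_word[24:], int(amount_word, 16))

def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount)."""
    s = spender.lower()
    s = s[2:] if s.startswith("0x") else s
    return "0x" + APPROVE_SELECTOR + s.rjust(64, "0") + format(amount, "064x")

def revoke_calldata(spender: str) -> str:
    """approve(spender, 0) removes the standing allowance the drainer relies on."""
    return encode_approve(spender, 0)

def assess_approval(calldata: str, trusted_spenders: List[str], max_sane_amount: int) -> List[str]:
    """Return warnings for a wallet to show; an empty list means the approve() looks routine."""
    approval = decode_approve(calldata)
    if approval is None:
        return ["not an ERC-20 approve() call"]
    warnings = []
    if approval.spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {approval.spender} is not a known contract")
    if approval.amount == MAX_UINT256:
        warnings.append("unlimited allowance (max uint256) requested")
    elif approval.amount > max_sane_amount:
        warnings.append(f"allowance {approval.amount} exceeds the configured cap")
    return warnings

# Constructed sample: unlimited approval to the attacker address quoted by Check Point.
ATTACKER_SPENDER = "0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF"
CONSTRUCTED_CALLDATA = encode_approve(ATTACKER_SPENDER, MAX_UINT256)
```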

Check Point said it has also discovered a second malicious app with comparable functionality called “Walletconnect | Web3Inbox” (co.median.android.kaebpq), which was available earlier on the Google Play Store, in February 2024.

It attracted more than 5,000 downloads.

“This incident highlights the growing sophistication of cybercriminal tactics, particularly in the realm of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets,” the company noted.

“The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app.”
