Cybersecurity researchers have discovered a malicious Android application on the Google Play Store that enabled cybercriminals to steal approximately $70,000 worth of cryptocurrency from victims over a period of nearly five months.
The dubious app, which posed as the open-source WalletConnect protocol, deceived users by passing itself off as a reputable option, ultimately tricking them into installing it.
The cybersecurity firm Verify Level notes that “faux opinions and persistent branding” enabled the app to garner over 10,000 downloads and significantly improved its search ranking. This is described as the first instance of crypto-draining malware targeting mobile device users directly.
More than 150 victims are thought to have fallen prey to the scam, and the actual number may be higher, as it is unclear how many of the users who downloaded the app were affected by the cryptocurrency-draining malware.
The campaign involved distributing a deceptive app that went by a number of names, including “Mestox Calculator,” “WalletConnect – DeFi & NFTs,” and “WalletConnect – Airdrop Pockets” (co.median.android.rxqnqb).
Although the app is no longer available for download from the official app store, data from SensorTower indicates it once gained popularity in Nigeria, Portugal, and Ukraine, with ties to a developer credited as.
The developer is also linked to another Android app, “Uniswap DeFi” (com.lis.uniswapconverter), which was available on the Google Play Store from May to June 2023, although it is currently unclear whether that app exhibited any malicious behavior.
Despite their removal from the official store, the apps can still be downloaded from third-party sources, underscoring the risks associated with acquiring APK files from alternative marketplaces.
Once an unsuspecting user installs the fake WalletConnect app, it is engineered to redirect them, based on their IP address and User-Agent string, to a fraudulent website, which then reroutes them to a phishing site masquerading as Web3Inbox.
To circumvent Google’s app review process, users who do not meet the required criteria, along with those accessing the site from desktop web browsers, are redirected to a legitimate-looking website instead.
Beyond disabling inspection and debugging features, the malware’s primary component is a cryptocurrency drainer, commonly referred to as MS Drainer, which prompts users to connect their wallets and sign multiple transactions in order to “verify” their funds.
The information entered by the victim at each stage is transmitted to a command-and-control server (cakeserver[.]online), which subsequently dispatches a response containing instructions to initiate malicious transactions on the device and redirect the funds to a wallet address controlled by the attackers.
According to Verify Level researchers, “the malicious app deceives users by inducing them to sign a transaction from their digital wallets, mirroring tactics used in the theft of native cryptocurrencies.”
“The transaction enables the attacker, through permission granted by the sufferer, to execute a specific smart contract function (‘Tackle’) with address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF, which allows for the transfer of up to a certain quantity of the designated asset, subject to any contractual limitations.”
Once this step is complete, the attacker transfers the victim’s digital assets to a wallet address under their control, specifically 0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1.
Moreover, the granted approval enables the attackers to continue draining a victim’s digital assets without any further action on the victim’s part, as long as the user does not revoke the permission that allows token withdrawals from their wallet.
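The approval described above is what a wallet could inspect before the user signs. The following is an added example, not code from the article or from Verify Level: it decodes the calldata of an EVM transaction, recognises the standard ERC-20 `approve` and ERC-721 `setApprovalForAll` selectors, and flags an unlimited allowance or an unknown spender; the spender in the constructed sample is the contract address quoted in the article, and the trusted-spender list is an assumption.

```python
# Added example (not from the article): decode EVM calldata and flag token
# approval requests of the kind MS Drainer asks victims to sign.
MAX_UINT256 = 2**256 - 1

# Function selectors (first 4 bytes of keccak256 of the signature); these are
# the standard values for the ERC-20 / ERC-721 approval functions.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * i
    return data[start:start + 32]

def decode_approval(calldata_hex: str):
    """Return the decoded approval, or None if this is not an approval call."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    sig = SELECTORS.get(data[:4].hex())
    if sig is None or len(data) < 4 + 64:
        return None
    spender = "0x" + _word(data, 0)[12:].hex()   # address is the low 20 bytes
    raw = int.from_bytes(_word(data, 1), "big")
    if sig.startswith("setApprovalForAll"):
        return {"function": sig, "spender": spender, "all": raw == 1}
    return {"function": sig, "spender": spender, "amount": raw}

def assess(calldata_hex: str, trusted_spenders: set) -> list:
    """Warnings a wallet could show before the user signs (assumed policy)."""
    d = decode_approval(calldata_hex)
    if d is None:
        return []
    warnings = []
    if d["spender"].lower() not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"{d['function']}: spender {d['spender']} is not a known contract")
    if d.get("amount") == MAX_UINT256:
        warnings.append("unlimited allowance requested; remains valid until revoked")
    if d.get("all"):
        warnings.append("approval for ALL tokens of this collection requested")
    return warnings

def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata, used here only to construct sample inputs."""
    return "0x095ea7b3" + spender.removeprefix("0x").lower().rjust(64, "0") + amount.to_bytes(32, "big").hex()

# Constructed sample: an unlimited approval to the contract address named in the article.
DRAINER_CONTRACT = "0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF"
SAMPLE_CALLDATA = encode_approve(DRAINER_CONTRACT, MAX_UINT256)

if __name__ == "__main__":
    for w in assess(SAMPLE_CALLDATA, trusted_spenders=set()):
        print("WARNING:", w)
```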
Verify Level stated that it also identified another malicious app, “WalletConnect | Web3 Inbox” (co.median.android.kaebpq), which was previously available on the Google Play Store in February 2022 and was downloaded more than 5,000 times.
The incident underscores the escalating sophistication of cybercrime tactics, particularly in the realm of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets.
The app exploited a novel attack surface, sidestepping traditional techniques such as permission abuse and keystroke logging. Instead, it relied on smart contracts and misleading links to quietly siphon off the assets of users who fell prey to its deceit.