Beware of THIS Crypto Wallet Drainer App On Google Play Store That Could Steal All Your Assets

The fake app, which has since been removed from the platform, accumulated over 10,000 downloads and was prominently featured in search results for "WalletConnect".

A recent investigation by Check Point Research (CPR) has unveiled a fraudulent app disguised as the widely-used WalletConnect tool on the Google Play Store. The app, identified as "MS Drainer," has reportedly siphoned off approximately $70,000 (around Rs 58.6 lakh) from unsuspecting cryptocurrency users over a five-month period, employing sophisticated evasion tactics to do so.

According to the CPR report, this incident marks a notable shift, as it represents the first instance of a crypto-draining application exclusively targeting mobile users. The malicious actors leveraged the credibility of the WalletConnect protocol, which facilitates connections between crypto wallets and decentralised applications (dApps), to present their app as a legitimate resource for Web3 users.

The fake app, which has since been removed from the platform, accumulated over 10,000 downloads and was prominently featured in search results for "WalletConnect" due to a series of manipulated reviews flagged by CPR as fraudulent.

What Is WalletConnect?

WalletConnect is an open-source protocol designed to link decentralised applications with crypto wallets through QR codes, enabling users to engage with blockchain applications securely without compromising their private keys.

The fake WalletConnect app, initially launched under the name "Mestox Calculator" on March 21, 2024, was constructed using the web service Median.co and has undergone several name changes since its debut. 

CPR's report notes that inexperienced users might mistake the app for a legitimate wallet, leading them to download it under the assumption that it is necessary for connecting to certain dApps. The attackers exploit this confusion, aiming to attract users searching for WalletConnect on app stores.

How Does The App Work?

Once installed, the counterfeit app urges users to link their crypto wallets. Clicking on wallet connection buttons redirects users to a malicious site via deep links, where they are prompted to approve multiple transactions, unknowingly permitting fraudulent activities.

CPR explains, “Users likely install this malicious app to facilitate connections to Web3 applications that don’t support direct integration with wallets like MetaMask, Binance Wallet, or Trust Wallet, expecting it to act as an intermediary. Consequently, the connection request seems harmless.”

The report underscores the increasing sophistication of cybercriminal tactics targeting the crypto industry, currently valued at approximately $2.27 trillion (around Rs 1.90 lakh crore). CPR emphasises the importance of exercising caution when downloading apps, even those that appear legitimate.

In a related context, a 2023 report by Sophos highlighted that crypto scammers have been targeting Android users with AI tools and exploiting Google Search advertisements to promote scam sites.
