Security researchers have for the first time found crypto drainer malware exclusively targeting mobile users, after discovering it hidden in an app on Google Play.
Check Point Research (CPR) said the app in question, WalletConnect, accrued over 10,000 downloads and stole around $70,000 in cryptocurrency from victims, until it was removed by Google.
First uploaded in March 2024, it was designed to mimic the legitimate Web3 open-source protocol WalletConnect, and apparently went undetected for five months.
It was developed to avoid detection by both automated systems and manual searches, through redirects and user-agent checking techniques.
The legitimate WalletConnect was developed to make it easier to connect decentralized applications with crypto wallets. However, users still find it challenging because not all wallets support it and some don’t have the latest version, CPR said.
“Cleverly, attackers exploited the complications of WalletConnect and tricked users into thinking that there was an easy solution – the falsified WalletConnect app on Google Play,” it continued.
When victims download the malicious version, they’re prompted to connect their crypto wallet, which covertly directs it to a malicious website.
“Users then must verify the selected wallet and are asked to authorize several transactions,” explained CPR.
“Each user action sends encrypted messages to the command-and-control (C&C) server and retrieves details about the user’s wallet, blockchain networks and addresses.”
The malware was apparently designed to withdraw the more expensive crypto tokens first before moving on to the others, performing the process across all relevant blockchain networks.
“Only 20 users whose money was stolen left negative reviews on Google Play, suggesting that there are still many victims who may still be unaware of what happened to their money,” CPR warned.
“When the app received such negative reviews, the malware developers deviously flooded the page with fake positive reviews instead to mask the negative reviews, and make the app appear legitimate, to mislead other potential victims. Google Play has since removed the application.”