Cybersecurity researchers have found a malicious Android app on the Google Play Retailer that enabled the menace actors behind it to steal roughly $70,000 in cryptocurrency from victims over a interval of practically 5 months.
The dodgy app, recognized by Verify Level, masqueraded because the reliable WalletConnect open-source protocol to trick unsuspecting customers into downloading it.
“Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results,” the cybersecurity firm mentioned in an evaluation, including it is the primary time a cryptocurrency drainer has solely focused cellular system customers.
Over 150 customers are estimated to have fallen sufferer to the rip-off, though it is believed that not all customers who downloaded the app have been impacted by the cryptocurrency drainer.
The marketing campaign concerned distributing a misleading app that glided by a number of names comparable to “Mestox Calculator,” “WalletConnect – DeFi & NFTs,” and “WalletConnect – Airdrop Wallet” (co.median.android.rxqnqb).
Whereas the app is now not obtainable for obtain from the official app market, information from SensorTower exhibits that it was fashionable in Nigeria, Portugal, and Ukraine, and linked to a developer named UNS LIS.
The developer has additionally been related to one other Android app referred to as “Uniswap DeFI” (com.lis.uniswapconverter) that remained lively on the Play Retailer for a couple of month between Could and June 2023. It is presently not recognized if the app had any malicious performance.
Nonetheless, each apps may be downloaded from third-party app retailer sources, as soon as once more highlighting the dangers posed by downloading APK information from different marketplaces.
As soon as put in, the pretend WallConnect app is designed to redirect customers to a bogus web site based mostly on their IP handle and Consumer-Agent string, and in that case, redirect them a second time to a different website that mimics Web3Inbox.
Customers who do not meet the required standards, together with those that go to the URL from a desktop net browser, are taken to a reliable web site to evade detection, successfully permitting the menace actors to bypass the app assessment course of within the Play Retailer.
In addition to taking steps to forestall evaluation and debugging, the core part of the malware is a cryptocurrency drainer referred to as MS Drainer, which prompts customers to attach their pockets and signal a number of transactions to confirm their pockets.
The data entered by the sufferer in every step is transmitted to a command-and-control server (cakeserver[.]on-line) that, in flip, sends again a response containing directions to set off malicious transactions on the system and switch the funds to a pockets handle belonging to the attackers.
“Similar to the theft of native cryptocurrency, the malicious app first tricks the user into signing a transaction in their wallet,” Verify Level researchers mentioned.
“Through this transaction, the victim grants permission for the attacker’s address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the ‘Address’ field in the configuration) to transfer the maximum amount of the specified asset (if allowed by its smart contract).”
Within the subsequent step, the tokens from the sufferer’s pockets are transferred to a distinct pockets (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) managed by the attackers.
This additionally signifies that if the sufferer doesn’t revoke the permission to withdraw tokens from their pockets, the attackers can hold withdrawing the digital property as quickly as they seem with out requiring any additional motion.
Verify Level mentioned it additionally recognized one other malicious app exhibiting related options “Walletconnect | Web3Inbox” (co.median.android.kaebpq) that was beforehand obtainable on Google Play Retailer in February 2024. It attracted greater than 5,000 downloads.
“This incident highlights the growing sophistication of cybercriminal tactics, particularly in the realm of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets,” the corporate famous.
“The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app.”
