A fraudulent cryptocurrency wallet app on Google Play has reportedly stolen $70,000 from users in a sophisticated scam that has been described as a world-first for targeting mobile users exclusively.
The malicious app, named WalletConnect, mimicked the reputable WalletConnect protocol but was, in fact, a sophisticated scheme to drain crypto wallets.
The app tricked more than 10,000 users into downloading it, according to Check Point Research (CPR), the cybersecurity firm that uncovered the scam.
Scammers Market Fraudulent App as Solution to Web3 Issues
The scammers behind the app were well aware of the typical challenges faced by web3 users, such as compatibility issues and the lack of widespread support for WalletConnect across different wallets.
They cleverly marketed the fraudulent app as a solution to these problems, taking advantage of the absence of an official WalletConnect app on the Play Store.
Coupled with a slew of fake positive reviews, the app appeared legitimate to unsuspecting users.
While the app was downloaded over 10,000 times, CPR’s investigation identified transactions linked to more than 150 crypto wallets, indicating the number of individuals who actually fell victim to the scam.
Once installed, the app prompted users to link their wallets, claiming to offer secure and seamless access to web3 applications.
However, as users authorized transactions, they were redirected to a malicious website that harvested their wallet details, including the blockchain network and known addresses.
Exploiting the mechanics of smart contracts, the attackers were able to initiate unauthorized transfers, siphoning off valuable cryptocurrency tokens from the victims’ wallets.
The total haul from this operation was estimated to be around $70,000.
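The article does not say which smart-contract mechanism the drainer relied on; the usual one for this class of scam is a token allowance (an ERC-20 approval) granted to an attacker-controlled spender when the victim signs what looks like a harmless "connect wallet" transaction, after which the attacker can call transferFrom at will. The check a defender wants after an incident like this is an audit of the wallet's outstanding allowances. The code below is an added example, not code from the article, Check Point Research, or the WalletConnect project; it runs offline over a constructed stream of Approval events (the token, wallet and spender addresses are invented placeholders, and the "trusted spender" list is an assumption the reader would replace with contracts they actually use) and flags unlimited allowances and allowances held by unknown spenders.

```python
from dataclasses import dataclass

# Value used by "infinite" ERC-20 approvals (2**256 - 1); a drainer only needs one of these.
UNLIMITED = 2**256 - 1

# Spenders the wallet owner knowingly uses. Constructed placeholder, not a real contract;
# in practice this would be the DEX routers and bridges the owner actually interacts with.
ROUTER = "0xROUTER_PLACEHOLDER_0000000000000000000001"
TRUSTED_SPENDERS = {ROUTER}

# Constructed placeholder addresses for the sample data below.
VICTIM = "0xVICTIM_PLACEHOLDER_0000000000000000000001"
DRAINER = "0xDRAINER_PLACEHOLDER_000000000000000000001"
TOKEN_A = "0xTOKEN_A_PLACEHOLDER_000000000000000000001"
TOKEN_B = "0xTOKEN_B_PLACEHOLDER_000000000000000000001"
TOKEN_C = "0xTOKEN_C_PLACEHOLDER_000000000000000000001"


@dataclass
class Approval:
    """One ERC-20 Approval(owner, spender, value) event, as decoded from a token's log."""
    token: str
    owner: str
    spender: str
    value: int
    block: int


def latest_allowances(events):
    """Reduce an Approval event stream to the most recent value per (token, owner, spender).

    approve() overwrites rather than accumulates, so only the last event for each
    triple reflects the allowance that is currently live on chain.
    """
    latest = {}
    for ev in sorted(events, key=lambda e: e.block):
        latest[(ev.token, ev.owner, ev.spender)] = ev
    return latest


def audit(events, trusted=TRUSTED_SPENDERS):
    """Return the live allowances a wallet owner should review, with the revoke call for each."""
    trusted_lc = {s.lower() for s in trusted}
    findings = []
    for (token, owner, spender), ev in latest_allowances(events).items():
        if ev.value == 0:
            continue  # already revoked, nothing for an attacker to spend
        reasons = []
        if ev.value == UNLIMITED:
            reasons.append("unlimited allowance")
        if spender.lower() not in trusted_lc:
            reasons.append("unknown spender")
        if reasons:
            findings.append({
                "token": token,
                "owner": owner,
                "spender": spender,
                "value": ev.value,
                "reasons": reasons,
                # Revoking is a zero-value approve to the same spender on the same token.
                "action": f"call approve({spender}, 0) on {token}",
            })
    return findings


# Constructed sample event stream: a capped approval to a known router, an unlimited
# approval to the router, a drainer approval that was later revoked, and a live
# unlimited approval to the drainer.
SAMPLE_EVENTS = [
    Approval(TOKEN_A, VICTIM, ROUTER, 1000 * 10**18, block=100),
    Approval(TOKEN_C, VICTIM, ROUTER, UNLIMITED, block=120),
    Approval(TOKEN_B, VICTIM, DRAINER, UNLIMITED, block=150),
    Approval(TOKEN_B, VICTIM, DRAINER, 0, block=160),
    Approval(TOKEN_A, VICTIM, DRAINER, UNLIMITED, block=200),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(f"{finding['token']} -> {finding['spender']}: "
              f"{', '.join(finding['reasons'])}; {finding['action']}")
```

Run against real data, the events would come from a node's eth_getLogs filtered on the Approval topic and the owner address; the reduction and flagging logic stays the same. An unlimited allowance to a contract the owner does use still deserves a look, because the compromised-spender case is exactly how a drainer keeps access after the app is gone.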
Despite the app’s malicious intent, only 20 victims left negative reviews on the Play Store, which were quickly overshadowed by numerous fake positive reviews.
This allowed the app to remain undetected for five months until its true nature was exposed and it was removed from the platform in August.
“This incident serves as a wake-up call for the entire digital asset community,” said Alexander Chailytko, cybersecurity, research, and innovation manager at CPR.
He emphasized the need for advanced security solutions to prevent such sophisticated attacks, urging both users and developers to take proactive steps to secure their digital assets.
Google Removes Malicious Versions of App Flagged by CPR
Google, in response to these findings, stated that all malicious versions of the app identified by CPR were removed before the report’s publication.
The tech giant highlighted that its Google Play Protect feature is designed to automatically protect Android users against known threats, even when they stem from outside the Play Store.
The incident follows a recent campaign exposed by Kaspersky, in which 11 million Android users unknowingly downloaded apps infected with Necro malware, resulting in unauthorized subscription charges.
In a separate campaign, scammers are using automated email replies to compromise systems and deliver stealthy crypto mining malware.
This comes on the heels of another malware threat identified in August.
The “Cthulhu Stealer,” which affects macOS systems, similarly disguises itself as legitimate software and targets personal information, including MetaMask passwords, IP addresses, and cold wallet private keys.