Fake Wallet App Gets 10,000 Downloads on Google Play and Steals $70,000 in Cryptocurrencies
A fraudulent cryptocurrency wallet app on Google Play has reportedly stolen about $70,000 from users in a scam described as the first of its kind to target mobile users exclusively.
The malicious app, called WalletConnect, borrowed the name of the legitimate WalletConnect protocol (an open protocol for linking wallets to web3 applications), but was in fact an elaborate scheme to drain the wallets that users connected to it.
According to Check Point Research (CPR), the cybersecurity company that uncovered the scam, the fraudulent app managed to trick more than 10,000 users into downloading it.
Fraudsters market fraudulent app as solution to Web3 problems
The scammers behind the app were well aware of the typical problems faced by Web3 users, such as compatibility issues and the lack of support for WalletConnect by various wallets.
They cleverly marketed the fraudulent app as a solution to these problems and took advantage of the lack of an official WalletConnect app in the Play Store.
Combined with a number of fake positive reviews, the app appeared legitimate to unsuspecting users.
While the app was downloaded over 10,000 times, the CPR investigation identified transactions linked to more than 150 crypto wallets, which gives a better measure of how many users actually lost funds to the scam.
Once installed, the app asked users to link their wallets and claimed to provide secure and seamless access to web3 applications.
However, once users linked a wallet, the app redirected them to a malicious website that collected their wallet details, including the selected blockchain network and wallet addresses, and then prompted them to authorize transactions.
By getting victims to sign transactions that granted permission to move their tokens (the standard token-approval mechanics of smart contracts, not any flaw in the blockchain itself), the attackers were able to initiate unauthorized transfers and withdraw valuable cryptocurrency tokens from victims' wallets.
The total loot from this operation was estimated at about $70,000.
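The drain flow described above depends on the victim signing an approval transaction without understanding what it grants. The following is an added example, not code from the fraudulent app, from WalletConnect or from Check Point Research, of the pre-signing check a wallet (or a cautious user with a console) can run on the calldata a dapp asks it to sign: it decodes the standard ERC-20/ERC-721 approval and transfer calls and flags approvals to spenders the user never chose, unlimited allowances, and calls to unrecognized functions. The token contract, the "attacker" and "router" addresses, and the known-address list are constructed for the example.

```javascript
// Added example (not the scam app's, WalletConnect's or CPR's code): decode the
// calldata of an ERC-20 transaction a dapp asks the wallet to sign, and flag the
// approval patterns a wallet drainer relies on. Selectors are the standard
// ERC-20/ERC-721 function selectors; all addresses and amounts are constructed.

const SELECTORS = {
  '0x095ea7b3': 'approve',           // approve(address spender, uint256 amount)
  '0xa9059cbb': 'transfer',          // transfer(address to, uint256 amount)
  '0x23b872dd': 'transferFrom',      // transferFrom(address from, address to, uint256 amount)
  '0xa22cb465': 'setApprovalForAll', // setApprovalForAll(address operator, bool approved)
};

const UINT256_MAX = (1n << 256n) - 1n;

// Return the i-th 32-byte ABI word that follows the 4-byte selector.
function word(data, i) {
  const w = data.slice(8 + i * 64, 8 + (i + 1) * 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return w;
}

// ABI-encoded addresses occupy the low 20 bytes of a 32-byte word.
const toAddress = (w) => '0x' + w.slice(24);
const toUint = (w) => BigInt('0x' + w);

function decodeCalldata(hexData) {
  const data = hexData.toLowerCase().replace(/^0x/, '');
  if (data.length < 8) return { fn: null, selector: null }; // plain value transfer
  const selector = '0x' + data.slice(0, 8);
  const fn = SELECTORS[selector] || null;
  switch (fn) {
    case 'approve':
      return { fn, selector, spender: toAddress(word(data, 0)), amount: toUint(word(data, 1)) };
    case 'transfer':
      return { fn, selector, to: toAddress(word(data, 0)), amount: toUint(word(data, 1)) };
    case 'transferFrom':
      return { fn, selector, from: toAddress(word(data, 0)), to: toAddress(word(data, 1)), amount: toUint(word(data, 2)) };
    case 'setApprovalForAll':
      return { fn, selector, operator: toAddress(word(data, 0)), approved: toUint(word(data, 1)) !== 0n };
    default:
      return { fn: null, selector };
  }
}

// Rate a pending transaction request. `knownAddresses` holds the lowercase
// spenders and recipients the user has deliberately chosen to interact with.
function assessTransaction(tx, knownAddresses) {
  const d = decodeCalldata(tx.data || '0x');
  const warnings = [];
  const unknown = (a) => !knownAddresses.has(a);

  if (d.fn === 'approve') {
    if (unknown(d.spender)) warnings.push(`approve: spender ${d.spender} is not a known address`);
    if (d.amount === UINT256_MAX) warnings.push('approve: unlimited allowance requested');
  } else if (d.fn === 'setApprovalForAll') {
    if (d.approved && unknown(d.operator)) warnings.push(`setApprovalForAll: operator ${d.operator} gets control of every token in ${tx.to}`);
  } else if (d.fn === 'transfer' || d.fn === 'transferFrom') {
    if (unknown(d.to)) warnings.push(`${d.fn}: recipient ${d.to} is not a known address`);
  } else if (d.selector !== null) {
    warnings.push(`unrecognized selector ${d.selector}; do not blind-sign`);
  }

  const risk = warnings.length === 0 ? 'low'
    : (d.fn === 'approve' || d.fn === 'setApprovalForAll') ? 'high' : 'medium';
  return { decoded: d, risk, warnings };
}

// Constructed sample: a site reached through the wallet link asks for an
// unlimited approval of token 0x22..22 to an address the user never chose.
const ATTACKER = '0x' + '11'.repeat(20);   // constructed
const TOKEN = '0x' + '22'.repeat(20);      // constructed
const DEX_ROUTER = '0x' + 'aa'.repeat(20); // constructed; an address the user does trust
const pad = (addr) => addr.slice(2).padStart(64, '0');

const drainerApprove = { to: TOKEN, data: '0x095ea7b3' + pad(ATTACKER) + 'f'.repeat(64) };
const legitimateApprove = {
  to: TOKEN,
  data: '0x095ea7b3' + pad(DEX_ROUTER) + (10n ** 18n).toString(16).padStart(64, '0'),
};

const known = new Set([DEX_ROUTER]);
console.log(assessTransaction(drainerApprove, known));    // risk: 'high', two warnings
console.log(assessTransaction(legitimateApprove, known)); // risk: 'low', no warnings
```

The check only covers the basic approval and transfer calls; a real wallet would also decode permit-style signatures and contract-specific methods, but the principle is the same: decode what is being signed and refuse to blind-sign an approval to an address the user did not select.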
Despite the losses, only around 20 victims left negative reviews on the Play Store, and these were quickly buried under numerous fake positive reviews.
This allowed the app to stay on the store for about five months before its true nature was exposed and it was removed from the platform in August.
“This incident is a wake-up call for the entire digital asset community,” said Alexander Chailytko, manager of cybersecurity, research and innovation at CPR.
He stressed the need for advanced security solutions to prevent such sophisticated attacks and urged both users and developers to take proactive steps to protect their digital assets.
Google removes malicious versions of the app identified by CPR
In response to these findings, Google stated that all malicious versions of the app identified by CPR were removed prior to the report’s publication.
The tech giant stressed that its Google Play Protect feature is designed to protect Android users automatically from known threats, including apps installed from outside the Play Store.
The incident follows a recent campaign uncovered by Kaspersky in which 11 million Android users unknowingly downloaded apps infected with Necro malware, resulting in unauthorized subscription charges.
In a separate campaign, scammers have been abusing automated email replies to compromise systems and quietly distribute crypto-mining malware.
This follows another malware threat discovered in August: "Cthulhu Stealer," which targets macOS systems, also disguises itself as legitimate software and harvests personal data, including MetaMask passwords, IP addresses, and private keys for cold wallets.