Deceptive Cryptocurrency Application Posed as WalletConnect Swipes $70,000 in Five-Month Operation

Sep 28, 2024Ravie LakshmananCryptocurrency / Mobile Security


Cybersecurity experts have stumbled upon a malevolent Android application on the Google Play Store that enabled the cybercriminals behind it to pilfer approximately $70,000 in digital currency from victims over a span of almost five months.

The shady application, uncovered by Check Point, impersonated the bona fide WalletConnect open-source protocol to deceive unsuspecting users into downloading it.

“By leveraging fabricated reviews and a consistent brand image, the application managed to amass over 10,000 downloads by securing a high spot in search results,” the cybersecurity firm mentioned in an examination, marking the first instance of a digital currency drainer explicitly targeting mobile device users.

An estimated 150+ users are thought to have been ensnared by the scheme, although it’s speculated that not every individual who downloaded the application fell prey to the digital currency drainer.


The operation entailed the dissemination of a deceitful application that went by multiple monikers such as “Mestox Calculator,” “WalletConnect – DeFi & NFTs,” and “WalletConnect – Airdrop Wallet” (co.median.android.rxqnqb).

Although the application is no longer accessible for download from the official app store, data from SensorTower indicates that it found popularity in Nigeria, Portugal, and Ukraine, and was associated with a developer named UNS LIS.

The developer has also been linked to another Android application dubbed “Uniswap DeFI” (com.lis.uniswapconverter) that remained active on the Play Store for approximately a month between May and June 2023. It is currently unclear if this application harbored any malevolent functionalities.


Nonetheless, both applications can be acquired from third-party sources, underscoring once again the hazards associated with downloading APK files from alternative platforms.

Upon installation, the bogus WalletConnect application is programmed to steer users towards a phony website based on their IP address and User-Agent string, redirecting them a second time to a different site imitating Web3Inbox if the conditions are met.

Individuals failing to meet the specified criteria, such as those accessing the URL from a desktop browser, are redirected to a legitimate site to avoid detection, effectively enabling the cybercriminals to circumvent the application review process on the Play Store.

In addition to implementing measures to deter analysis and debugging, the core element of the malware is a digital currency drainer dubbed MS Drainer, which coerces users to connect their wallet and authorize multiple transactions to validate their wallet.


The information inputted by the victim at each stage is transmitted to a command-and-control server (cakeserver[.]online) which subsequently responds with instructions to execute malicious transactions on the device and transfer the funds to an address controlled by the attackers.

“Similar to the theft of native cryptocurrency, the deceptive application initially deceives the user into endorsing a transaction in their wallet,” clarified Check Point researchers.

“Through this transaction, the victim grants permission for the attacker’s address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the ‘Address’ field in the configuration) to transfer the maximum amount of the specified asset (if allowed by its smart contract).”

In the subsequent step, the tokens from the victim’s wallet are transferred to a separate wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) controlled by the adversaries.


This also implies that unless the victim revokes the authorization to withdraw tokens from their wallet, the adversaries can repeatedly siphon off the digital assets as soon as they become available without any further action required.
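The approval step described above is an ordinary ERC-20 `approve(spender, amount)` call, and the later withdrawals are `transferFrom` calls that remain valid until the allowance is set back to zero. The following is an added example, not code from the article or from Check Point's report, showing how a wallet-review or transaction-simulation tool can decode such calldata before the user signs it, flag an unlimited allowance or a spender matching a known drainer address (the attacker address quoted in the article is used as constructed input), and build the revocation call the victim needs. Function names, the 2^128 "effectively unlimited" threshold and the sample calldata are assumptions made for this example.

```python
# Added example (not part of the article): decode ERC-20 approve() calldata,
# flag risky allowances, and build the approve(spender, 0) revocation call.
# Function selectors are the first 4 bytes of keccak256 of the signature.
APPROVE_SELECTOR = "095ea7b3"        # approve(address,uint256)
TRANSFER_FROM_SELECTOR = "23b872dd"  # transferFrom(address,address,uint256)
MAX_UINT256 = 2**256 - 1

# Spender address reported in the article as the attacker-controlled
# "Address" field of the drainer configuration (used here as a constructed IoC).
KNOWN_DRAINER_SPENDERS = {"0xf721d710e7c27323cc0aee847ba01147b0fb8dbf"}


def _strip_0x(hexstr):
    """Lower-case a hex string and drop any leading 0x prefix."""
    hexstr = hexstr.lower()
    return hexstr[2:] if hexstr.startswith("0x") else hexstr


def decode_approve(calldata):
    """Return (spender, amount) from approve(address,uint256) calldata.

    The layout is: 4-byte selector, then two 32-byte ABI words: the spender
    address right-aligned in the first word and the amount in the second.
    """
    data = _strip_0x(calldata)
    if data[:8] != APPROVE_SELECTOR or len(data) != 8 + 64 * 2:
        raise ValueError("not an approve(address,uint256) call")
    word0, word1 = data[8:72], data[72:136]
    spender = "0x" + word0[-40:]      # last 20 bytes of the padded word
    amount = int(word1, 16)
    return spender, amount


def assess_approval(calldata, unlimited_threshold=2**128):
    """Decode an approve() call and report why a wallet should warn the user.

    An allowance of MAX_UINT256 (or anything above the assumed threshold) lets
    the spender drain the full balance repeatedly, which is the drainer's
    behaviour described in the article.
    """
    spender, amount = decode_approve(calldata)
    findings = []
    if amount == MAX_UINT256 or amount >= unlimited_threshold:
        findings.append("unlimited allowance")
    if spender in KNOWN_DRAINER_SPENDERS:
        findings.append("spender matches known drainer address")
    return {
        "spender": spender,
        "amount": amount,
        "findings": findings,
        "risky": bool(findings),
    }


def encode_approve(spender, amount):
    """ABI-encode approve(spender, amount) as 0x-prefixed calldata."""
    spender_hex = _strip_0x(spender)
    if len(spender_hex) != 40:
        raise ValueError("spender must be a 20-byte address")
    return "0x" + APPROVE_SELECTOR + spender_hex.rjust(64, "0") + format(amount, "064x")


def revoke_calldata(spender):
    """Calldata for approve(spender, 0): the revocation that stops further transferFrom calls."""
    return encode_approve(spender, 0)


if __name__ == "__main__":
    # Constructed sample: the kind of unlimited approval the drainer asks for.
    sample = encode_approve("0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF", MAX_UINT256)
    report = assess_approval(sample)
    print("spender:", report["spender"])
    print("risky:", report["risky"], report["findings"])
    print("revocation calldata:", revoke_calldata(report["spender"]))
```

A wallet that shows the decoded spender and amount, rather than an opaque "confirm" prompt, is the user-facing control against this class of drainer; the `revoke_calldata` output is what an allowance-revocation tool submits to the token contract on the victim's behalf.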

Check Point also disclosed the identification of another malicious application showing identical characteristics, “Walletconnect | Web3Inbox” (co.median.android.kaebpq), that was previously present on the Google Play Store in February 2024, accruing over 5,000 downloads.

“This occurrence underscores the increasing complexity of cybercriminal strategies, specifically in the domain of decentralized finance, where users typically depend on third-party utilities and protocols to oversee their digital assets,” the company acknowledged.

“The deceitful application did not rely on conventional attack methods like permissions or keylogging; instead, it employed smart contracts and deep links to quietly drain assets once users were enticed to use the application.”
