Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign

Summary:
Check Point Research uncovered a recent mobile malware campaign exclusively targeting cryptocurrency users through a malicious Android app disguised as the legitimate WalletConnect protocol, taking advantage of its trusted name. This fake app, identified by Check Point, employed various evasion techniques, including BASE64 encoding and encryption, to avoid detection, deceive users, and steal their crypto assets. It achieved high visibility in Google Play Store search results through fake reviews and consistent branding, leading to over 10,000 downloads. Another malware app identified by Check Point exhibits similar features and achieved more than 5,000 downloads. Once the fake app is installed, it checks whether the user is on a desktop and redirects desktop visitors to a legitimate website; for mobile users it drops the MS Drainer and prompts them to sign several transactions. The collected wallet information is transmitted to a C2 server, which then sends commands to MS Drainer to transfer funds to the attacker’s wallet. This campaign is notable because it represents the first instance of a cryptocurrency drainer focusing exclusively on mobile device users. While the exact number of victims is unknown, over 150 users are estimated to have lost funds.

Security Officer Comments:
This incident underscores the evolving strategies of cybercriminals targeting the decentralized finance (DeFi) space. DeFi users often rely on third-party tools and protocols for managing their digital assets, making them a vulnerable target for supply chain attacks and phishing attempts. As mobile financial technology evolves, cybercriminals continue to find new ways to exploit it, including taking advantage of the trust placed in well-known app stores. The campaign underscores the security risks of downloading applications even from official app stores, because the large attack surface of a seemingly reliable store can still let a malicious app through.

The use of fake reviews and social engineering techniques demonstrates the adversary's access to resources and the importance of user vigilance. Further, the malware's ability to bypass detection mechanisms highlights the need for robust app review processes from these well-known stores. The presence of a secondary malicious app ("Walletconnect | Web3Inbox") suggests a broader campaign targeting DeFi users with multiple instances of masquerading mobile malware. This incident serves as a reminder for users to revoke unnecessary permissions granted to applications within their cryptocurrency wallets.
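The last recommendation above, revoking unnecessary wallet permissions, is concrete in practice: drainers of this kind work by getting the victim to sign token approvals that grant a spender an unlimited allowance. The following is an added example, not code from Check Point Research or from the campaign, that reduces a wallet's ERC-20 Approval event history to its current allowances and flags unlimited ones granted to spenders the user does not recognize. The token and address values are constructed placeholders, and the trusted-spender list is an assumption the user supplies.

```python
"""Flag risky ERC-20 token approvals from a wallet's Approval event history.

Added example (not part of the Check Point research): walks a constructed list
of decoded Approval events and reports which allowances a user should review
or revoke. Addresses and token names below are constructed placeholders.
"""
from dataclasses import dataclass

UNLIMITED = 2**256 - 1  # uint256 max, the value a typical "unlimited" approval uses


@dataclass(frozen=True)
class Approval:
    token: str    # token contract address (constructed sample values below)
    owner: str    # wallet that granted the allowance
    spender: str  # contract or account allowed to move the owner's tokens
    value: int    # allowance in base units; 0 means revoked


def current_allowances(events):
    """Reduce a chronological Approval stream to the latest allowance per (token, spender)."""
    latest = {}
    for ev in events:  # a later event overwrites an earlier one for the same pair
        latest[(ev.token, ev.spender)] = ev.value
    return latest


def risky_allowances(events, trusted_spenders, threshold=UNLIMITED):
    """Return (token, spender, value) for non-zero allowances at or above `threshold`
    granted to a spender not on the user's trusted list (e.g. a known DEX router)."""
    trusted = {s.lower() for s in trusted_spenders}
    out = []
    for (token, spender), value in current_allowances(events).items():
        if value == 0 or spender.lower() in trusted:
            continue
        if value >= threshold:
            out.append((token, spender, value))
    return sorted(out)


# Constructed sample history: one approval to a trusted router, one unlimited
# approval to an unknown contract (the drainer pattern), and one later revocation.
SAMPLE_EVENTS = [
    Approval("0xTOKEN_A", "0xVICTIM", "0xROUTER_TRUSTED", UNLIMITED),
    Approval("0xTOKEN_A", "0xVICTIM", "0xUNKNOWN_SPENDER", UNLIMITED),
    Approval("0xTOKEN_B", "0xVICTIM", "0xUNKNOWN_SPENDER", UNLIMITED),
    Approval("0xTOKEN_B", "0xVICTIM", "0xUNKNOWN_SPENDER", 0),  # user revoked this one
]

if __name__ == "__main__":
    for token, spender, value in risky_allowances(SAMPLE_EVENTS, ["0xROUTER_TRUSTED"]):
        print(f"review/revoke: token={token} spender={spender} allowance={value}")
```

With real data, the event list would come from decoded Approval logs filtered on the wallet as owner; the reduction and the threshold check are the same.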

Suggested Corrections:
IOCs for this campaign are published here.

  • Keep your software updated: Only 20 percent of Android devices are running the newest version and only 2.3 percent are on the latest release. Everything from your operating system to your social network apps is a potential gateway for hackers to compromise your mobile device. Keeping software up to date ensures the best protection against most mobile security threats.
  • Choose mobile security: Just like computers, your mobile devices also need internet security. Make sure to select mobile security software from a trusted provider and keep it up to date.
  • Install a firewall: Most mobile phones do not come with any kind of firewall protection. Installing a firewall provides you with much stronger protection against digital threats and allows you to safeguard your online privacy.
  • Always use a passcode on your phone: Remember that loss or physical theft of your mobile device can also compromise your information.
  • Download apps from official app stores: Both the Google Play and Apple App stores vet the apps they sell; third-party app stores don’t always. Buying from well-known app stores may not ensure you never get a bad app, but it can help reduce your risk.
  • Always read the end-user agreement: Before installing an app, read the fine print. Grayware purveyors rely on your not reading their terms of service and allowing their malicious software onto your device.

Recommendations from Check Point Research
To stay protected, users must remain vigilant and wary of the applications they download, even when they appear legitimate. Additionally, app stores must strengthen their verification processes to prevent such malicious apps from slipping through the cracks. The crypto community needs to continue to educate users about the risks associated with Web3 technologies and the importance of scrutiny when managing their digital assets. This case illustrates that even seemingly innocuous interactions can lead to significant financial losses.

Link(s):
https://thehackernews.com/2024/09/crypto-scam-app-disguised-as.html

https://research.checkpoint.com/2024/wallet-scam-a-case-study-in-crypto-drainer-tactics/