Security researchers have identified the first instance of mobile crypto drainer malware targeting users through an app on Google Play. Check Point Research (CPR) reported that the WalletConnect app collected over 10,000 downloads and was responsible for stealing approximately $70,000 in cryptocurrency from unsuspecting victims before Google took it down.

Malware’s Deceptive Design

Originally uploaded in March 2024, the fraudulent app was designed to impersonate the legitimate Web3 open-source protocol WalletConnect and managed to avoid detection for five months. The malware employed sophisticated techniques such as redirects and user-agent checking to bypass both automated systems and manual scrutiny.

WalletConnect is intended to facilitate connections between decentralised applications and crypto wallets. However, many users encounter difficulties, as not all wallets are compatible, and some do not have the latest version. Attackers cleverly exploited these complications by offering a deceptive solution through the fake WalletConnect app on Google Play.

How the Scam Works

Upon downloading the malicious application, victims are prompted to connect their crypto wallet, which secretly directs them to a harmful website. “Users then must verify the selected wallet and are asked to authorise several transactions,” explained CPR. The malware communicates with a command-and-control (C&C) server, retrieving sensitive details about the victim’s wallet, blockchain networks, and addresses.

Notably, the malware was designed to withdraw higher-value crypto tokens first before targeting other assets across various blockchain networks. Alarmingly, only 20 users who lost funds left negative reviews on Google Play, indicating that many victims may remain unaware of the theft.

When the app received negative feedback, the developers reportedly inundated the page with fake positive reviews to mislead potential victims. Google Play has since removed the fraudulent application following its discovery.