

Ethical Hacking News

Crypto Scam App Uncovered: A Sophisticated Deception in the WalletConnect Ecosystem



A recent discovery by cybersecurity researchers has uncovered a malicious Android app that masqueraded as the legitimate WalletConnect open-source protocol, leading to the theft of approximately $70,000 in cryptocurrency over a period of nearly five months. Learn more about this sophisticated deception and how you can protect yourself from similar threats.


  • A malicious Android app masquerading as WalletConnect stole $70,000 in cryptocurrency over five months.
  • The app, "Mestox Calculator," tricked users into downloading it with fake reviews and consistent branding.
  • The threat actors used smart contracts and deep links to silently drain assets from user wallets.
  • The attackers exploited vulnerabilities in the Play Store review process, bypassing security checks.
  • The incident highlights the growing sophistication of cybercriminal tactics in decentralized finance.



In a recent discovery, cybersecurity researchers from Check Point have uncovered a malicious Android app that masqueraded as the legitimate WalletConnect open-source protocol, leading to the theft of approximately $70,000 in cryptocurrency over a period of nearly five months. The dodgy app, which was available for download on the Google Play Store, used fake reviews and consistent branding to trick unsuspecting users into downloading it, achieving over 10,000 downloads by ranking high in search results.

The malicious app, identified as "Mestox Calculator," "WalletConnect - DeFi & NFTs," and "WalletConnect - Airdrop Wallet" (co.median.android.rxqnqb), was linked to a developer named UNS LIS, who has also been associated with another Android app called "Uniswap DeFI" (com.lis.uniswapconverter) that remained active on the Play Store for about a month between May and June 2023. The suspicious activity surrounding these apps highlights the risks posed by downloading APK files from third-party app store sources.

Upon installation, the fake WalletConnect app redirects users to a bogus website that checks their IP address and User-Agent string; visitors who match the targeting criteria are redirected a second time to another site that mimics Web3Inbox. Users who do not meet the required criteria, including those who visit the URL from a desktop web browser, are taken to a legitimate website instead, which is how the threat actors got the app past the Play Store review process.

The core component of the malware is a cryptocurrency drainer known as MS Drainer, which prompts users to connect their wallet and sign several transactions to "verify" their wallet. The malicious app also uses smart contracts and deep links to silently drain assets once users are tricked into using the app.

According to Check Point researchers, similar to the theft of native cryptocurrency, the malicious app first tricks the user into signing a transaction in their wallet. Through this transaction, the victim grants permission for the attacker's address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the 'Address' field in the configuration) to transfer the maximum amount of the specified asset (if allowed by its smart contract). In the next step, the tokens from the victim's wallet are transferred to a different wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) controlled by the attackers.

This also means that if the victim does not revoke the permission to withdraw tokens from their wallet, the attackers can keep withdrawing the digital assets as soon as they appear without requiring any further action. Check Point noted that this incident highlights the growing sophistication of cybercriminal tactics, particularly in the realm of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets.
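The approve-then-transferFrom sequence described above is what the "verify your wallet" prompt actually asks the victim to sign. The following Python script is an added example, not code from the article or from Check Point: it decodes raw ERC-20 approve() and transferFrom() calldata and flags an unlimited allowance or an unrecognised spender, which is the check a wallet user (or a wallet's transaction-preview feature) needs to make before signing. The sample calldata is constructed here around the spender address quoted in the article; the function selectors are the standard ERC-20 ones.

```python
"""Decode ERC-20 approve()/transferFrom() calldata and flag drainer-style approvals."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# 4-byte function selectors: first 4 bytes of keccak256 of the function signature
APPROVE_SELECTOR = "095ea7b3"        # approve(address,uint256)
TRANSFER_FROM_SELECTOR = "23b872dd"  # transferFrom(address,address,uint256)
UINT256_MAX = 2**256 - 1             # "maximum amount": an unlimited allowance

# Spender address quoted in the article; used here only as constructed sample input
DRAINER_SPENDER = "0xf721d710e7c27323cc0aee847ba01147b0fb8dbf"


@dataclass
class DecodedCall:
    kind: str
    args: Dict[str, object]
    warnings: List[str]


def _word(data: str, i: int) -> str:
    """Return the i-th 32-byte ABI word (hex) following the 4-byte selector."""
    start = 8 + 64 * i
    return data[start:start + 64]


def _addr(word: str) -> str:
    """Addresses are right-aligned in their 32-byte word: keep the last 20 bytes."""
    return "0x" + word[24:]


def decode_erc20_call(calldata_hex: str, known_spenders: Iterable[str] = ()) -> Optional[DecodedCall]:
    data = calldata_hex.lower().removeprefix("0x")
    selector = data[:8]
    if selector == APPROVE_SELECTOR and len(data) == 8 + 2 * 64:
        spender, amount = _addr(_word(data, 0)), int(_word(data, 1), 16)
        warnings = []
        if amount == UINT256_MAX:
            warnings.append("unlimited allowance: spender can move every token you hold now or later")
        if spender not in {s.lower() for s in known_spenders}:
            warnings.append(f"spender {spender} is not a contract you recognise")
        return DecodedCall("approve", {"spender": spender, "amount": amount}, warnings)
    if selector == TRANSFER_FROM_SELECTOR and len(data) == 8 + 3 * 64:
        src, dst, amount = _addr(_word(data, 0)), _addr(_word(data, 1)), int(_word(data, 2), 16)
        return DecodedCall("transferFrom", {"from": src, "to": dst, "amount": amount}, [])
    return None  # not an ERC-20 call this decoder understands


# Constructed sample: the approval a "verify your wallet" signature in this campaign amounts to
SAMPLE_APPROVE = "0x" + APPROVE_SELECTOR + DRAINER_SPENDER[2:].rjust(64, "0") + "f" * 64

if __name__ == "__main__":
    call = decode_erc20_call(SAMPLE_APPROVE)
    print(call.kind, call.args["spender"], hex(call.args["amount"]))
    for warning in call.warnings:
        print("WARNING:", warning)
```

Revoking such an allowance is itself an approve() call with an amount of 0 to the same spender, which the same decoder reports with no warnings.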

The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app. This approach demonstrates the evolving nature of cryptocurrency scams and the need for continued vigilance among users and developers alike.

In conclusion, this recent discovery underscores the importance of being aware of the risks associated with downloading Android apps from third-party sources, and the need for robust security measures to protect against such threats.



Related Information:

  • https://thehackernews.com/2024/09/crypto-scam-app-disguised-as.html

  • https://www.sepe.gr/en/it-technology/cybersecurity/22483546/crypto-scam-app-disguised-as-walletconnect-steals-70k-in-five-month-campaign/



Published: Sat Sep 28 07:50:40 2024 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.