WalletConnect has warned crypto users about a fake app previously available on the Google Play Store.
In a September 29 post on X, the organization behind the open-source protocol that enables secure connections between crypto wallets and decentralized applications (dApps) said the offending app has since been removed from Google Play, but not before it reportedly stole more than $70,000 worth of crypto from unsuspecting users.
Malicious App Targeted Mobile Users
The issue first came to light on September 26 when cybersecurity outfit Check Point Research (CPR) published a lengthy report about it. In its write-up, CPR claimed that the fake app had posed as a legitimate crypto tool, exploiting the trust of the WalletConnect name and going undetected on the Google Play Store for at least five months.
People allegedly downloaded the application more than 10,000 times in that period, but more widespread damage was prevented because many of the downloaders never actually connected their wallets to the app.
CPR also claimed that other users may not have met the malicious app’s targeting criteria. According to the security firm, the app reacted differently depending on a user’s IP address location and whether they were using a mobile device.
Depending on the IP and the device they were on, users would be redirected to the app’s back-end, which contained the MS Drainer software.
The offending app became available on the Google Play Store on March 21, 2024, as “Mestox Calculator.” It then underwent several changes before its final iteration as a WalletConnect application.
Interestingly, despite the name changes, the app’s URL still pointed to what looked like a harmless website with a calculator. This technique reportedly allowed the app’s publishers to pass Google’s review process since any checks would simply load the calculator.
CPR also noted that the app used advanced social engineering tactics, including fake reviews and branding, to increase its visibility in search results. This made many unwitting victims believe it was legitimate.
150 People Fell Victim to the Scam
Once downloaded, the fake app guided users to connect their crypto wallets and to grant several permissions, after which its creators used sophisticated draining techniques to trigger fraudulent transactions. Unknowing users then approved the transactions, allowing the scammers to siphon funds directly from their wallets.
Per the CPR report, about 150 users fell victim to the scam, losing crypto worth more than $70,000 between them.
For its part, WalletConnect has reminded users that there is no official WalletConnect app and that they should stay vigilant against such scams, even as it works to prevent similar occurrences in the future.