Another crypto theft app ran for months on Google Play

A recent incident once again highlights how sophisticated cybercriminals' tools have become, as more than 10,000 users downloaded a fraudulent app.

Scammers pocket $70,000 in 5 months

Another cautionary case has emerged that shows the advanced tools cybercriminals now use: the security firm Check Point Research uncovered a malicious app on the Google Play Store designed to drain cryptocurrency wallets. Over the course of five months, the app stole more than $70,000.

The app employed advanced evasion techniques to remain unnoticed for a long time and tricked over 10,000 users into downloading it.

The app mimicked a legitimate protocol

The fraudulent application impersonated the popular WalletConnect protocol, widely used in the crypto world to connect wallets with decentralized finance (DeFi) applications. The disguise was so convincing that more than 150 users fell victim to the scam, collectively losing around $70,000 in cryptocurrency.

At first glance, the app seemed completely legitimate

In a blog post on September 26, Check Point Research noted that this was the first known case of a wallet-draining program targeting mobile users specifically. The attackers used tactics such as fake reviews and consistent branding to push the malicious app high in Google Play search results.

The scam app, first released under the name "Mestox Calculator," was repeatedly rebranded, and its listed URL pointed to an innocent-looking calculator, which allowed it to pass Google's review systems.

After bypassing Google Play's verification process, the app remained available for over five months before Google removed it. In reality, it carried a wallet-draining program called "MS Drainer," which was silently installed in the background depending on the user's IP address and device.

How the app operated

The app tricked users into connecting their crypto wallets and requested permissions that gave attackers full access to their funds. Check Point Research noted that the app used smart contracts and deep links, which discreetly siphoned off money from the wallets without raising the user’s suspicion. It initially targeted the most valuable tokens, then moved on to cheaper ones.
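The "permissions" a wallet-draining app asks the user to sign are typically token approvals that let another address spend the user's balance. The article does not name the mechanism, so the following added example (not from the article or from Check Point's report) assumes ERC-20 approve() calls and shows how a wallet or reviewer could decode one and flag an unlimited or oversized allowance before it is signed; the spender address and amounts are constructed sample values.

```python
# Added example: decode ERC-20 approve(address,uint256) calldata and flag
# allowances that would hand a spender full control of a balance.
# Assumption: the drainer's "permissions" are token approvals of this form.

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1        # the "unlimited" allowance most drainers request

def decode_approve(calldata_hex: str):
    """Return (spender, amount) for an approve() call, or None if it is not one."""
    data = calldata_hex.lower().removeprefix("0x")
    # selector (8 hex chars) + two 32-byte ABI words (64 hex chars each)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64]     # address is right-aligned in its word
    amount = int(data[8 + 64:8 + 128], 16)
    return spender, amount

def assess_approval(calldata_hex: str, balance: int, trusted_spenders: set):
    """Classify a pending approval: 'unlimited', 'exceeds-balance',
    'unknown-spender', 'ok', or 'not-approve'. Returns (verdict, spender, amount)."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return ("not-approve", None, None)
    spender, amount = decoded
    if amount == MAX_UINT256:
        verdict = "unlimited"            # full, open-ended access to the token balance
    elif amount > balance:
        verdict = "exceeds-balance"      # more than the user even holds: suspicious
    elif spender not in trusted_spenders:
        verdict = "unknown-spender"      # limited, but to an address nobody vetted
    else:
        verdict = "ok"
    return (verdict, spender, amount)

# Constructed sample inputs (not real on-chain data).
SPENDER = "0x" + "11" * 20
UNLIMITED_APPROVE = "0x" + APPROVE_SELECTOR + "00" * 12 + "11" * 20 + "ff" * 32
LIMITED_APPROVE = ("0x" + APPROVE_SELECTOR + "00" * 12 + "11" * 20
                   + format(5 * 10**18, "064x"))    # 5 tokens with 18 decimals
TRANSFER_CALL = "0x" + "a9059cbb" + "00" * 12 + "11" * 20 + "00" * 32  # transfer()

if __name__ == "__main__":
    for name, call in [("unlimited", UNLIMITED_APPROVE),
                       ("limited", LIMITED_APPROVE), ("transfer", TRANSFER_CALL)]:
        print(name, assess_approval(call, balance=10**19, trusted_spenders=set()))
```

A wallet UI that applies this check would warn on the unlimited approval a drainer relies on, while a vetted DeFi contract with a bounded allowance passes.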

Cybercriminals in the crypto world never sleep

This incident shows just how creative and cunning cybercriminals can be, employing increasingly sophisticated techniques. Researchers warn that even apps that seem completely legitimate at first glance can pose serious threats.

They emphasized that users need to be extremely cautious, and app stores should improve their verification mechanisms to prevent similar cases in the future.