Crypto Wallet Drainer Posed As Calculator On Google Play Store, Stole $70K: Researchers

Calculators are supposed to be life-savers for people in fast-paced businesses and individuals with poor math skills, but in a twist of fate, bad actors used a "calculator" to steal over $70,000 from over 150 cryptocurrency users.

Researchers from cyber threat intelligence firm Check Point Research (CPR) revealed in a report last week that a malicious app posing initially as a multi-function calculator had been on Google Play Store for several months before it was removed.

From 'Mestox Calculator' to WalletConnect App

Google's Play Store first published the app in March under the name "Mestox Calculator." The exploiters then changed the app's name multiple times before it became "WalletConnect – Crypto Wallet," as per the CPR report.

More than 10,000 people downloaded the app amid fake reviews and consistent branding that helped the app get high up in search results rankings, the researchers said.

The app was "designed to steal cryptocurrency, marking the first time a drainer has targeted mobile device users exclusively," with losses passing $70,000 in cryptocurrencies from over 150 users, the report noted.

How the App Slid Past Google Play Store Verification

The app's initial URL directed users to a website of the "Mestox Calculator" that showed users a "seemingly harmless web application, a multifunctional calculator with many features." CPR researchers noted that it was just a decoy.

Users were then redirected to a different link, depending on certain parameters, including the user's IP address and User-Agent. The tactic allowed the app to pass Google's review process, since automated and manual checks will load the Mestox Calculator.

Furthermore, "all malicious code occurs outside the application," the report said, allowing for the attackers' schemes to be undetected on legitimacy check tools.

A de-obfuscated JavaScript code showed that the malicious app utilized MS Drainer, specifically the app's May 26, 2024, version. MS Drainer is described as "a highly advanced malicious toolkit that represents one of the most sophisticated drainers currently available on the market."

How the Draining Worked

Once the app is launched, users are prompted to connect their wallets. The CPR analysts believe users were drawn to the app due to the belief that the WalletConnect app may function as a proxy to connect their wallets to Web3 applications that only use the WalletConnect protocol.

Users are then prompted to verify their wallet and are asked to sign transactions consecutively. The exploiters then activate the drainer and engage in sophisticated tricks to drain the users' wallets.

Of over 150 victims who lost their digital assets to the malicious app, only 20 individuals wrote negative views on Google Play, as per CPR.

"This incident highlights the growing sophistication of cybercriminal tactics, particularly in the realm of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets," the report reiterated.

The app has since been removed from Google Play Store, but CPR urged crypto users to remain vigilant, especially before downloading new apps that may look harmless at first.