A crypto wallet drainer that employed “advanced evasion techniques” was discovered on the Google Play store, stealing over $70,000 from more than 150 users over a five-month period.
According to IT security firm Check Point Research, the malicious app masqueraded as WalletConnect, a legitimate app in the crypto space used to link crypto wallets to decentralized finance (DeFi) applications.
Check Point Research revealed that this was the first time mobile users were exclusively targeted by a crypto wallet drainer. The app was able to evade detection on the Google Play store for months thanks to fake reviews and branding that helped it rank high in search results, achieving over 10,000 downloads.
Though over 150 users fell victim to the scam, some users were unaffected because they either did not connect a wallet or recognized the app as fraudulent. Others may not have met the specific targeting criteria of the malware.
Advanced techniques fooled Google Play’s review process
The app was first listed on Google Play as “Mestox Calculator” and frequently changed names, while its URL pointed to a harmless calculator website. This tactic allowed the app to pass both automated and manual review processes, as only the benign calculator was visible during checks. Once downloaded, depending on the user’s IP address and whether they were on a mobile device, the app redirected them to a malicious backend housing the wallet-draining software known as MS Drainer.
Users who downloaded the app were prompted to connect their wallets, which appeared legitimate given the similarity to the real WalletConnect app. The fake app then requested permissions to “verify their wallet,” granting the attacker’s address permission to transfer the maximum amount of assets from the user’s wallet.
Check Point Research clarified that this app used advanced methods, relying on smart contracts and deep links to silently drain assets, rather than traditional attack methods like permissions or keylogging. The app first targeted the most valuable tokens in users’ wallets, then moved on to the lesser ones.
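The permission grant described above is, on EVM chains, an ordinary token approval call with an unlimited allowance for the attacker's address. As an added defensive example (not code from Check Point Research or from the drainer), the Python below decodes approval calldata before a wallet signs it and flags the drainer pattern; it assumes the drain used standard ERC-20 approve() / ERC-721 setApprovalForAll() calls, which the article does not state explicitly, and all addresses in it are constructed.

```python
from typing import Optional

# Well-known 4-byte selectors (first four bytes of keccak256 of the signature).
APPROVE = "095ea7b3"               # approve(address spender, uint256 amount)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address operator, bool approved)
UINT256_MAX = (1 << 256) - 1       # the "unlimited" allowance a drainer asks for

def decode_approval(calldata: str) -> Optional[dict]:
    """Decode approve()/setApprovalForAll() calldata; None for anything else."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8 + 2 * 64:
        return None
    selector, args = data[:8], data[8:]
    spender = "0x" + args[24:64]       # address sits in the low 20 bytes of word 1
    word2 = int(args[64:128], 16)
    if selector == APPROVE:
        return {"kind": "approve", "spender": spender, "amount": word2}
    if selector == SET_APPROVAL_FOR_ALL:
        return {"kind": "setApprovalForAll", "spender": spender, "approved": bool(word2)}
    return None

def assess_approval(calldata: str, trusted_spenders: set) -> str:
    """'none' (not an approval), 'ok' (known spender), 'danger' (drainer-style) or 'review'."""
    a = decode_approval(calldata)
    if a is None:
        return "none"
    if a["spender"] in {s.lower() for s in trusted_spenders}:
        return "ok"
    if a["kind"] == "approve" and a["amount"] == UINT256_MAX:
        return "danger"   # unlimited allowance for an unknown address: it can empty that token
    if a["kind"] == "setApprovalForAll" and a["approved"]:
        return "danger"   # unknown operator gains control of an entire NFT collection
    return "review"       # bounded allowance to an unknown address still deserves a look

def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount), used here only to build sample calldata."""
    return "0x" + APPROVE + spender[2:].lower().rjust(64, "0") + format(amount, "064x")

# Constructed sample addresses, not real on-chain parties.
ATTACKER = "0x" + "0a" * 20
TRUSTED_ROUTER = "0x" + "11" * 20

if __name__ == "__main__":
    for label, tx in [("unlimited to unknown", encode_approve(ATTACKER, UINT256_MAX)),
                      ("unlimited to trusted", encode_approve(TRUSTED_ROUTER, UINT256_MAX)),
                      ("bounded to unknown", encode_approve(ATTACKER, 100 * 10**18)),
                      ("plain transfer", "0xa9059cbb" + "00" * 64)]:
        print(f"{label:22s} -> {assess_approval(tx, {TRUSTED_ROUTER})}")
```

A wallet or browser extension applying this check would surface the "danger" case as a warning before the user confirms the "verify your wallet" prompt, which is exactly the step at which the victims in this case lost their funds.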