News: 1727359689

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Victims lose $70k to one single wallet-draining app on Google's Play Store

(2024/09/26)


The latest in a long line of cryptocurrency wallet-draining attacks has stolen $70,000 from people who downloaded a dodgy app in a single campaign researchers describe as a world-first.

A fraudulent app targeted web3 users on Google's Play Store, piggybacking on the name and reputation of the legitimate WalletConnect protocol, which is used for connecting decentralized applications and wallets. It also doesn't have an official app on the Play Store.

Of the total 150 or so victims of the app, CPR noted that only 20 bothered to leave a negative review on the Play Store...

Investigators at Check Point Research (CPR) said the app, which is called WalletConnect and used the open source project's official logo in the app tile image, is the first drainer of its kind to target mobile users exclusively.

We can help you

The attackers behind the app clearly knew their market well. They understood that common issues encountered by those who use the real WalletConnect protocol include version compatibility and the lack of universal support for the protocol by commonly used wallets.

The fraudulent app marketed itself as an easy solution to these problems, CPR said, and without an official app on the Play Store, combined with the flurry of fake reviews speaking to its effectiveness, it was poised to fool a fair few users. More than 10,000 of them, in fact.

That's not to say each of those downloads led to them being victimized. Far from it, in reality. CPR verified transactions linked to more than 150 addresses, suggesting that was the number of individuals who had their wallets raided.

[1]

Once the app was downloaded, victims were prompted to link their wallets filled with cryptocurrencies, under the assumption that it was trustworthy and would allow smoother, secure access to supported web3 applications.

[2]

Infographic representation of the attack chain - courtesy of Check Point Research - Click to enlarge

They were then instructed to authorize various transactions after selecting their wallet. Selecting the wallet triggered the app to direct the victim to a malicious website that would capture details about the wallet itself, the blockchain, and known addresses.

Exploiting the [3]mechanics of smart contracts allowed the attackers to authorize transfers of tokens from the victim's wallet into their own prioritizing the transfer of more valuable cryptocurrency tokens over the less valuable kinds.

[4]

[5]

Of the total 150 or so victims of the app, CPR noted that only 20 bothered to leave a negative review on the Play Store – apathy that allowed the miscreants behind it the chance to post ample fake positive reviews, drowning out the victims' voices.

Launched in March, the app's true purpose wasn't detected by the powers that be until five months later, at which point it was promptly removed from the Play Store.

[6]

Alexander Chailytko, cybersecurity, research, and innovation manager at CPR, said: "This incident is a wake-up call for the entire digital asset community as the emergence of the first mobile crypto drainer app on Google Play marks a significant escalation in the tactics used by cybercriminals and the rapidly evolving landscape of cyber threats in decentralized finance.

"This research highlights the critical need for advanced, AI-driven security solutions that can detect and prevent such sophisticated threats. It's essential that both users and developers stay informed and take proactive measures to secure their digital assets."

Despite Google claiming to have a rigorous vetting process before apps become available to Android users, we still regularly hear about naughty ones [7]making their way onto devices .

[8]

The ability to side-load apps onto Android phones plays a big role in this though.

[9]Crypto wallet providers urged to rethink security as criminals drain them of millions

[10]This legit Android app turned into mic-snooping malware – and Google missed it

[11]Necro malware continues to haunt side-loaders of dodgy Android mods

[12]US may exempt latest chip fabs from eco red-tape, but power is still a trip

Just this week, in fact, Kaspersky exposed [13]a campaign that saw 11 million Android users, by its estimations, download applications secretly loaded with Necro malware which stole money from users via phony subscription charges.#

Responding to the findings, a Google spokesperson said: "All of the malicious versions of the apps identified by this report were removed from Google Play prior to report publication.

"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play." ®

Get our [14]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZvWFIyNOTMolAxtMZcgTYgAAAUA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://regmedia.co.uk/2024/09/26/check_point_wallet_drain_diagram.jpg

[3] https://www.theregister.com/2024/03/19/crypto_wallet_providers_urged_to/

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvWFIyNOTMolAxtMZcgTYgAAAUA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvWFIyNOTMolAxtMZcgTYgAAAUA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvWFIyNOTMolAxtMZcgTYgAAAUA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2023/05/24/a_legit_android_app_turned/

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvWFIyNOTMolAxtMZcgTYgAAAUA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://www.theregister.com/2024/03/19/crypto_wallet_providers_urged_to/

[10] https://www.theregister.com/2023/05/24/a_legit_android_app_turned/

[11] https://www.theregister.com/2024/09/23/necro_malware_android/

[12] https://www.theregister.com/2024/09/25/chip_fabs_us_power/

[13] https://www.theregister.com/2024/09/23/necro_malware_android/

[14] https://whitepapers.theregister.com/



LOL

Anonymous Coward

We end up with a Russian company to protect us from Google malware house. because goog got paid and does'nt care if there is malware there, unless 'to many" people complain.

I have no pity for anyone that gets ripped off from a goog app. They would know better with a little research.

Goog play store is the biggest distributor of more malware than any other single source, for at least the last 8 years. Trust is earned not given.

Thank you K, at least someone is doing good in the world.

Blackjack

web3: We Embezzle Bonds X3!

"In finance, a bond is a type of security under which the issuer (debtor) owes the holder (creditor) a debt, and is obliged – depending on the terms – to provide cash flow to the creditor (e.g. repay the principal (i.e. amount borrowed) of the bond at the maturity date as well as interest (called the coupon) over a specified amount of time)" - Bond (finance) Wikipedia

"This research highlights the critical need for..."

Yorick Hunt

... People to stop being sheep and clicking on everything that's offered to them.

You want to do something secure on your 'phone, use your web browser ( not Chrome!). If you absolutely can't live without an app (which, bear in mind, has a massive target painted on its back to alert miscreants to its presence), download the app through a link on your financial platform's web site.

highlights the critical need for advanced, AI-driven security solutions

Howard Sway

Kind of figures that people who fell for the crypto bullshit have now decided to put their faith in the AI bullshit to save them.

J. Cook

:: insert sound clip of The Heavy from Team Fortress 2 saying "CRY SOME MORE!!" ::

Exploiting the mechanics of smart contracts allowed the attackers to authorize transfers

Jimmy2Cows

Thought "smart contracts" were supposed to prevent exactly these kinds of shenanigans, not be an enabler.

Yebbut...

Anonymous Coward

Yebbut surely the Play Store strictly checks and verifies the identities of developers before apps are allowed to be uploaded, so it will be simple for the authorities to find out who developed and uploaded the app, won't it?

(Warning: sarcasm alert - perhaps the EU campaigning to force Apple to change its store terms may take notice)

This bag is recyclable.