September 28, 2024 | Ravie Lakshmanan | Cryptocurrency / Mobile Security
Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that allowed the attackers behind it to steal approximately $70,000 in cryptocurrency from victims over nearly five months.
This dangerous app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it.
“Fake reviews and consistent branding allowed the app to rank high in search results and achieve over 10,000 downloads,” the cybersecurity firm said in an analysis, adding that this is the first time a cryptocurrency drainer has targeted only mobile users.
It is estimated that over 150 users were affected by this scam, though not every user who downloaded the app is believed to have lost funds to the drainer.
The campaign included the distribution of fraudulent apps with names such as “Mestox Calculator,” “WalletConnect – DeFi & NFT,” and “WalletConnect – Airdrop Wallet” (co.median.android.rxqnqb).
The app is no longer available for download from the official app marketplace, but according to Sensor Tower data, it was popular in Nigeria, Portugal, and Ukraine, and was linked to a developer named UNS LIS.
The developer is also behind another Android app called “Uniswap DeFI” (com.lis.uniswapconverter), which was active on the Play Store for about a month from May to June 2023. It is currently unknown whether that app had any malicious functionality.
However, both apps can still be downloaded from third-party app store sources, again highlighting the risks of sideloading APK files from other marketplaces.
Once installed, the fake WalletConnect app is designed to redirect users to a fake website selected based on their IP address and user agent string, and from there to another site imitating Web3Inbox.
Users who do not meet the required criteria, such as those accessing the URL from a desktop web browser, are sent to legitimate websites instead. This cloaking avoids detection and effectively allowed the threat actors to bypass the Play Store’s app review process.
In addition to taking steps to hinder analysis and debugging, a central component of the malware is a cryptocurrency draining tool known as MS Drainer, which prompts users to connect their wallets, verify them, and sign a number of transactions.
At each step, the information entered by the victim is sent to a command-and-control server (cakeserver(.)online), which responds with instructions that trigger malicious transactions on the device and transfer funds to the attacker’s wallet address.
“Similar to native cryptocurrency theft, malicious apps first trick users into signing transactions in their wallets,” Check Point researchers said.
“Through this transaction, the victim grants the attacker’s address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the “Address” field in the configuration) permission to transfer the maximum amount of the specified asset (if allowed by the smart contract).
In the next step, the tokens from the victim’s wallet are transferred to another wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) controlled by the attacker.
This also means that if the victim does not revoke permission to withdraw tokens from the wallet, the attacker can continue to withdraw digital assets as soon as they appear, without requiring any additional action.
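The approval step described above is where a wallet can still warn the user. The following is an added example, not code from Check Point or the WalletConnect project: it decodes an ERC-20 `approve(address,uint256)` call before it is signed, flags an unlimited allowance or a spender matching the drainer address quoted in the report, and builds the `approve(spender, 0)` call that revokes such an allowance. Only the selector constant is real; the sample calldata is constructed.

```python
# Added example (not from the Check Point report): inspect an ERC-20 approve()
# call a wallet is asked to sign, then build the call that revokes it.
# Uses only the Python standard library.

APPROVE_SELECTOR = "095ea7b3"      # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = (1 << 256) - 1       # "unlimited" allowance value drainers ask for

# Spender address named in the Check Point analysis quoted above.
KNOWN_DRAINER_SPENDERS = {"0xf721d710e7c27323cc0aee847ba01147b0fb8dbf"}


def decode_approve(calldata_hex: str):
    """Return (spender, amount) for ERC-20 approve calldata, or None if it is not approve."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64]      # address is right-aligned in a 32-byte word
    amount = int(data[8 + 64:8 + 128], 16)
    return spender, amount


def assess_approve(calldata_hex: str) -> dict:
    """Flags a wallet should surface before the user signs the transaction."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return {"is_approve": False}
    spender, amount = decoded
    return {
        "is_approve": True,
        "spender": spender,
        "unlimited": amount == MAX_UINT256,
        "known_drainer": spender in KNOWN_DRAINER_SPENDERS,
    }


def build_revoke(spender: str) -> str:
    """Calldata for approve(spender, 0), which revokes an existing allowance."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


# Constructed sample: the unlimited approval a drainer asks the victim to sign.
SAMPLE_APPROVE = ("0x" + APPROVE_SELECTOR
                  + "f721d710e7c27323cc0aee847ba01147b0fb8dbf".rjust(64, "0")
                  + "f" * 64)
```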
Check Point said it has also identified another malicious app, Walletconnect | Web3Inbox (co.median.android.kaebpq), that exhibits similar functionality. The app was previously available on the Google Play Store in February 2024 and had garnered over 5,000 downloads.
“This incident highlights the increasing sophistication of cybercriminal tactics, particularly in the field of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets,” the company pointed out.
“Malicious apps did not rely on traditional attack vectors like permissions or keylogging. Instead, they used smart contracts and deep links to silently drain users’ assets once they were tricked into using the app.”