Malicious Android App Drains $70,000 in Crypto from Over 150 Victims

Cybersecurity researchers have uncovered a malicious Android app that was available on the Google Play Store, allowing threat actors to steal approximately $70,000 in cryptocurrency from victims over nearly five months.

The app, identified by Check Point, posed as the legitimate WalletConnect open-source protocol, deceiving users into downloading it.

"Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results," the cybersecurity company said in its analysis. It added that this is the first time a cryptocurrency drainer has specifically targeted mobile device users.

An estimated 150 users fell victim to the scam, though not all users who downloaded the app were necessarily impacted.

The campaign distributed the app under various names, including "Mestox Calculator," "WalletConnect - DeFi & NFTs," and "WalletConnect - Airdrop Wallet" (co.median.android.rxqnqb).

Although the app is no longer available on the official Google Play Store, SensorTower data shows it gained popularity in Nigeria, Portugal, and Ukraine. The app was linked to a developer named UNS LIS, who was also associated with another app called "Uniswap DeFI" (com.lis.uniswapconverter), which was active on the Play Store between May and June 2023. It's unclear if the Uniswap DeFI app contained any malicious features.

[Image: Crypto Scam App]

Both apps remain available on third-party app stores, underscoring the risks of downloading APK files from unofficial marketplaces.

Once installed, the fake WalletConnect app redirects users to a fraudulent website, with the destination chosen based on the visitor's IP address and User-Agent string. If those checks pass, users are redirected once more to a site mimicking Web3Inbox.

Those who don't meet the criteria, such as users accessing the site from a desktop browser, are sent to a legitimate website to avoid detection, helping threat actors bypass Google Play's app review process.

Beyond these evasion measures, the app's core component was a cryptocurrency drainer called MS Drainer, which tricked users into connecting their wallets and signing transactions under the pretext of "verifying" them.

The information entered by the victim is sent to a command-and-control server (cakeserver[.]online), which responds with instructions to execute malicious transactions, transferring funds to the attackers' wallet.

Check Point researchers explained, "The malicious app tricks users into signing a transaction in their wallet. This grants permission for the attacker's address (0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF) to transfer the maximum amount of the specified asset, as allowed by its smart contract."

Next, the tokens from the victim's wallet are transferred to another wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) controlled by the attackers.

If victims don’t revoke the permission, the attackers can continue draining the digital assets without further input from the user.
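The approval-then-transferFrom pattern described in the preceding paragraphs is what a wallet, a transaction-simulation service, or an incident responder would look for when triaging what a victim was asked to sign. The following Python example is added here and is not code from Check Point or from the article; it decodes the standard ERC-20 `approve(address,uint256)` and `transferFrom(address,address,uint256)` calldata, flags an unlimited allowance (the maximum uint256 value) and any counterparty matching the two attacker addresses quoted above, and lists which existing allowances should be revoked. The sample transactions and token names are constructed for illustration; the `encode_erc20_call` helper exists only to build those samples.

```python
"""Added example: classify ERC-20 approve()/transferFrom() calldata and flag
the unlimited-allowance drain pattern described in the article. Runs offline;
all sample inputs below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Four-byte function selectors from the standard ERC-20 ABI.
APPROVE_SELECTOR = "095ea7b3"        # approve(address,uint256)
TRANSFER_FROM_SELECTOR = "23b872dd"  # transferFrom(address,address,uint256)
MAX_UINT256 = 2**256 - 1             # the "infinite" allowance value

# Attacker-controlled addresses quoted in the article (lower-cased for comparison).
KNOWN_DRAINER_ADDRESSES = {
    "0xf721d710e7c27323cc0aee847ba01147b0fb8dbf",
    "0xfac247a19cc49dba87130336d3fd8dc8b6b944e1",
}


@dataclass
class Finding:
    function: str      # "approve" or "transferFrom"
    counterparty: str  # spender (approve) or recipient (transferFrom)
    amount: int
    unlimited: bool    # allowance equals MAX_UINT256
    known_bad: bool    # counterparty is in the blocklist
    risk: str          # "low" | "high" | "critical"


def _abi_word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI argument following the 4-byte selector."""
    start = 4 + 32 * index
    return data[start:start + 32]


def _address(word: bytes) -> str:
    """An ABI-encoded address is right-aligned in its 32-byte word."""
    return "0x" + word[12:].hex()


def encode_erc20_call(selector: str, *args: int) -> str:
    """Helper for constructing sample calldata: each argument becomes a 32-byte word."""
    body = "".join(a.to_bytes(32, "big").hex() for a in args)
    return "0x" + selector + body


def decode_calldata(calldata_hex: str) -> Optional[Finding]:
    """Classify a transaction's input data; None if it is not approve/transferFrom."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        return None
    selector = data[:4].hex()
    if selector == APPROVE_SELECTOR and len(data) >= 4 + 2 * 32:
        spender = _address(_abi_word(data, 0))
        amount = int.from_bytes(_abi_word(data, 1), "big")
        unlimited = amount == MAX_UINT256
        known_bad = spender in KNOWN_DRAINER_ADDRESSES
        # Any approval to a known drainer is critical; an unlimited approval to an
        # unknown spender is high risk because it never expires until revoked.
        risk = "critical" if known_bad else ("high" if unlimited else "low")
        return Finding("approve", spender, amount, unlimited, known_bad, risk)
    if selector == TRANSFER_FROM_SELECTOR and len(data) >= 4 + 3 * 32:
        recipient = _address(_abi_word(data, 1))
        amount = int.from_bytes(_abi_word(data, 2), "big")
        known_bad = recipient in KNOWN_DRAINER_ADDRESSES
        risk = "critical" if known_bad else "low"
        return Finding("transferFrom", recipient, amount, False, known_bad, risk)
    return None


def revocations_needed(allowances: List[Tuple[str, str, int]]) -> List[Tuple[str, str]]:
    """From (token, spender, allowance) rows, return the (token, spender) pairs to
    revoke: any non-zero allowance to a known drainer, or an unlimited allowance
    to any spender."""
    return [
        (token, spender)
        for token, spender, amount in allowances
        if amount > 0 and (spender.lower() in KNOWN_DRAINER_ADDRESSES or amount == MAX_UINT256)
    ]


if __name__ == "__main__":
    # Constructed sample: the approval the article describes, addressed to the
    # attacker's spender address with an unlimited amount.
    attacker = int("f721d710e7C27323CC0AeE847bA01147b0fb8dBF", 16)
    sample = encode_erc20_call(APPROVE_SELECTOR, attacker, MAX_UINT256)
    print(decode_calldata(sample))
```

`decode_calldata` deliberately treats only the two ERC-20 functions; anything else returns `None` so a caller can fall through to other checks rather than misreport an unrelated call as safe. The revocation list is the remediation the last paragraph points at: a non-zero allowance to a drainer address, or an unlimited allowance to anyone, stays exploitable until the owner sets it back to zero.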

Check Point also identified another malicious app, "Walletconnect | Web3Inbox" (co.median.android.kaebpq), which was available on Google Play Store in February 2024 and had more than 5,000 downloads.

"This incident underscores the increasing sophistication of cybercriminal tactics, particularly in decentralized finance (DeFi), where users often rely on third-party tools and protocols to manage their digital assets," Check Point said.

"The malicious app didn’t rely on typical attack methods like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were deceived into using the app."

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067