Something of an interesting week for Android users ends with more bad news. Coming fast behind Necro, a dangerous trojan hiding inside Play Store, we now have another threat that has beaten Google’s defenses and tricked users into putting themselves, their devices and—in this instance—their crypto at risk.
Check Point Research warns this is “a wake-up call for the entire digital asset community,” having discovered Play Store’s first crypto drainer targeting just mobile users. This “significant escalation in the tactics used by cybercriminals,” they say, marks “the rapidly evolving landscape of cyber threats in decentralized finance.” The app has now been deleted from Play Store, but the warning remains very real.
As we saw with Necro, this latest threat deploys “modern evasion techniques to avoid detection,” which alarmingly seem to have given it a five-month run on Play Store. This specific app was fairly specialist, pretending to simplify the use of the Web3 WalletConnect protocol, which connects decentralized apps and user wallets.
“Not all wallets support WalletConnect,” Check Point explains. “Cleverly, attackers exploited the complications of WalletConnect and tricked users into thinking that there was an easy solution—the falsified WalletConnect app on Google Play.”
The malicious app first hit the Play Store in March this year, and was installed at least 10,000 times stealing at least $70,000. As ever, what we don’t know is the level of activity outside Play Store, but the very specific nature of this campaign is a positive as once users understand the threats, they can’t be tricked again—one would hope. While the current numbers are modest, this is a first. You can expect more of this to come, and so the warning to avoid connecting unverified apps to wallets is stark.
Any malicious app that connects to digital wallets as a core function is starting well ahead of the line and is likely to be effective quickly. “The malicious app activates the chosen wallet,” Check Point says, “and directs it to a malicious website. Users then must verify the selected wallet and are asked to authorize several transactions.”
Each user action triggered communications to the command and control server driving the app, “retrieving details about the user’s wallet, blockchain networks, and addresses.” Check Point says the app withdrew “more expensive tokens before targeting less expensive ones,” ensuring that the most valuable assets were stolen as quickly as possible, in case the app was discovered and stopped.
Thus far, the number of identified victims is limited, albeit there were less negative Play Store reviews than known instances, which is surprising. The app has obviously now been removed and it’s certain that Play Protect has been primed in case there’s a next time. I have asked Google for any additional comments on Check Point’s report.
Check Point says the lure of “decentralized finance,” drives “increasing sophistication of cybercriminal tactics.” More worryingly, “conventional tools like Google Search, Shodan, and automated checks often fail to identify such threats… This makes it nearly impossible for automated systems and manual searches to detect them.”
Android 15 is due next month—at least for some users, with a raft of new security updates; meantime Play Store has promised to cull low-quality apps. Both these measures plus the ongoing scanning enhancements before apps make it onto the store need to do a better job of keeping such threats at bay.
