An app on Google Play was discovered stealing cryptocurrency from users, employing advanced social engineering and trusted protocols. Check Point Research exposed the app after it had siphoned $70,000, deceiving over 150 victims. The attackers used the Walletconnect protocol to appear legitimate, manipulating Google search rankings and avoiding detection through encryption and obfuscation techniques.

Malicious App on Google Play Steals Cryptocurrency Using Walletconnect Protocol

Cybersecurity firm Check Point Research (CPR) shared on Thursday that it has “uncovered a malicious app on Google Play designed to steal cryptocurrency, marking the first time a drainer has targeted mobile device users exclusively.”

The app, which remained active for nearly five months, exploited the trusted Walletconnect protocol and tricked users through fake branding and social engineering tactics. The cybersecurity firm detailed that before the app was removed from Google Play:

It managed to victimize over 150 users, resulting in losses exceeding $70,000.

The attackers used the Walletconnect name to appear legitimate, achieving over 10,000 downloads by manipulating search rankings and using fake reviews. According to CPR, “Advanced social engineering” played a crucial role in deceiving users into downloading the app and connecting their cryptocurrency wallets. Once users interacted with the app, it prompted them to sign malicious transactions, allowing attackers to drain their digital assets silently.

The report mentioned, “Not all of the users who downloaded the drainer were affected,” adding:

Some didn’t complete the wallet connection, others recognized suspicious activity and secured their assets, and some may not have met the malware’s specific targeting criteria.

Further analysis by CPR revealed that the app avoided detection using sophisticated obfuscation techniques and anti-analysis methods, even bypassing Google Play’s security checks. The attackers used advanced redirection and encryption tactics to mask their true intentions. The app relied heavily on external malicious scripts, complicating detection and allowing attackers to remain hidden. CPR emphasized, “This incident highlights the growing sophistication of cybercriminal tactics,” especially in decentralized finance, where users often rely on third-party protocols to manage digital assets.
