A fraudulent app named WalletConnect infiltrated the Google Play Store, targeting web3 users by mimicking a legitimate open-source protocol designed for connecting decentralized applications and crypto wallets. Security researchers at Check Point Research (CPR) discovered that the attackers deliberately named the app to confuse users, as it closely resembled the real WalletConnect protocol. The app even featured the authentic WalletConnect logo.
The scammers capitalized on existing issues with the legitimate WalletConnect protocol, such as its lack of universal support among popular crypto wallets, marketing their fake app as a solution. With no official WalletConnect app available in the Play Store, it attracted over 10,000 downloads, making it an easy target.
While thankfully not all users were scammed, CPR identified over 150 verified transaction addresses linked to the app, indicating that many had fallen victim to the scheme. Upon installation, users were prompted to link their cryptocurrency wallets, believing they were accessing a trustworthy service.
Once connected, the app misled victims into authorizing transactions while redirecting them to a malicious website that collected sensitive wallet information. The attackers used smart contracts to transfer tokens from the victims’ wallets, even swapping valuable cryptocurrencies for less valuable ones, ultimately stealing around $70,000 in crypto.
Remarkably, only 20 users left negative reviews on the Play Store, allowing the scammers to flood the app with positive feedback, which obscured its fraudulent nature. The app launched in March and remained available for five months before being removed by Google. This incident marks a troubling trend, as it represents the first known case of a “crypto drainer” specifically targeting mobile users.
