Fake WalletConnect App Discovered on Google Play Store
Security experts from Check Point have discovered a fake app posing as the crypto project WalletConnect in the official Google Play Store. This malicious app was designed to steal cryptocurrency from users. It was available for about five months and accumulated over 10,000 downloads during that time.
The malicious app used the name WallConnect and claimed to be a Web3 tool that could act as a proxy between cryptocurrency wallets and decentralized applications (dApps). The real WalletConnect project is an open-source crypto bridge protocol designed for this purpose, although it has some limitations since not all wallets support it.
“Given all the complexities with WalletConnect, an inexperienced user might conclude that it’s a standalone wallet app that needs to be downloaded and installed. Attackers exploit this confusion, hoping users will search for a WalletConnect app in the app store,” the researchers explained.
The fake app (co.median.android.rxqnqb) first appeared on Google Play in March of this year under the name Mestox Calculator, imitating the open-source project CalcDiverse. The app’s name changed several times, and it quickly boosted its rating with fake user reviews, attracting more attention and potential victims.
The malicious app was created using the median.co service, which allows websites to be converted into Android or iOS apps. As a result, WallConnect essentially functioned as a browser that opened a specified website.
After installation, WallConnect directed users to a malicious website mimicking Web3Inbox, where they were prompted to authorize several transactions. This led to the theft of confidential information about their crypto wallets and digital assets.
If users were located in certain countries (determined by IP address) and if the HTTP User-Agent did not match that of a mobile device, victims were redirected to a legitimate resource instead.
Attack Scheme and Malware Details
Upon analyzing the malware’s code, researchers identified it as MS Drainer—one of the most advanced malicious toolkits for stealing cryptocurrency currently available on the black market. The malware supports a wide range of EVM blockchains, including Ethereum, BNB Smart Chain, Polygon, Avalanche, Arbitrum, Fantom, and Optimism.
MS Drainer’s standout feature is its asset detection capabilities. The malware uses trusted providers such as DeBank, Ankr, Zapper, and OpenSea to scan users’ wallets for valuable assets. MS Drainer then automatically withdraws these assets, prioritizing more expensive tokens before stealing less valuable ones.
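The transactions the fake site asks the victim to authorize are, for drainer toolkits of this class, typically token approvals that hand the attacker's contract permission to move the victim's assets; that is an assumption here, since the article does not detail which transaction types MS Drainer requests. The following added example, not code from Check Point or from the article, is a pre-signing check a wallet or security extension could run: it decodes ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` calldata and flags unlimited or operator-wide approvals to a spender outside a trusted list. The selectors are the real ones; the trusted-spender set and any sample calldata are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Set

UINT256_MAX = 2**256 - 1

# Real 4-byte selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 spending allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721/1155 operator grant
}


@dataclass
class Finding:
    function: str
    spender: str
    severity: str  # "high" or "medium"
    reason: str


def _arg(data: bytes, index: int) -> bytes:
    """Return the 32-byte ABI word for argument `index` after the selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def review_calldata(calldata_hex: str, trusted: Set[str]) -> Optional[Finding]:
    """Flag approvals that hand asset control to a spender not in `trusted`.

    Returns None when the call is not an approval, revokes one, or targets
    a trusted spender. Addresses are compared lowercase with a 0x prefix.
    `trusted` is a constructed allow-list supplied by the caller.
    """
    data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return None
    spender = "0x" + _arg(data, 0)[12:].hex()  # address is right-aligned in its word
    if spender in {t.lower() for t in trusted}:
        return None
    if sig.startswith("approve"):
        amount = int.from_bytes(_arg(data, 1), "big")
        if amount == 0:
            return None  # revocation, nothing to warn about
        if amount == UINT256_MAX:
            return Finding(sig, spender, "high", "unlimited allowance to unknown spender")
        return Finding(sig, spender, "medium", f"allowance of {amount} to unknown spender")
    if int.from_bytes(_arg(data, 1), "big") != 1:
        return None  # setApprovalForAll(spender, false) revokes the operator
    return Finding(sig, spender, "high", "operator approval over every token to unknown spender")
```

Run `review_calldata` on the `data` field of each transaction a dApp submits for signing; a "high" finding for a spender the user does not recognise is the point at which a drainer flow should be refused.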
During the five months the app was available on the official Android store, it reached 10,000 downloads. Analysts report that at least 150 victims suffered losses from WallConnect, losing digital assets worth over $70,000 in cryptocurrency. However, only 20 people left negative reviews about the app on Google Play.
Given the discrepancy between the number of victims and the number of downloads, researchers believe the malware operators may have artificially inflated the app’s download count.
The fake WallConnect app has now been removed from the Google Play Store.