| Fake WalletConnect | |
|---|---|
| Type of Malware | Infostealer |
| Date of Initial Activity | 2024 |
| Additional Names | Wallet Scam |
| Motivation | Data Theft |
| Type of Information Stolen | Cryptocurrencies |
| Attack Vectors | Phishing |
| Targeted Systems | Android |
Overview
As cryptocurrency continues to grow in popularity, so do the tactics used by cybercriminals to exploit unsuspecting users. One of the most alarming developments in recent months is the rise of sophisticated crypto drainers, malicious applications that target users’ wallets and siphon off their digital assets. These scams often use advanced social engineering and clever manipulation of legitimate protocols to deceive users into downloading malicious software. A striking example of this is the WalletConnect scam, which was uncovered by Check Point Research (CPR) in 2024. This attack marked the first time a drainer had exclusively targeted mobile users by posing as a legitimate cryptocurrency connection tool. By exploiting the trusted reputation of the WalletConnect protocol, attackers managed to evade detection for months and successfully steal thousands of dollars in digital assets from unsuspecting victims.
WalletConnect is an open-source protocol that connects cryptocurrency wallets to decentralized applications (dApps), enabling users to interact with Web3 platforms securely. As a crucial part of the decentralized finance (DeFi) ecosystem, WalletConnect has earned a strong reputation for its security and ease of use. However, cybercriminals took advantage of the general public’s trust in this protocol to create a fake app that mimicked its functionality. By leveraging the familiarity of the WalletConnect name, the attackers were able to trick users into downloading a malicious app from Google Play. The app, which appeared legitimate and even featured positive reviews, quickly rose to the top of search results and amassed over 10,000 downloads. Unbeknownst to the users, this app was designed to steal cryptocurrency from their wallets once they connected.
Targets
Individuals
How they operate
At its core, the scam revolved around the exploitation of the WalletConnect protocol, an open-source solution widely used in the decentralized finance (DeFi) space to securely connect cryptocurrency wallets to decentralized applications (dApps). WalletConnect allows users to interact with dApps without exposing their private keys, which is critical for ensuring secure transactions and interactions in the Web3 ecosystem. However, in this attack, cybercriminals capitalized on the fact that some users struggled with connecting their wallets to Web3 apps, especially when using older versions of wallet software or encountering technical issues.
The attackers behind the WalletConnect scam created a fake application on Google Play that masqueraded as a legitimate version of the WalletConnect tool. The app was designed to mimic the functionality of the actual WalletConnect protocol, allowing users to connect their wallets to dApps. However, the malicious app was intended to steal cryptocurrency rather than facilitate secure connections. Upon downloading the app, users were prompted to connect their cryptocurrency wallets. The attackers then used sophisticated techniques to intercept and redirect the wallet connection process, allowing them to collect the credentials and private keys associated with the users’ wallets.
One of the key technical strategies used in the scam was social engineering. The attackers relied on the public’s trust in WalletConnect as a reputable and secure protocol. To further deceive users, the malicious app employed fake reviews, high ratings, and consistent branding to create the illusion of legitimacy. These tactics helped the app rank highly in Google Play search results, making it more likely that users would download the app when searching for a solution to connection issues with their wallets. In addition, the app’s interface closely resembled the legitimate WalletConnect interface, further tricking users into believing they were using a trusted tool.
Once a user connected their wallet to the malicious app, the attackers used a combination of keylogging, transaction redirection, and other crypto-draining techniques to gain access to the wallet’s funds. The app did not perform any legitimate transactions, but instead quietly siphoned off the funds to a wallet controlled by the attackers. The app remained undetected for several months, which enabled the attackers to steal approximately $70,000 in cryptocurrency from over 150 victims.
The scammers also made use of evasion techniques that helped them stay under the radar. For example, the app may have employed obfuscation methods to hide its true functionality from app store security scans. Additionally, by exploiting the confusion surrounding WalletConnect’s role in connecting wallets to dApps, the scammers were able to trick users into downloading the malicious app in the first place. This method capitalized on common issues users face when trying to connect their wallets to Web3 apps, which made the scam harder to detect and easier to carry out.
In conclusion, the WalletConnect scam represents a highly technical and well-executed phishing attack that leverages the confusion surrounding the WalletConnect protocol to target mobile users. By using social engineering tactics, fake reviews, and sophisticated wallet connection interception methods, the attackers were able to defraud cryptocurrency holders of significant amounts of digital assets. The attack highlights the evolving nature of crypto scams, which increasingly employ advanced technical strategies to deceive users. As the cryptocurrency ecosystem continues to grow, it is critical that users stay informed about the latest threats and adopt secure practices to protect their digital assets from these increasingly sophisticated attacks.