Being the first malware targeting crypto users on the Android platform, the malicious app also evaded security checks for months
Posing as a legitimate open source connectivity tool for decentralized crypto applications, a malicious crypto app on Google Play has been siphoning funds from unsuspecting victims for months.
Called a crypto drainer, this type of malware is often found in phishing websites and apps that mimic legitimate platforms, and once launched, can quickly empty victims’ crypto wallets of their assets.
According to sources, this was the first reported instance of a crypto drainer exclusively targeting mobile device users. Distributed under several names, including “Mestox Calculator”, “WalletConnect – DeFi & NFTs” and “WalletConnect – Airdrop Wallet” (package name co.median.android.rxqnqb), the crypto drainer had been downloaded at least 10,000 times by Google Play users, and losses have been clocked at approximately US$70k from at least 150 victims.
Modus operandi
For nearly five months, the malicious app passed Google Play's security checks by posing as a tool facilitating the WalletConnect protocol, and it even remained a top-ranked offering through fake positive reviews and modern evasion tactics.
Once installed, the app prompted users to connect their wallets, redirected them to malicious websites and executed unauthorized transactions, draining valuable tokens while avoiding immediate detection. This process was repeated across various blockchain networks, allowing the attackers to systematically strip assets from victims.
According to Alexander Chailytko, Manager (Cyber Security, Research & Innovation), Check Point Software Technologies, the firm that disclosed its research on the crypto drainer: “This incident is a wake-up call for the entire digital asset community, as the emergence of the first mobile crypto drainer app on Google Play marks a significant escalation in the tactics used by cybercriminals and the rapidly evolving landscape of cyber threats in decentralized finance… It’s essential that both users and developers stay informed and take proactive measures to secure their digital assets.”
The crypto drainer is no longer available for download, but readers are reminded that apps available on the official Google Play platform are not guaranteed to be safe.