- A fraudulent app called “Mestox Calculator” impersonated WalletConnect on Google Play, deceiving users and stealing over $70,000 from about 150 victims.
- By posing as a calculator and padding its listing with fake reviews, the app stayed on Google Play for about five months, trading on users' trust in the WalletConnect name the whole time.
The crypto community was alerted to a fake application on Google Play that masqueraded as WalletConnect, the open-source protocol that links crypto wallets to decentralized apps. The malicious app duped more than 150 people into losing, collectively, over $70,000 worth of cryptocurrency. The deception was uncovered by Check Point Research (CPR), who reported that the app had been downloaded over 10,000 times before it was finally removed from the store.
Unveiling the Scam: Mestox Calculator’s Hidden Agenda
The fake app first appeared on Google Play on March 21, 2024, as “Mestox Calculator.” Over time it went through several transformations, ending up as a look-alike of a WalletConnect application. Through all of these changes the app kept its original URL, which pointed to a benign-looking calculator website. That choice is what got it past Google's review: anyone vetting the listing followed the URL and saw a harmless calculator, while the malicious behaviour lived on the server side rather than in the reviewed app itself.
CPR's investigation found that the scammers relied on social engineering to build credibility. The listing carried fake reviews and professional-looking branding, which lifted it in search results and made it look legitimate. Users believed they were downloading a genuine crypto tool, helped along by a name that exploited the trust associated with the WalletConnect brand.
The Mechanics of Fraud
Once installed, the app asked users to connect their crypto wallets and sign what were presented as routine connection and permission steps, the kind of prompts any wallet-linked app shows. Those prompts were in fact signing requests generated by a drainer kit: typically token approvals that grant an attacker-controlled address the right to spend the victim's assets, after which the operators move the funds out with an ordinary transferFrom call. The app never obtained anyone's private key; the victims, not realising what the requests did, authorised the outgoing transactions themselves.
The backend also filtered visitors by IP address and device type. Only those who matched the target profile were redirected to the server hosting the MS Drainer kit that generated the fraudulent transactions; everyone else stayed on the calculator site. This kind of cloaking is why a single review pass from a desktop or from outside the targeted regions sees nothing wrong, and why a check of such an app has to be run from a device and network that look like a real victim's.
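The signing step described under “The Mechanics of Fraud” is where the theft actually happens, so it is worth seeing what a wallet receives. The block below is an added example, not code from the original article, from CPR, or from WalletConnect: it decodes the calldata of an eth_sendTransaction request of the kind a dapp sends over a WalletConnect session and flags the calls a drainer depends on (an unlimited ERC-20 approve to an unknown spender, setApprovalForAll, transferFrom out of the victim's own address). The token, spender and victim addresses and the amounts are constructed for the example; the real addresses used in the campaign are not on this page.

```python
# Added example: decode a wallet signing request and flag drainer-style calls.
# All addresses and amounts below are constructed for illustration.

MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**255  # anything this large is effectively an unlimited allowance

# 4-byte selectors = first 4 bytes of keccak256(function signature); static-typed args only
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),                 # ERC-20 approve(spender, amount)
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),          # ERC-721/1155 operator approval
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
}


def _decode_word(word: bytes, typ: str):
    """Decode one 32-byte ABI word of a static type."""
    if typ == "address":
        return "0x" + word[12:].hex()          # addresses are right-aligned in the word
    if typ == "uint256":
        return int.from_bytes(word, "big")
    if typ == "bool":
        return word[-1] != 0
    raise ValueError(f"unsupported type {typ}")


def decode_calldata(data: str):
    """Return {'function', 'selector', 'args'}, or None if the calldata is malformed."""
    hexstr = data[2:] if data.startswith("0x") else data
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        return None
    if len(raw) == 0:                          # plain native-coin transfer, no contract call
        return {"function": "native transfer", "selector": "", "args": []}
    if len(raw) < 4:
        return None
    selector = raw[:4].hex()
    if selector not in SELECTORS:
        return {"function": "unknown", "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    body = raw[4:]
    if len(body) != 32 * len(types):           # exact length expected for static args
        return None
    args = [_decode_word(body[i * 32:(i + 1) * 32], t) for i, t in enumerate(types)]
    return {"function": name, "selector": selector, "args": args}


def assess_request(tx: dict, own_address: str, trusted_spenders=frozenset()) -> list:
    """Warnings for one transaction request; an empty list means nothing drainer-like was seen."""
    findings = []
    call = decode_calldata(tx.get("data", "0x"))
    if call is None:
        return ["calldata is malformed or truncated; refuse to sign blind"]
    fn, args, to = call["function"], call["args"], tx.get("to")
    if fn == "unknown":
        findings.append(f"unknown selector 0x{call['selector']}; verify the contract before signing")
    elif fn == "approve":
        spender, amount = args
        if spender.lower() not in trusted_spenders:
            findings.append(f"approve grants {spender} spending rights on {to}")
        if amount >= UNLIMITED_THRESHOLD:
            findings.append("approve amount is unlimited (uint256 max)")
    elif fn == "setApprovalForAll":
        operator, approved = args
        if approved and operator.lower() not in trusted_spenders:
            findings.append(f"setApprovalForAll hands every NFT in {to} to {operator}")
    elif fn == "transferFrom" and args[0].lower() == own_address.lower():
        findings.append(f"transferFrom moves your tokens to {args[1]}")
    value = int(tx.get("value", "0x0"), 16)
    if value > 0:
        findings.append(f"also sends {value} wei of native coin to {to}")
    return findings


# Constructed sample data (hypothetical addresses, not from the CPR report).
OWN = "0x" + "aa" * 20                   # the victim's wallet
ATTACKER = "0x" + "deadbeef" * 5         # hypothetical drainer-controlled spender
TOKEN = "0x" + "11" * 20                 # hypothetical ERC-20 token contract


def _word_addr(addr: str) -> str:
    return "00" * 12 + addr[2:].lower()


def _word_uint(n: int) -> str:
    return format(n, "064x")


# What a drainer asks the victim to sign: an unlimited approve to its own address.
DRAINER_APPROVE = {"from": OWN, "to": TOKEN, "value": "0x0",
                   "data": "0x095ea7b3" + _word_addr(ATTACKER) + _word_uint(MAX_UINT256)}
# A normal transfer of 1,000,000 base units, for comparison.
BENIGN_TRANSFER = {"from": OWN, "to": TOKEN, "value": "0x0",
                   "data": "0xa9059cbb" + _word_addr("0x" + "bb" * 20) + _word_uint(10**6)}

if __name__ == "__main__":
    for label, tx in [("drainer", DRAINER_APPROVE), ("benign", BENIGN_TRANSFER)]:
        print(label, assess_request(tx, OWN) or ["no findings"])
```

The point of the check is the one a victim never gets to see in a dressed-up “connect your wallet” dialog: an approve with a maximal amount to an address that is not a known exchange or protocol contract is a blank cheque, and a wallet that renders the decoded call (spender, amount, contract) instead of an opaque hex blob gives the user a chance to refuse. Existing approvals can be listed and revoked with any allowance-checking tool after the fact, but nothing on chain undoes a transfer that has already been made.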