IT security firm Check Point Research has uncovered a crypto wallet drainer on the Google Play store that used “advanced evasion techniques” to steal more than $70,000 in five months.

The malicious app disguised itself as the WalletConnect protocol, a well-known app in the crypto space that can link a variety of crypto wallets to decentralized finance (DeFi) applications.

The security company said in a Sept. 26 blog post that it marked “the first time drainers exclusively targeted mobile users.”

It added: “Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results.”

More than 150 users were scammed out of about $70,000. Not all app users were affected, as some either didn’t connect a wallet or recognized it was a scam. Others “may not have met the malware’s specific targeting criteria,” Check Point Research said.

Some of the fake reviews on the spoofed WalletConnect app mentioned features that had nothing to do with crypto. Source: Check Point Research

It added that the fake app was made available on Google’s app store on March 21 and used “advanced evasion techniques” to remain undetected for more than five months. It has now been removed.

The app was first published under the name “Mestox Calculator” and was changed several times, though its application URL still pointed to a seemingly harmless website with a calculator. 

“This technique allows attackers to pass the app review process in Google Play, as automated and manual checks will load the ‘harmless’ calculator application,” the researchers said. 

Depending on the user’s IP address location and if they were using a mobile device, some were redirected to the malicious app back-end that housed the wallet-draining software MS Drainer.

A diagram of how the fake WalletConnect app worked to drain certain user funds. Source: Check Point Research

Much like other scams designed to drain wallets, the fake app prompted users to connect their wallets — a request that wouldn’t seem suspicious given how the legitimate app operates.

Users were then asked to accept various permissions to “verify their wallet,” which grants permission for the attacker’s address “to transfer the maximum amount of the specified asset,” Check Point Research said.

Related: Polymarket users complain of mysterious Google login wallet attacks

“The application retrieves the value of all assets in the victim’s wallets. It first attempts to withdraw the more expensive tokens, followed by the cheaper ones,” it added.

“This incident highlights the growing sophistication of cybercriminal tactics,” Check Point Research wrote. “The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app.”

It added that users must be “wary of the applications they download, even when they appear legitimate,” and that app stores must improve their verification process to stop malicious apps.

“The crypto community needs to continue to educate users about the risks associated with Web3 technologies,” the researchers said. “This case illustrates that even seemingly innocuous interactions can lead to significant financial losses.”

Google did not immediately respond to a request for comment.

Crypto-Sec: 2 auditors miss $27M Penpie flaw, Pythia’s ‘claim rewards’ bug