An application for a “fake wallet” on Google Play is reported to have just recently extorted more than 10,000 people out of their cryptocurrencies, amounting to close to $70,000. This one, named WalletConnect, imitated the trusted WalletConnect protocol but was an attempt at scurvy targeting digital wallets from its users. It is reportedly one of the first big attempts at stealing with just a mobile app for crypto.
Thanks to CheckPoint Research, a cybersecurity firm, an interesting “world-first” was discovered in relation to the scale and method used by scammers to scam unsuspecting victims. Here’s what happened, how it works, and what you can do to ensure that you don’t fall prey in the future.
Fake Wallet App Mimics Real Protocol, Lures in 10,000 Users
The Fake Wallet App, somehow working under the same name as a legitimate WalletConnect protocol, managed to scam thousands of users by posing as a solution to most of the common problems in the Web3 world. Scammers were always aware of compatibility issues between the different wallets and a lack of wide support for the real WalletConnect protocol across the platforms. They based their fake application on those pain points, turning the app into a high-security and user-friendly solution for any Web3 enthusiast.
For them to keep using it, the application had a glossy outlook, an official-sounding name, and even a line of good reviews. These reviews—most probably written by bots or paid reviewers—presented the application as authentic, convincing most users to trust the app.
How the Scam Worked: Draining Crypto Wallets?
After that, using the fake wallet app, users would be required to integrate their wallets with cryptocurrencies, stating that they required this so the access to Web3 applications would become smooth, something that is commonly required for genuine wallets and protocols.
In linking their wallets to their accounts, the unsuspecting users were redirected to a malicious website. That website scraped sensitive information about their wallets; it got wallet addresses, details from the blockchain network, and private keys. Using that data, hackers exploited smart contracts to initiate unauthorized transfers of crypto tokens from victims’ wallets.
Altogether, the scammers accessed approximately $70,000’s worth of cryptocurrency before the app was finally exposed and removed. While over 10,000 people installed the app, CPR’s investigation tied the scam to more than 150 crypto wallets, at minimum, meaning that many hundreds of people have had their funds siphoned off by the scam artists.
Fake Reviews Hide Reality
For all that evil the fake wallet app was doing, only 20 victims published negative reviews on Google Play. Such negative reviews were drowned quickly by fake positive reviews getting passed around. As a result, the app was kept undetected for five months. Meanwhile, an enormous amount of downloads took place as thousands of users unknowingly walked into a trap.
The investigation by CPR only unearthed the scandal and finally led to the complete removal of the app from Google Play in August. From then, most of the damage had been done, and users continued their devastated losses of their hard-earned crypto.
A Wake-Up Call for the Crypto Community
In the Fake Wallet App incident, one senses the sophistication in crypto scams is only going to keep increasing. As digital assets gain a foothold in mainstream culture, these malicious individuals and entities find newer ways to scam people still naive of the risks that come with cryptogold. According to CPR’s cybersecurity expert Alexander Chailytko, this is a “wake-up call” for both users and developers alike.
Chailytko also noted that basic security techniques, though useful, are not good enough to prevent these sophisticated types of scams. He emphasizes the necessity of novel security solutions and increasing awareness of the risks held within malicious applications.
Response from Google: Uninstallation of Fake Wallet Application
Within hours of the detection of the fake wallet app, Google took steps to remove all identified malicious versions of that app from the Play Store. And according to Google, its feature of Play Protect is constructed to automatically protect Android users from known threats—even if those threats come from beyond the Play Store.
In this particular case, however, the fake wallet app did its part by living for months inside the Google ecosystem without any tinge of suspicion against it, raising further questions about Google’s security protocols and whether they actually work in terms of controlling cryptocurrency scams.
This is not the first time malware came from Google Play. In a similar incident that occurred earlier this year, a cybersecurity firm known as Kaspersky discovered that apps infected with the Necro malware were downloaded by as many as 11 million Android users, resulting in unauthorized subscription charges.
Other Crypto Space Threats that are Still Ongoing
To date, one of the latest scams to come upon crypto users is the Fake Wallet App. However, the number of attacks is massive, and the most recent serious malware attack was one called “Cthulhu Stealer.” This malware appeared in August under the disguise of legitimate software targeting MacOS users. The malware is tailored for the purpose of sensitive information thievery or the stealing of MetaMask passwords, IP addresses, and private keys for cold wallets.
There have also been a higher number of email scams related to crypto. There have been instances where email scams utilize automated email responses for spreading silent crypto-mining malware that quietly drains your resources without knowing it.
Scams involving crypto are on the rise, making one even more cautious about dealing with digital currencies since apps that seem super reliable can be fake setup sites.
How to Defend Themselves from Other Fake Wallet Apps?
While the fake wallet app may be gone for good from Google Play, the reality of its existence means other scams will probably arise to take its place. To better keep one’s cryptocurrency safe and sound, here are a few things to watch out for:
Research Heavily Before Downloads: If you are downloading an application that has to do with cryptocurrency, research the application. Read reviews from different sites, check if the application is legitimate through searching for the developer, and even find news about the application.
Only official wallet apps: Use only wallet apps that are from authentic providers. If an application promises to solve problems that other wallets cannot do, then it is a red flag. Legitimate wallet providers will have an official website and will have verified apps on trusted platforms.
Enable 2FA: When your wallet allows you to enable 2FA, do so. This adds another layer of security, so even though the scammer has guessed the password, they won’t have access to the account.
Do Not Click on Suspicious Links: An application may ask you to click on a link or visit a site to complete some process. Most importantly, you should not click on the link. Instead, verify the URL of the website you are being asked to visit. Ensure it is a legitimate URL and you feel safe.
Monitoring Accounts: Monitor your crypto wallets and transaction histories. If you find anything fishy going on, take action immediately by disconnecting your wallet and contacting proper support channels.
Also, utilize a hardware wallet to store large funds. These will not be online, hence less likely to fall prey to online scams.
What’s Next for Crypto Security?
The more participants are in this cryptocurrency world, the more complex the security measures will be. So-called ‘geniuses’ in scamming are becoming brighter in coming up with ways to trick people; thus, out-of-the-box tools may need to be adopted to prevent a breach.
Experts such as those from CPR are pushing for new solutions, ones that go beyond the standard protections. These might be blockchain-based security measures: the flexibility and immutability of blockchain technology enable it to detect fraud in real time.
In the meantime, the best defense is education. With this, users can stay alert to the latest scams and know how to identify red flags that can circumvent them from these scams.
Conclusion
This recent case of the fake wallet app reminds us that in this fast-changing world of cryptocurrency, risks are not a myth. While promises made for decentralized finance and digital assets are highly exciting, they do open up new gates for scammers.
Be aware as a crypto user when you download apps or connect your wallet to third-party platforms. Being cautious and following best security practices will save you from becoming the next victim of scams, especially this fake wallet app. Caution; be informed; be safe.
Keep your eyes open and do your research. Stay safe.
