Victims Lose $70k To A Single Crypto Wallet-Draining App On Google Play Store
A malicious app impersonating the legitimate ‘WalletConnect’ project was available on Google Play for five months, amassing over 10,000 downloads. The fraudulent app, designed to drain cryptocurrency from unsuspecting web3 users, managed to steal approximately $70,000 from victims before being taken down.
The app posed as an official WalletConnect application, despite no such app existing on the Play Store. WalletConnect, a widely used protocol that lets users connect decentralized applications to their crypto wallets, does not offer a dedicated app.
George McGregor, VP at Approov Mobile Security, had this to say:
“This is an example of a massive issue. Both iOS and Android are affected by fake apps. HarmonyOS and the Samsung Galaxy Store are not immune to the issue. The problem is significant enough that it impacts users of all major mobile operating systems. Despite security measures, and claims to the contrary, fake apps can slip through on all mobile platforms. Official app stores like Google Play and the Apple App Store are overwhelmed, struggling to address this issue, despite having extensive app review processes in place.
“Some scammers have found ways to exploit the Apple App Store process by initially submitting apps in specific languages for certain countries, then gradually expanding to other markets.
“As regulations like the EU’s DMA (Digital Markets Act), the UK’s DMCC (Digital Markets, Competition and Consumers Act 2024), and Japan’s SSCPA (Smartphone Act) kick in, more apps will be available outside of official app stores and security based on official app stores will become even more irrelevant than it already is.
“So, fake and unauthorized apps are a significant and growing problem. Common advice is that USERS should protect themselves: remain vigilant, carefully review app permissions, be wary of suspicious reviews or download numbers. But the reality is that all platforms face challenges with fake reviews and artificially inflated app rankings, which can make it difficult for users to identify legitimate apps. It is unrealistic to expect users to protect themselves from fake apps.
“In fact, it is critical that app developers must put solid security in place – this means a zero trust runtime security solution that immediately identifies and blocks fake apps before they even try to access an API.”
This highlights the fact that users need to be vigilant about what they download. And that’s on top of app marketplaces needing to tighten up their security to prevent this scenario from happening again.
This entry was posted on September 28, 2024 at 8:09 am and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.