Google approves CryptoCurrency Scam App on the Google Play Store which steals over $100,000 from users, and hides evidence
Last week, my buddy told me that he was hacked and lost over $3500 from his AVAX wallet. The total value of loss for other users was well over $100,000. AVAX is a new cryptocurrency similar to MAKR, COMP, and AAVE. “Yeah, these things happen,” I told him. We scanned all his devices for malware, viruses, trojans, worms, rootkits, photos of cats, etc. His devices came up clean. So what actually happened?
Later that day, my buddy was scrambling to understand what happened and talked with the actual Avalanche team, who make the AVAX coin. He told them he downloaded the app from the Google Play Store, and to his utter dismay, one of the moderators replied with “We don’t have an app.” Bam! So we found out where to start.
So he had downloaded an app from the Google Play Store which was posing as a legitimate AVAX wallet. Okay, let’s take a moment here real quick. I am a developer who has made apps for the Apple App Store and Google Play Store. You have to fill out paperwork and pay developer fees with a valid credit card, not a Visa prepaid card. Yes, there are ways around this: get a fake ID and open a fake bank account using someone else’s Social Security number. But I honestly believe this attacker was not privy to real hardcore criminal activity; more or less your average script kiddie. Anyway, Apple’s vetting process is much more thorough than Google’s, but the fact of the matter still stands: Google runs a platform on which it approves apps, so you and I can download them and feel protected knowing they had to be approved by some huge tech company like Apple or Google.
And now to the disconnect…
I immediately reached out to Google. At this point, the app had been removed from the Google Play Store. Upon my first contact and interaction with Google, I got your average chat bot help: nothing. They said that the app was never downloaded on the account we provided, which was a lie. We were able to do a backup and show the app on his device. Screenshot below. Look for AVAX Wallet on the left.
I sent them this screenshot showing that after doing a successful backup, the app was in fact on the phone. They still denied that he had downloaded it. Yeah, makes sense, Google. So we can say the first chat experience was a waste of an hour and a half. The second chat was worse: she ended up exiting the chat before I could even present my case. She told me that due to COVID, they cannot allow their operators to talk on the phone. I told her that you cannot get COVID from talking on the phone with someone 100 miles away. It became quite humorous at this point.
No way to contact
So I was searching everywhere for a phone number or something, and pages returned 404 or the number was disconnected. Yeah, Google, the company that made 182.5 billion dollars in 2020 during the pandemic with obviously no phone operators, cannot hire a few people to answer phone calls or assist loyal customers like me and you. Let’s do some math here. In 2020, when Google made 182.5 billion dollars, they were estimated to have 135,301 employees. California is expensive. But Google has moved to Texas, and I’ve lived in both states. Trust me, Texas is much cheaper, but we will average the two together to make the numbers more accurate. According to Payscale and Glassdoor, the average Senior Software Developer salary is $154,884, which would most likely be one of the highest paying positions, whereas a Support Technician can make as little as $37,000. Okay, so let’s calculate:
182,500,000,000 / 135,301 = 1348844.42835
So if everyone were paid equally, which they obviously are not at Google (and Google definitely doesn’t treat others as equals, which is the entire purpose of this article and investigation), the average person would make $1,348,844. Obviously this doesn’t take into account how much more higher-level executives make, etc. The point is, they have enough money to hire a few people at the call center at the lowest salary of $37,000/year. So that’s a red flag about how this corporate giant does not handle its finances properly, or is busy evading whatever else it is hiding. That’s a whole different story.
Back to the case…
No way to contact Google. This is how they force you to give up and let them each keep their $1,348,844 salary. But like I had mentioned earlier, I have submitted apps to the Google Play Store. I had an email thread with a Google developer I had chatted with regarding issues with my APK signature. At this point, with nothing else to go on, I hit him up. It took about a day, but someone named Ann responded! A person who works in the Google Play Store department. Surely they would be able to help!
Rolling with the big guns
At this point I decided to just draft up a lengthy email with all the evidence I had so that we could skip all the hellos and other electronic greetings. During the time of trying to find someone, my buddy was able to extract the APK off his phone when he did the backup. He sent me the APK, and I used apktool to decompile it down to the source. I loaded it up in Android Studio, and just like I had imagined, it was evident that it was obfuscated like malware. Here is a screenshot of the variables all chopped up using memory addresses to hide plain text.
Here are more files with the actual Avalanche and AVAX name in plaintext.
The AVAX wallet bundle identifier.
Now I sent all of this to Google, and they tried to say they couldn’t do anything and referred me to a Google Wallet Buyer Support link, which upon clicking, took me here.
So it was fairly obvious they didn’t care. They couldn’t even pay a call center employee the lowest salary at the company of $37,000. They made it seem like the app did not come from the Google Play Store. But luckily my friend was able to capture screenshots before it was removed.
So what now?
It is clear Google does not care. It is also clear that Google accepted a scam app that cost my friend and others well over $100,000, based on the transactions on AVAX Explorer (their blockchain explorer). $3500 is a lot of money. That is 2 rent payments in NYC or LA. I remember when I sold my car for $1200. This is a lot of money, and combined this had to result in over $100,000. I was not done. I went back to the source files and went through every single one of them. I found a link to the attacker’s API endpoints, along with their key. I told you, script kiddies.
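The manual pass over the decompiled sources described above (spotting the brand name in plaintext, the bundle identifier, the obfuscated names, and the hardcoded endpoint and key) can be partly scripted for triage. This is an added example, not code from the post or from the app in question: it walks an apktool output directory and reports the package name, hardcoded URLs, key-like strings, brand-name hits and a crude obfuscation indicator; the sample tree, package name, endpoint and key below are constructed placeholders.

```python
import os
import re
import tempfile

# Constructed stand-in for an apktool output tree (not the real app's files).
SAMPLE_FILES = {
    "AndroidManifest.xml": '<manifest package="com.example.fakewallet"></manifest>',
    "smali/a/b/c.smali": '.class La/b/c;\n'
                         '    const-string v0, "https://api.example-scam.test/v1/collect"\n'
                         '    const-string v1, "sk_live_ABCDEF0123456789abcdef"\n',
    "res/values/strings.xml": '<resources><string name="app_name">AVAX Wallet</string></resources>',
}

URL_RE = re.compile(r'https?://[\w.\-/%?=&:]+')
# Key-like tokens: a short prefix (sk, api, token, ...) followed by a long alphanumeric run.
KEY_RE = re.compile(r'\b(?:sk|pk|api|key|token)[_\-]?(?:live|test)?[_\-]?[A-Za-z0-9]{16,}\b', re.I)
PKG_RE = re.compile(r'package="([^"]+)"')
BRAND_RE = re.compile(r'avax|avalanche', re.I)

def build_sample(root):
    """Write the constructed sample tree under root."""
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)

def triage(root):
    """Walk an apktool output directory and collect static indicators worth a closer look."""
    found = {"package": None, "urls": set(), "keys": set(), "brand_hits": set(), "short_names": 0}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="ignore") as f:
                text = f.read()
            if name == "AndroidManifest.xml":
                m = PKG_RE.search(text)
                found["package"] = m.group(1) if m else None
            if name.endswith(".smali") and len(name[:-len(".smali")]) <= 2:
                found["short_names"] += 1  # one/two-letter class names hint at obfuscation
            found["urls"].update(URL_RE.findall(text))
            found["keys"].update(KEY_RE.findall(text))
            if BRAND_RE.search(text):
                found["brand_hits"].add(rel)
    return found

def run_sample():
    """Build the constructed tree in a temp dir and triage it."""
    root = tempfile.mkdtemp()
    build_sample(root)
    return triage(root)

if __name__ == "__main__":
    print(run_sample())
```

On a real apktool output the interesting lines are the `const-string` values in smali and the `<string>` resources; anything flagged here still needs to be read in context before drawing conclusions.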
A whois lookup of course didn’t provide much information. But the domain is still up. And we have already started the process of getting a subpoena to find the identity of the attacker from this domain.
Where do we go from here?
We keep fighting for justice. Share this everywhere. And if you can help in our investigation, or were one of the people who fell victim to an app that the Google Play Store approved which stole large amounts of money from you, reach out. This investigation is nowhere near done. It won’t be done until the attacker is sitting in a 6×8 cell in Cell Block C. And let’s not forget about Google. These guys are always getting sued and going to court for numerous things because they don’t care. It is fairly obvious at this point.
We have contacted the FBI and are actively working on a subpoena. Stay tuned for the capture of this attacker, and a subsequent lawsuit for Google.