Cybersecurity firm SlowMist reported on a new vector targeting crypto and Web3 users. This scam, which led to the theft of funds from an unsuspecting victim who downloaded the app from the internet, highlights the growing sophistication of cybercriminals targeting not just wallets and exchanges but also widely used social media apps.
SlowMist Uncovers Sophisticated Phishing Operation Using Fake Skype App
According to the report, the attack was launched mostly against users in China. In the region, restrictions against conventional App stores forced users to download unofficial software versions, creating bigger vulnerabilities.
Skype, WhatsApp, Telegram, and other significant applications are often the subject of these attacks. On this occasion, the security firm examined an attack using a fake version of Skype, which affected an individual who lost $200,000.
Upon examination, the fake Skype app’s signature information raised immediate red flags, being overly “simplistic” and labeled merely as “CN,” as seen in the image below.
This, coupled with the certificate’s recent effective date of September 11, 2023, suggested a recent creation, likely by a Chinese phishing group. Using an outdated Skype version, the app was found across multiple internet sources, aligning with the victim’s account.
A Deeper Look Into The Phishing App Attack
The SlowMist team’s analysis went deeper, uncovering that the app had been fortified using Bangcle, a tactic common in fake apps to hinder analysis. Decompiling the APK revealed alterations to the okhttp3 network framework, enabling the app to hijack various data from the user’s device.
This modified okhttp3 was designed to upload images and monitor for new ones in real time, sending them to a phishing backend.
The phishing backend ‘bn-download3.com’ had previously impersonated the Binance exchange before mimicking a Skype backend. This domain was part of a series used by the phishing gang, indicating their repeated offenses in the Web3 world.
The app also sought user permissions under the guise of social media functionality and then began uploading personal data, including images, device information, and phone numbers. In a more sinister turn, the app monitored for and replaced cryptocurrency addresses in messages with malicious ones controlled by the attackers.
The SlowMist team successfully blacklisted the malicious addresses and, through their MistTrack analysis, discovered significant amounts of USDT transactions linked to these addresses, with funds being transferred out through various services.
The stolen funds were sent to the following addresses on the TRON and Ethereum blockchain: TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB and TEGtKLavujdMrYxQWAsowXqxUHMdurUhRP (TRON). On the second blockchain: 0xF90acFBe580F58f912F557B444bA1bf77053fc03, 0x03d65A25Db71C228c4BD202C4d6DbF06f772323A.
This case mirrors a previous fake Binance app scam, reported in late 2022, revealing a pattern of sophisticated phishing operations. Users are urged to download apps only from official channels and stay vigilant against such deceptions.
The SlowMist Security Team emphasizes the importance of enhanced security awareness in the blockchain space. As of this writing, Ethereum (ETH) trades at $2,060.
Cover image from Unsplash, chart from Tradingview