![Chinese hackers use fake Skype app to target crypto users in new phishing scam](https://i0.wp.com/images.cointelegraph.com/cdn-cgi/image/format%3Dauto%2Conerror%3Dredirect%2Cquality%3D90%2Cwidth%3D1200/https%3A//s3.cointelegraph.com/uploads/2023-11/993d5b90-0ce4-4d35-b040-92309f48ccf4.jpg?w=1024&ssl=1)
A new phishing scam has emerged in China that uses a fake Skype video app to target cryptocurrency users.
According to a report by crypto security analytics firm SlowMist, the Chinese hackers behind the phishing scam rely on China's ban on international apps: many mainland users search for the banned apps on third-party platforms, and the scammers distribute their fakes through those channels.
Social media apps such as Telegram, WhatsApp and Skype are among those most commonly searched for by mainland users, so scammers exploit that demand to push fake cloned apps carrying malware built to attack crypto wallets.
![](https://i0.wp.com/s3.cointelegraph.com/uploads/2023-11/3ff8fba4-ea9f-4a3e-b048-b2b2734e274a.png?w=640&ssl=1)
In its analysis, the SlowMist team discovered that a recently created fake Skype application showed version 8.87.0.403, while the latest official version of Skype is 8.107.0.215. The team also discovered that the phishing backend domain “bn-download3.com” impersonated the Binance exchange on November 23, 2022, and was subsequently changed to imitate the Skype backend domain on May 23, 2023. The fake Skype app was first reported by a user who lost “a lot of money” to the same scam.
The fake app's signature shows that it has been tampered with to insert malware. After decompiling the app, the security team found that okhttp3, a widely used Android networking library, had been modified to target crypto users. The stock okhttp3 handles the app's HTTP requests, but the modified copy also fetches images from various directories on the phone and monitors for new images in real time.
The malicious okhttp3 asks the user to grant access to internal files and images; since most social media apps request these permissions anyway, users usually don't suspect anything. Once the permissions are granted, the fake Skype immediately begins uploading images, device information, user IDs, phone numbers and other data to the backend.
With that access, the fake application keeps scanning images and messages for strings matching the Tron (TRX) and Ether (ETH) address formats. Any address it detects is automatically replaced with a malicious address pre-programmed by the phishing group.
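The pattern-and-swap behaviour described above has a defensive counterpart, shown here as an added example that is not code from SlowMist or from the trojan: a client receiving a message can run the same shape match for Tron ('T' plus 33 base58 characters) and Ether ('0x' plus 40 hex digits) addresses, verify the Tron base58check checksum, and flag any address the user did not expect. The function names, regex and sample message are my own; the Ether address in the sample is the one quoted in the report below.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# The shapes the trojan hunts for: Tron = 'T' + 33 base58 chars, Ether = 0x + 40 hex.
ADDR_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b|\b0x[0-9a-fA-F]{40}\b")


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw

def b58encode(b: bytes) -> str:
    n, out = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(b) - len(b.lstrip(b"\x00"))) + out

def trx_checksum(payload: bytes) -> bytes:
    """Base58check tag: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def valid_trx(addr: str) -> bool:
    """True only if addr decodes to 0x41 + 20-byte hash + a matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0x41 and raw[21:] == trx_checksum(raw[:21])

def trx_from_hash(h20: bytes) -> str:
    # Build a well-formed Tron address from a 20-byte hash (used for test vectors).
    payload = b"\x41" + h20
    return b58encode(payload + trx_checksum(payload))

def audit_message(text: str, expected: set) -> dict:
    """Label each address-shaped string 'expected', 'unexpected' or 'malformed'.
    Ether addresses get a shape check only (EIP-55 needs keccak, absent from stdlib)."""
    verdicts = {}
    for a in ADDR_RE.findall(text):
        if a.startswith("T") and not valid_trx(a):
            verdicts[a] = "malformed"
        else:
            verdicts[a] = "expected" if a in expected else "unexpected"
    return verdicts

# Constructed sample message: a freshly built Tron address plus the Ether address from the report.
SAMPLE = f"pay {trx_from_hash(bytes(20))} or 0xF90acFBe580F58f912F557B444bA1bf77053fc03"
```

A swapped-in address still passes the checksum, because the attacker controls it; the useful signal is "unexpected", meaning the address about to be paid is not one the user already trusts.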
![](https://i0.wp.com/s3.cointelegraph.com/uploads/2023-11/96c867ad-32b6-4002-be34-a243519adf8d.png?w=640&ssl=1)
During SlowMist's testing, the team found that the wallet address replacement had stopped: the phishing backend interface was shut down and malicious addresses were no longer being returned.
The team also found that as of November 8, the Tron chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) had received approximately 192,856 Tether (USDT) across a total of 110 transactions. Meanwhile, another ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03) received approximately 7,800 USDT in 10 transactions.
The SlowMist team flagged and blacklisted all wallet addresses associated with the scam.