A new phishing scam has emerged in China that uses a fake Skype video app to target crypto users.
According to a report by crypto security analytics firm SlowMist, the Chinese hackers behind the phishing scam used China’s ban on international applications as the basis of their fraud, with many mainland users often searching for these banned applications via third-party platforms.
Social media applications such as Telegram, WhatsApp and Skype are some of the most common applications searched for by mainland users, so scammers often use this vulnerability to target them with fake, cloned applications containing malware developed to attack crypto wallets.
In its analysis, the SlowMist team found that the recently created fake Skype application displayed version 22.214.171.1243, while the latest official version of Skype is 126.96.36.199. The team also discovered that the phishing back-end domain “bn-download3.com” impersonated the Binance exchange on Nov. 23, 2022, later changing to mimic a Skype back-end domain on May 23, 2023. The fake Skype app was first reported by a user who lost “a significant amount of money” to the same scam.
The fake app’s signature revealed that it had been tampered with to insert malware, and after decompiling the app the security team discovered that it modified a commonly used Android network framework called okhttp3 to target crypto users. The default okhttp3 framework handles Android traffic requests, but the modified okhttp3 obtains images from various directories on the phone and monitors for any new images in real-time.
The malicious okhttp3 requests users to give access to internal files and images, and as most social media applications ask for these permissions anyway they often don’t suspect any wrongdoing. Thus, the fake Skype immediately begins uploading images, device information, user ID, phone number, and other information to the back end.
Once the fake app has access, it continuously looks for images and messages with TRX and ETH-like address format strings. If such addresses are detected, they are automatically replaced with malicious addresses pre-set by the phishing gang.
During SlowMist testing, it was found that the wallet address replacement had stopped, and the phishing interface’s back end was shut down and no longer returned malicious addresses.
Related: 5 sneaky tricks crypto phishing scammers used last year
The team also discovered that a TRON chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) received approximately 192,856 USDT until Nov. 8 with a total of 110 transactions made to the address. At the same time, another ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03) received approximately 7,800 USDT in 10 deposit transactions.
The SlowMist team flagged and blacklisted all wallet addresses linked to the scam.
Magazine: Thailand’s $1B crypto sacrifice, Mt. Gox final deadline, Tencent NFT app nixed