Crypto security firm SlowMist has uncovered a phishing operation, run from China, that steals funds from cryptocurrency users through a trojanised copy of the Skype video app. The scheme exploits China's ban on foreign apps: because Telegram, WhatsApp and Skype cannot be installed through official channels there, many users fetch them from third-party download sites, and scammers have seeded those sites with cloned apps carrying malware built to hijack crypto transfers.
SlowMist's analysis of the fake Skype app, which carries version number 8.87.0.403 while the current legitimate release is 8.107.0.215, found that its backend domain had a history of its own: it first impersonated the Binance exchange on November 23, 2022, and switched to imitating a Skype backend domain on May 23, 2023. The app came to light when a user who had lost a substantial sum to it reported the case.
On the technical side, SlowMist found that the app's signing information differed from the official Skype build, a sign that the APK had been repackaged and re-signed after malicious code was inserted. A signing certificate that does not match the official developer's is the first thing to check on any sideloaded APK, and it is a far more reliable tell than a version number. Decompiling the app showed that the widely used Android networking library okhttp3 had been modified to target crypto users. Where the stock okhttp3 only handles the app's ordinary network requests, the altered version also walks through directories on the phone and watches for newly created images in real time.
To do this, the trojanised app asks for access to internal files and images, a request that is easily waved through because legitimate social media apps ask for the same permissions. Once they are granted, the fake Skype app starts uploading images, device information, the user ID, the phone number and other sensitive data to its malicious backend.
From then on the rogue app continuously scans images and messages for strings shaped like cryptocurrency wallet addresses, specifically the TRX and ETH address formats. Whenever one is found, it is swapped on the fly for an address preset by the phishing gang, so the counterparty receives the attacker's address in place of the one the victim typed, and nothing on the victim's side shows that a change was made.
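To make the substitution concrete, here is an added example written for this article in Python; it is not code from SlowMist or from the malicious app. It models the clipper behaviour the report describes, matching strings by TRX and ETH address shape and swapping them for operator-controlled addresses, and pairs it with the check a defender actually needs: comparing the addresses the sender typed against the ones that arrived, out of band. All addresses are constructed from dummy byte strings; the base58check routine is the standard TRON mainnet encoding (0x41 prefix, double-SHA256 checksum), while ETH addresses are checked by shape only, because the EIP-55 checksum needs Keccak-256, which Python's standard library does not provide. The run shows that the attacker's address passes every format and checksum test, so no local validation of the address itself can flag the swap.

```python
import hashlib
import re

# Address shapes named in the report: EVM/ETH ("0x" + 40 hex digits) and
# TRON/TRX (base58check, 34 characters, always starting with "T" on mainnet).
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRX_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Plain base58 (Bitcoin/TRON alphabet); leading zero bytes become '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58[r] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + raw


def trx_address(hash160: bytes) -> str:
    """TRON mainnet address: 0x41 || hash160 || first 4 bytes of SHA256(SHA256(.))."""
    payload = b"\x41" + hash160
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)


def is_valid_trx(addr: str) -> bool:
    """Base58check validation only: proves the string is well-formed, not who owns it."""
    if not TRX_RE.fullmatch(addr):
        return False
    raw = b58decode(addr)
    if len(raw) != 25 or raw[0] != 0x41:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[21:] == check


def find_addresses(text: str) -> list:
    """Return (chain, address) pairs in order of appearance in the text."""
    found = [(m.start(), "eth", m.group()) for m in ETH_RE.finditer(text)]
    found += [(m.start(), "trx", m.group()) for m in TRX_RE.finditer(text)]
    return [(chain, addr) for _, chain, addr in sorted(found)]


def clipper(text: str, attacker: dict) -> str:
    """Model of what the trojanised client does to a message on its way out:
    every recognised address is replaced by the operator's address on the same
    chain, and nothing else in the message is touched."""
    text = ETH_RE.sub(attacker["eth"], text)
    return TRX_RE.sub(attacker["trx"], text)


def swapped(sent: str, received: str) -> list:
    """Defender-side check: pair up the addresses in the sender's copy and the
    recipient's copy and report the ones that differ. Only this kind of
    out-of-band comparison catches the attack, because the substituted address
    is itself perfectly valid."""
    a, b = find_addresses(sent), find_addresses(received)
    return [(x[1], y[1]) for x, y in zip(a, b) if x != y]


# Constructed sample data: dummy 20-byte hashes, not real wallets.
VICTIM = {"eth": "0x" + "1" * 40, "trx": trx_address(bytes.fromhex("11" * 20))}
ATTACKER = {"eth": "0x" + "e" * 40, "trx": trx_address(bytes.fromhex("ee" * 20))}


if __name__ == "__main__":
    sent = "Send 500 USDT to " + VICTIM["trx"] + " and 0.3 ETH to " + VICTIM["eth"]
    received = clipper(sent, ATTACKER)
    print("sent:    ", sent)
    print("received:", received)
    for before, after in swapped(sent, received):
        ok = is_valid_trx(after) or bool(ETH_RE.fullmatch(after))
        print("swapped", before, "->", after, "| passes local validation:", ok)
```

The checksum routine is there to make the second point explicit: a base58check or EIP-55 failure tells you an address was mistyped, never that it was replaced, because the gang's preset addresses are real addresses. The only check that works is the one `swapped` performs, reading the address back to the sender over a channel the compromised device does not control (a call, or a trusted app on another device) and comparing the whole string, not just the first and last characters.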
During SlowMist's testing the address substitution suddenly stopped working, which indicates that the backend behind the phishing interface had been shut down. That ended the automatic replacement of addresses, at least for this campaign, and gave potential victims a brief respite.
Given this discovery, crypto users, especially those in China, should be cautious about installing applications from third-party platforms, should check that a sideloaded app's signing certificate matches the official developer's rather than trusting its version number, and should confirm a receiving address with the counterparty over a second channel before sending funds. As attackers grow more adept at exploiting regional restrictions and user habits, that kind of vigilance is the main safeguard for digital assets.
Key Takeaways for Crypto Users:
This latest phishing scam underscores the need for continuous vigilance in the ever-evolving landscape of cybersecurity. As the digital realm becomes more intertwined with our daily lives, staying informed and adopting proactive security measures is non-negotiable. Let this serve as a stark reminder that, in the world of cryptocurrencies, safeguarding against potential threats is as crucial as making strategic investment decisions.