Chinese hackers use fake Skype app to target crypto users in new phishing scam
A new phishing scam has emerged in China that uses a fake Skype video app to target crypto users
As per a report by crypto security analytic firm SlowMist, the Chinese hackers behind the phishing scam used China’s ban on international applications as the basis of their scam, as several mainland users often search for these banned applications via third-party platforms, to obtain hundreds of thousands of dollars.
Social media applications such as Telegram, WhatsApp, and Skype are some of the most common applications searched for by mainland users, so scammers often use this vulnerability to target them with fake, cloned applications containing malware developed to attack crypto wallets.
In its analysis, the SlowMist team found that the recently created fake Skype application bore version number 22.214.171.1243, while the latest version of Skype is actually 126.96.36.199. The team also discovered that the phishing back-end domain ‘bn-download3.com’ impersonated the Binance exchange on Nov. 23, 2022, and later changed it to mimic a Skype backend domain on May 23, 2023. The fake Skype app was first reported by a user who lost 'a significant amount of money' to the same scam.
The fake app's signature revealed that it had been tampered with to insert malware, and after decompiling the app the security team discovered that it modified a commonly used Android network framework called okhttp3 to target crypto users. The default okhttp3 framework handles Android traffic requests, but the modified okhttp3 obtains images from various directories on the phone and monitors for any new images in real-time.
The malicious okhttp3 requests users to give access to internal files and images, and as most social media applications ask for these permissions anyway they often don’t suspect any wrongdoing. Thus, the fake Skype immediately begins uploading images, device information, user ID, phone number, and other information to the back end.
Once the fake app has access, it continuously looks for images and messages with TRX and ETH-like address format strings. If such addresses are detected, they are automatically replaced with malicious addresses pre-set by the phishing gang.
During SlowMist testing, it was found that the wallet address replacement had stopped, and the phishing interface’s back end was shut down and no longer returned malicious addresses.
Related: 5 sneaky tricks crypto phishing scammers used last year
The team also discovered that a TRON chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) received approximately 192,856 USDT until Nov. 8 with a total of 110 transactions made to the address. At the same time, another ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03) received approximately 7,800 USDT in 10 deposit transactions.
In all, more than 100 malicious addresses linked to the scam were uncovered and blacklisted.
Magazine: Thailand’s $1B crypto sacrifice, Mt. Gox final deadline, Tencent NFT app nixed