Chinese Hackers Use Fake Skype App to Target Crypto Users in New Phishing Scam

A new phishing scam has surfaced in China that uses a fake Skype video app to target crypto users.

According to a report by crypto security analytics firm SlowMist, the Chinese hackers behind the phishing scam took advantage of China's ban on foreign apps, which drives many mainland users to look for those apps on third-party platforms.

Social media applications such as Telegram, WhatsApp, and Skype are among the most sought after by mainland users, so fraudsters exploit this demand by distributing cloned versions of these apps that contain malware designed to attack crypto wallets.

Baidu Skype search results. Source: Baidu

According to an analysis by the SlowMist team, the recently created version of the fake Skype app is 8.87.0.403, while the latest version of Skype is 8.107.0.215. The group behind it reused a phishing back-end domain, "bn-download3.com", which had impersonated the Binance exchange as of November 23, 2022 and was switched to impersonating the Skype back end on May 23, 2023. The fake Skype app was first reported by a user who lost "a large amount of money" to the same scam.

The fake app's signature revealed that it had been tampered with to inject malware. After unpacking the app, the security team discovered a modified version of the commonly used Android networking framework "okhttp3", adapted to target crypto users. The stock okhttp3 framework handles network requests on Android, but the modified okhttp3 scans various directories on the phone for images and processes any newly created image in real time.

The malicious okhttp3 asks for permission to access internal files and images, and because most social media apps request these permissions anyway, users rarely suspect anything is wrong. Once the permissions are granted, the fake Skype immediately begins uploading images, device information, the user ID, the phone number and other data to the backend.

Once the data is received, the fake app continuously searches the uploaded images and messages for strings in the Tron (TRX) and Ether (ETH) address formats. If such addresses are found, they are automatically replaced with malicious addresses pre-arranged by the phishing team.

Fake Skype app backend. Source: SlowMist

During SlowMist's testing, the wallet address replacement had already stopped: the phishing backend interface had been taken down and no malicious addresses were being returned.

The team also confirmed that the Tron chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) had received 192,856 Tether (USDT) in a total of 110 transactions as of November 8. At the same time, another ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03) received approximately 7,800 USDT in 10 transactions.

The SlowMist team has identified and blacklisted all wallet addresses associated with the scam.
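The substitution described above works on anything that looks like a TRX or ETH address, so a defender-side check can use the same address formats the other way round: spot address-like strings in a message, verify that a TRX address is well-formed base58check, and flag anything on a blocklist of known scam addresses. The following is an added example written for this article, not SlowMist's code or any part of the fake app; the only real values in it are the two scam addresses quoted above, and the sample message and hash are constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TRX_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")  # 34 base58 chars with a 'T' prefix
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")           # 0x plus 20 bytes of hex

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    return n.to_bytes(25, "big")    # 1 prefix + 20 hash + 4 checksum bytes; OverflowError if longer

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def trx_checksum_ok(addr):
    """TRON mainnet address: base58check of 0x41 || 20-byte hash, 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except (ValueError, OverflowError):
        return False
    payload, check = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return raw[0] == 0x41 and digest[:4] == check

def trx_address_from_hash(hash20):  # builds a well-formed TRX address; used for constructed test data
    payload = b"\x41" + hash20
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)

def scan_message(text, blocklist):
    """One finding per address-like token: chain, checksum validity, and whether it is blocklisted."""
    known_trx = {b for b in blocklist if b.startswith("T")}            # base58 is case-sensitive
    known_eth = {b.lower() for b in blocklist if b.startswith("0x")}   # hex is not
    findings = []
    for chain, rx in (("TRX", TRX_RE), ("ETH", ETH_RE)):
        for m in rx.finditer(text):
            addr = m.group(0)
            valid = trx_checksum_ok(addr) if chain == "TRX" else True   # ETH: format check only
            hit = addr in known_trx if chain == "TRX" else addr.lower() in known_eth
            findings.append({"chain": chain, "address": addr, "valid": valid, "blocklisted": hit})
    return findings

# Constructed sample: the two scam addresses named in the article form the blocklist.
SCAM_ADDRESSES = ["TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB", "0xF90acFBe580F58f912F557B444bA1bf77053fc03"]
```

A wallet or messaging client can run `scan_message` over outgoing text and warn the user when an address fails validation or matches the blocklist, which is exactly the point at which the swapped address would otherwise go unnoticed.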
