A new phishing scam targeting cryptocurrency users in China has surfaced, using a counterfeit Skype video app as its lure. SlowMist Technology, a crypto security analysis firm, reported that Chinese hackers built this phishing scam around China's restrictions on international apps. Because many mainland users obtain banned apps through third-party platforms, scammers exploit this gap, tricking users with cloned apps carrying malware specifically designed to attack crypto wallets.
Social media applications such as Telegram, WhatsApp, and Skype are frequently sought after by mainland users, making them prime targets for scammers. SlowMist's analysis unveiled a counterfeit Skype application, showing version 8.87.0.403, while the legitimate Skype version stands at 8.107.0.215. The scam initially impersonated Binance on November 23, 2022, with the phishing backend domain "bn-download3.com." Later, on May 23, 2023, it transformed to mimic Skype's backend domain. The scam was first flagged by a user who suffered substantial losses due to the same ploy.
The forged app's signature confirms tampering, indicating the insertion of malware. After dissecting the app, SlowMist's security team identified a modified Android web framework called "okhttp3" that targets crypto users. The altered okhttp3 framework deviates from its default function of handling Android traffic requests: it fetches images from various directories on the phone and monitors newly added images in real time.
This modified okhttp3 requests access to internal files and images from the user. As most social media apps routinely seek these permissions, users often overlook any potential threats. Once granted access, the fake Skype app begins uploading sensitive data, including device information, user IDs, phone numbers, and images, to the scam's backend.
The counterfeit app goes a step further by scanning for Tron-related images and Ethereum-formatted address strings. If detected, these addresses are replaced with malicious addresses previously set by the phishing group. During SlowMist's examination, the wallet address substitution ceased, the phishing backend interface closed, and no further return of malicious addresses occurred. The team noted approximately 192,856 Tether received in 110 transactions to a Tron chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) and roughly 7,800 USDT in 10 transactions to an ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03). SlowMist has identified and blacklisted all wallet addresses associated with the scam.
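The substitution described above (an Ethereum- or Tron-formatted address in the user's content silently swapped for an attacker-controlled one) is detectable out of band if a defender can compare what the user intended to send with what was actually delivered. The following Python is an added example, not SlowMist's tooling nor code from the malicious app: it extracts addresses of both formats from text, flags any that match the two addresses reported in the article, and flags positional mismatches between a sent and a received copy of the same message. The assumption that a defender sees both copies, and the sample messages, are constructed for illustration.

```python
import re

# Address syntax only, not cryptographic validation:
#   Ethereum: "0x" followed by 40 hex digits.
#   Tron:     "T" followed by 33 base58 characters (34 chars total).
# Lookarounds stop a match inside a longer alphanumeric run.
ETH_ADDR_RE = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9A-Za-z])")
TRON_ADDR_RE = re.compile(r"(?<![0-9A-Za-z])T[1-9A-HJ-NP-Za-km-z]{33}(?![0-9A-Za-z])")

# Attacker-controlled addresses as reported in the article. Ethereum
# addresses are case-insensitive, so they are normalised to lowercase.
BLOCKLIST = {
    "eth": {"0xF90acFBe580F58f912F557B444bA1bf77053fc03".lower()},
    "tron": {"TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB"},
}


def extract_addresses(text):
    """Return (chain, address) pairs in order of appearance in `text`."""
    found = []
    for m in ETH_ADDR_RE.finditer(text):
        found.append((m.start(), "eth", m.group().lower()))
    for m in TRON_ADDR_RE.finditer(text):
        found.append((m.start(), "tron", m.group()))
    found.sort()  # interleave both chains by position
    return [(chain, addr) for _, chain, addr in found]


def is_blocklisted(chain, addr):
    return addr in BLOCKLIST.get(chain, set())


def check_transfer(sent_text, received_text):
    """Compare the addresses the sender wrote with the ones the recipient got.

    Returns a report with:
      substituted     - (sent, received) pairs that differ at the same position
      blocklisted     - received addresses matching known attacker addresses
      count_mismatch  - True if the number of addresses changed in transit
    """
    sent = extract_addresses(sent_text)
    received = extract_addresses(received_text)
    substituted = [(s, r) for s, r in zip(sent, received) if s != r]
    blocklisted = [(c, a) for c, a in received if is_blocklisted(c, a)]
    return {
        "substituted": substituted,
        "blocklisted": blocklisted,
        "count_mismatch": len(sent) != len(received),
    }


if __name__ == "__main__":
    # Constructed sample: the sender's own (made-up) addresses ...
    sent = "Send 500 USDT to 0x" + "ab" * 20 + " or to T" + "1" * 33
    # ... and the copy that arrived with both addresses swapped for the
    # attacker addresses named in the article.
    received = (
        "Send 500 USDT to 0xF90acFBe580F58f912F557B444bA1bf77053fc03"
        " or to TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB"
    )
    report = check_transfer(sent, received)
    for s, r in report["substituted"]:
        print(f"SUBSTITUTED {s[0]}: {s[1]} -> {r[1]}")
    for c, a in report["blocklisted"]:
        print(f"BLOCKLISTED {c}: {a}")
```

The positional comparison matters more than the blocklist: the attacker addresses change over time (the article notes the backend stopped returning them during SlowMist's examination), whereas a message whose addresses differ between the sender's copy and the recipient's copy is suspicious regardless of which address was inserted. Ethereum addresses are lowercased before comparison so that checksummed and non-checksummed spellings of the same address do not produce a false mismatch.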