Chinese Hackers Exploit Ban on International Apps to Steal Hundreds of Thousands of Dollars
A new phishing scam has emerged in China that specifically targets cryptocurrency users. According to a report by crypto security analytics firm SlowMist, the scammers took advantage of China's ban on international applications to trick users into downloading a fake Skype video app. Many mainland users search for banned applications such as Telegram, WhatsApp, and Skype on third-party platforms. The scammers exploit this habit by distributing fake, cloned applications that contain malware designed to attack crypto wallets.
Fake Skype App and Impersonation of Binance Exchange
In their analysis, the SlowMist team discovered that the fake Skype application had a version number of 8.87.0.403, while the latest version of Skype is actually 8.107.0.215. They also found that the phishing back-end domain, 'bn-download3.com', initially impersonated the Binance exchange on November 23, 2022, and later changed to mimic a Skype backend domain on May 23, 2023. The team was alerted to the fake Skype app by a user who had lost a significant amount of money to the scam.
Malware Inserted Through Tampered App Signature
Upon inspecting the fake app's signature, the security team discovered that it had been tampered with to insert malware. After decompiling the app, they found that the malicious code targeted crypto users by modifying okhttp3, a commonly used Android networking library. The modified okhttp3 code read images from various directories on the phone and monitored for new images in real time.
Phishing Scam's Modus Operandi
The fake Skype app asks users to grant access to internal files and images, a permission that most social media applications also request, so users rarely suspect wrongdoing and grant it. Once access is granted, the fake app begins uploading images, device information, user ID, phone number, and other data to the phishing gang's back end. The app also scans images and messages for strings matching the TRON (TRX) and Ethereum (ETH) address formats. If it detects such an address, it automatically replaces it with a malicious address set by the scammers.
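As an added illustration from the defender's side (this is not code from SlowMist's report or from the malware), the check below compares a message as the user composed it with the message as it actually left the device and reports any TRON or Ethereum address token that was swapped; the addresses and messages are constructed samples, not real ones.

```python
import re
from typing import NamedTuple

# Address formats the malware is reported to look for: TRON base58 addresses
# (start with 'T', 34 characters, base58 alphabet) and Ethereum addresses
# (0x followed by 40 hex digits). Word boundaries avoid partial matches.
ADDRESS_RE = re.compile(
    r"(?P<trx>\bT[1-9A-HJ-NP-Za-km-z]{33}\b)|(?P<eth>\b0x[0-9a-fA-F]{40}\b)"
)


class Swap(NamedTuple):
    kind: str       # "trx" or "eth"
    expected: str   # address the user intended to send
    actual: str     # address that was actually transmitted


def extract_addresses(text: str) -> list[tuple[str, str]]:
    """Return (kind, address) pairs in the order they appear in the text."""
    return [(m.lastgroup, m.group(0)) for m in ADDRESS_RE.finditer(text)]


def find_address_swaps(intended: str, transmitted: str) -> list[Swap]:
    """Compare what the user composed with what left the device.

    A clipper-style substitution leaves everything untouched except the
    address tokens, so first confirm the surrounding text is identical
    (addresses masked by kind), then diff the addresses position by position.
    """
    mask = lambda m: f"<{m.lastgroup}>"
    if ADDRESS_RE.sub(mask, intended) != ADDRESS_RE.sub(mask, transmitted):
        raise ValueError("messages differ outside address tokens; not a clean swap")
    swaps = []
    for (kind, addr_a), (_, addr_b) in zip(
        extract_addresses(intended), extract_addresses(transmitted)
    ):
        if addr_a != addr_b:
            swaps.append(Swap(kind, addr_a, addr_b))
    return swaps


# Constructed sample values (not from the incident): the message as composed,
# and the same message as a tampered networking layer would transmit it.
USER_TRX = "TXLdEKZmKdaaRq3iuDwsXhP6y2JZe4jvL9"
USER_ETH = "0xdeadbeef00112233445566778899aabbccddeeff"
ATTACKER_TRX = "TMvQeZ6dmZ4uaGfjt6TyHD8tvgAJr4x2mR"

COMPOSED = f"USDT to {USER_TRX}, ETH to {USER_ETH}. Thanks!"
TRANSMITTED = COMPOSED.replace(USER_TRX, ATTACKER_TRX)

if __name__ == "__main__":
    for s in find_address_swaps(COMPOSED, TRANSMITTED):
        print(f"{s.kind.upper()} address replaced: {s.expected} -> {s.actual}")
```

The same comparison can be run between the clipboard contents before and after a paste, which is where this family of substitution is usually first noticed.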
Scammers Uncovered and Blacklisted
The SlowMist team discovered more than 100 malicious addresses that were linked to the phishing scam and promptly blacklisted them. During their testing, they found that the wallet address replacement had stopped, and the phishing interface's back end was shut down, no longer returning malicious addresses. However, they also found that a TRON chain address received approximately 192,856 USDT until November 8, with a total of 110 transactions made to the address. Additionally, an ETH chain address received around 7,800 USDT in 10 deposit transactions.
This latest phishing scam targeting crypto users in China serves as a reminder to exercise caution when downloading applications from third-party platforms. Users should always verify the authenticity of an app and be wary of granting unnecessary permissions. Staying vigilant is crucial to protecting personal information and digital assets in an ever-evolving threat landscape.