In a recent revelation, SlowMist, a leading crypto security analytics company, has exposed a sophisticated phishing scam organised by Chinese hackers. The scammers ingeniously employed a cloned version of the Skype video app, taking advantage of China’s restrictions on international applications. This deceptive move targeted crypto users actively seeking banned apps like Telegram, WhatsApp, and Skype on third-party platforms.
The Elaborate Scheme
SlowMist’s analytical team meticulously examined the counterfeit video app, identifying a version discrepancy (8.87.0403) compared to the official version (8.107.02.215). Further investigation unveiled an altered signature, indicative of malware insertion, and a modified version of the Android network framework, “okhttp3.” This modified framework posed a significant threat to cryptocurrency users as it accessed images from diverse directories on the device.
The attackers deployed a well-established phishing strategy, embedding the fake video app with malware to compromise crypto wallets and steal funds. Once installed, the deceptive app requested access to internal files and images. Unsuspecting users, perceiving it as a routine permission request from a social application, inadvertently granted all requests.
Upon gaining permission, the malicious video app surreptitiously uploaded sensitive data, including images, user device details, identity documents (driver’s licence, passport, and national ID), and phone numbers, to the hackers’ backend. The app actively collected images and messages, scanning for keywords like Tron (TRX) and Ether (ETH) to detect crypto wallet transfers. Upon detection, the destination address would be automatically replaced with a predetermined malicious one.
SlowMist highlighted the similarity of this phishing scam to a previous fake Binance (BNB) hack case in November 2022. The team uncovered specific cryptocurrency addresses associated with the scam, including Tron and ETH addresses.
Counteraction and Prevention
In response to the threat, SlowMist’s analytics team took proactive measures. Testing for ongoing activity on the fake Skype app, they discovered that the address replacement was no longer effective, indicating the shutdown of the phishing interface backend. The platform promptly sourced and blacklisted all cryptocurrency addresses linked to the scam.
While SlowMist’s swift actions contribute to the ongoing battle against fraudulent operations, such as phishing scams, all crypto users are advised to exercise caution. This latest incident serves as a reminder of the evolving tactics employed by cybercriminals in targeting crypto users. It underscores the importance of remaining vigilant in the ever-changing landscape of digital security.