Background
On October 24, the twitter user below reached out to us asking for help when 5 ETHs they sent to their Binance address were transferred to an address owned by a scammer.
The current hacker’s address has been marked as a malicious phishing address by MistTrack.
Not long after, another Twitter user, “kongkong,” tweeted, “A friend of mine withdrew USDT from OK to Binance, while the first transaction was successful, the second wasn’t. They sent more than 5,000 USDT and waited over half an hour, but it never arrived. Ultimately, I contacted the Binance App’s customer service and stated that the address that received USDT was not a Binance user’s address.”
Fake Binance APK Analysis
First, we downloaded the Fake “Binance App” provided by the victim, and by comparing the APK file size with the real one. We discovered that the real Binance APK size was 247.1 MB, while the fake Binance APK size was only 191.3 MB, indicating that the fake Binance APK was compressed.
The packaging signature information also indicates that there was an issue with the victim’s APK.
The picture below is the signature information of the real Binance. As you can see, the signature date was 10/25/2017, and the signature also contains the word ‘Binance’.
The image below depicts the fake Binance App’s signature information. The signature date was on 10/06/2022, indicating this was recently packaged, signed and the signature contents were randomly generated.
2.48.4 is an older version of Binance’s Exchange App. Since the real APK of this version was not packed and reinforced, hackers can easily tamper with it and repackage it.
An examination of the fake Binance APK reveals, that the hacker used a free security software to prevent others from analyzing the APK.
We weren’t able to find the scammers address after decompiling the source code, which indicated that it was transmitted through the network for the purpose of solely modifying the deposit address.
Further investigation uncovered the domain address and the management backend domain address where the deposit addresses were generated. Mainly the two domains listed below.
13haojk.com
13haoht.com
The web interface address was encrypted using AES where the interface path was “/api/index/get usdt list.”
When the interface stopped running services, we performed a network interface analysis, but according to the interface characteristics obtained from the network search engine, we discovered that the hacker’s other interface domains were still active, as shown below.
14hjiekou.xyz
10haohout.com
Analysis of fake Binance App from other channels
According to the victim, the fake Binance App was downloaded via a Baidu search. We were able to discover and download several so-called “official Apps” after a quick search.
After installing a fake Binance app, we discovered that it began to request a large number of phishing deposit addresses.
The actual deposit address from the official Binance App was 0xc75edf**********2825e6, however when we logged into the fake Binance app, we can see that it’s now showing a different address: 0xCBea4B6d006C7eb5b0B8EeAfC0BE839Ba33ECa82.
Since this address was not in our MistTrack’s malicious address database, we immediately uploaded it using the ‘report’ function.
Summary
After investigating numerous phishing events, we determined that most phishing techniques in Web3 can be divided into three following categories: modification of addresses, theft of private keys, and signature spoofing.
While this incident deals with a fake exchange app, we’ve also shared a phishing case that was carried out using a fake Telegram app. We strongly advise users to only visit official sources and always verify before downloading anything to avoid incidents like this.
For additional information on how to safely navigate the Web3 space, we recommend reading the “Blockchain dark forest selfguard handbook” from the SlowMist Security Team.
