Background
In the Web3 world, phishing incidents involving fake apps are quite frequent. The SlowMist Security Team has previously published articles analyzing such phishing cases. Due to the inaccessibility of Google Play in China, many users often resort to searching for and downloading apps directly from the internet. However, the types of fake apps available online are not limited to just wallets and exchanges. Social media applications like Telegram, WhatsApp, and Skype are also heavily targeted.
Recently, a victim contacted the SlowMist Security Team. According to his description, his funds were stolen after using a Skype App downloaded from the internet. Therefore, we began our analysis based on the fake Skype phishing sample provided by the victim.
Analysis of the Fake Skype App
Firstly, we analyzed the signature information of the fake Skype app. Generally, the signature information of a fake app contains anomalies and differs significantly from that of a genuine app.
We noticed that the signature information of this fake app is quite simple, almost empty, and both the owner and publisher are labeled as ‘CN’. Based on this information, we preliminarily deduced that the phishing production gang is likely Chinese. Also, from the certificate’s effective date of September 11, 2023, we inferred that this app was not created long ago. Further analysis revealed that the fake app uses version 8.87.0.403, while the latest version of Skype is 8.107.0.215.
Using Baidu search, we found multiple sources of the same fake Skype version, with signature information consistent with that provided by the victim.
Comparison with the Genuine Skype Version 8.87.403:
Since the APK’s certificate does not match, it indicates that this APK file has been tampered with and is likely injected with malicious code. Therefore, we began the process of decompiling and analyzing the APK.
‘SecShell’ is a characteristic feature resulting from using the Bangcle (梆梆) fortification to encapsulate the APK. This is a common defense tactic used by fake apps. Phishing gangs often encapsulate fake apps to prevent them from being analyzed.
After analyzing the unencapsulated version, the SlowMist Security Team discovered that the fake app mainly modified a commonly used Android network framework, okhttp3, to perform various malicious operations. Since okhttp3 is a framework for handling Android traffic requests, all traffic requests are processed through okhttp3.
The modified okhttp3 first obtains images from various directories on the Android phone and monitors in real-time for any new images.
The images obtained are eventually uploaded through the network to the phishing gang’s backend interface at: https://bn-download3.com/api/index/upload.
Using the asset mapping platform of Weibu, it was discovered that the phishing backend domain ‘bn-download3.com’ impersonated the Binance exchange on November 23, 2022. It wasn’t until May 23, 2023, that it began to impersonate a Skype backend domain:
Further analysis revealed that ‘bn-download[number]’ is a series of fake domains used by this phishing gang specifically for Binance phishing, indicating that this gang is a repeat offender targeting Web3 specifically.
By analyzing the network traffic packets, after running the fake Skype app, the modified okhttp3 starts to request permissions to access files, photo albums, etc. Since social apps need to transfer files and make calls, users generally do not suspect these activities. After obtaining user permissions, the fake Skype immediately begins uploading images, device information, user ID, phone number, and other information to the backend:
Through traffic layer analysis, it was observed that the test device had 3 images, hence there were 3 upload requests in the traffic.
At the beginning of its operation, the fake Skype also sends a request to the interface (https://bn-download3.com/api/index/get_usdt_list2?channel=605) for a USDT list. However, during the analysis, it was found that the server returned an empty list:
Further investigation into the code revealed that the fake Skype monitors for incoming and outgoing messages to see if they contain TRX and ETH type address format strings. If such addresses are detected, they are automatically replaced with malicious addresses pre-set by the phishing gang:
The related malicious addresses are as follows:
TRX:
TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB
TEGtKLavujdMrYxQWAsowXqxUHMdurUhRP
ETH:
0xF90acFBe580F58f912F557B444bA1bf77053fc03
0x03d65A25Db71C228c4BD202C4d6DbF06f772323A
Apart from the hardcoded addresses, the fake Skype also dynamically retrieves malicious addresses through the interface ‘https://bn-download8.com/api/index/reqaddV2'."
At present, when testing the fake Skype by sending addresses to another account, it was found that the address replacement no longer occurs, and the phishing interface’s backend has been shut down and no longer returns malicious addresses.
With this analysis, and by correlating the phishing domain, the backend interface path, and the date and time, we linked this case to the analysis of a fake Binance app published on November 8, 2022, titled ‘Li Kui or Li Gui? Fake Binance APP Phishing Analysis’. It was discovered that both incidents were orchestrated by the same phishing gang.
A reverse IP lookup of the domain revealed even more phishing domains.
Analysis of Malicious Addresses
After identifying the malicious addresses, the SlowMist Security Team immediately blacklisted them. As a result, the risk scores of the above addresses are now 100, indicating severe risk.
Using MistTrack for analysis, it was found that the TRON chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) had received approximately 192,856 USDT, with 110 deposit transactions. There is still a balance in this address, with the most recent transaction occurring on November 8.
Further tracking of the withdrawal records showed that most of the funds had been transferred out in batches.
Continuing with MistTrack analysis, the ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03) had received approximately 7,800 USDT in 10 deposit transactions. All the funds have been transferred out, with the latest transaction occurring on July 11.
Further analysis revealed that most of the funds were transferred out through BitKeep’s Swap service, and the transaction fees were sourced from OKX.
Summary
This phishing method shared in this article was executed through a counterfeit social media app, a tactic the SlowMist Security Team has disclosed in multiple similar cases. Common behaviors of fake apps include uploading files and images from the phone, uploading data that may contain sensitive user information, and maliciously replacing network transmission content, like altering the destination address of wallet transfers, as seen in this case. Such tactics are not uncommon in fake Telegram and fake exchange apps.
Users need to be more cautious when downloading and using apps, sticking to official download channels to avoid downloading malicious apps and suffering financial losses. In the blockchain’s ‘dark forest’ world, users must continuously enhance their security awareness to avoid being deceived. For more security knowledge, it is recommended to read the Blockchain-dark-forest-selfguard-handbook published by our security team.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Their goal is to make the blockchain ecosystem as secure as possible for everyone. They are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.
