OKX & SlowMist Joint Report: Bom Malware Hits Tens of Thousands of Users, Stealing Over $1.82 Million

SlowMist

On February 14, 2025, multiple users reported unauthorized access to their wallet assets. On-chain data analysis indicated that the incidents exhibited characteristics of mnemonic phrase/private key leakage. Further follow-ups with affected users revealed that most of them had previously installed and used an application called BOM.

A deeper investigation uncovered that BOM was actually a carefully disguised scam application. Malicious actors exploited this app to deceive users into granting permissions, ultimately gaining access to their mnemonic phrases and private keys. This allowed them to systematically transfer and conceal stolen assets.

In response, the SlowMist AML team and the OKX Web3 Security team conducted an in-depth investigation into the tactics used by this malware, along with on-chain tracking and analysis, aiming to provide security warnings and recommendations to help more users stay protected.

Malware Analysis

With user consent, the OKX Web3 Security team collected APK files of the BOM application from affected users’ devices for analysis. The key findings are as follows:

Conclusion

  1. Upon accessing the contract page, the malicious app deceives users into granting local file and album permissions under the pretense of necessary app functionality.
  2. Once granted access, the app scans and collects media files from the device’s album in the background, then packages and uploads them to a remote server. If a user’s files or album contain mnemonic phrases or private key information, attackers may exploit the collected data to steal wallet assets.

Analysis Process

1. Preliminary Sample Analysis

1) Application Signature Analysis

The signature subject is irregular, resolving to “adminwkhvjv,” which consists of meaningless random characters. In contrast, legitimate applications typically use a meaningful combination of letters.

2) Malicious Permission Analysis

The application’s AndroidManifest file reveals that it registers a large number of permissions, including several sensitive ones, such as reading and writing local files, accessing media files, and reading the photo gallery.
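The permission review above is the first triage step an analyst can automate. The following is an added example, not code from the report or from either team: it reads a decoded (text) AndroidManifest.xml, collects every declared permission, and flags the file and media permissions that a wallet app has no routine reason to request. The manifest excerpt and the package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission classes the report calls out: local file access and
# media/gallery access. A wallet app has no routine need for any of them.
SENSITIVE = {
    "android.permission.READ_EXTERNAL_STORAGE": "read local files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write local files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "manage all files",
    "android.permission.READ_MEDIA_IMAGES": "read photo gallery",
    "android.permission.READ_MEDIA_VIDEO": "read video files",
    "android.permission.READ_MEDIA_AUDIO": "read audio files",
}

# Constructed manifest excerpt used as sample input; not the BOM manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.walletapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="28"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_MEDIA_VIDEO"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Every permission declared via <uses-permission> or <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")  # attribute lives in the android: namespace
            if name:
                names.append(name)
    return names


def triage(manifest_xml):
    """Flag sensitive file/media permissions and give a verdict for a wallet app."""
    flagged = {p: SENSITIVE[p] for p in declared_permissions(manifest_xml) if p in SENSITIVE}
    return {
        "declared": len(declared_permissions(manifest_xml)),
        "flagged": flagged,
        "verdict": "exceeds wallet needs" if flagged else "no file/media access",
    }
```

Run `triage(SAMPLE_MANIFEST)` against the output of a decoder such as apktool; the flagged set for the sample is exactly the four storage and media permissions.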

2. Dynamic Analysis

Since the app’s backend services were already offline at the time of analysis, the app could not function properly, making dynamic analysis unavailable.

3. Decompilation Analysis

Decompilation revealed that the number of classes in the app’s DEX files was very limited. A static code analysis was conducted on these classes.

Its main logic involves decrypting certain files and loading the application.

In the assets directory, we found UniApp build files, indicating that the app was developed using the cross-platform UniApp framework.

In applications developed using the UniApp framework, the main logic resides in the build file app-service.js, with some critical code encrypted in app-confusion.js. We began our analysis with app-service.js.

1) Trigger Entry Point
At the registration of various page entry points, we identified an entry point named contract.

The corresponding function index is 6596.

2) Device Information Initialization & Reporting
After the contract page loads, the callback onLoad() will invoke doContract().

In doContract(), the function initUploadData() is called.

In initUploadData(), the network status is first checked, along with whether the image and video lists are empty. Finally, the callback e() is invoked.

The callback e() is actually getAllAndIOS().

3) Checking and Requesting Permissions
On iOS, the app first requests permissions, deceiving users with a message claiming the access is necessary for normal operation. This behavior is highly suspicious — as a blockchain-related application, it has no legitimate reason to require access to the photo gallery. This request clearly exceeds the normal operational needs of the app.

On Android, the app similarly checks and requests photo gallery permissions first.

4) Collecting and Reading Album Files
Then, androidDoingUp reads images and videos and packages them.

5) Uploading Album Files
Finally, the upload is carried out in uploadBinFa(), uploadZipBinFa(), and uploadDigui(). The upload interface path appears to be a random string.

The iOS process is similar. After obtaining permissions, data collection and uploading begin through getScreeshotAndShouchang().

6) Upload Interface
The reporting URL’s commonUrl domain is obtained from the response of the /api/bf9023/c99so endpoint.

The domain for this interface is retrieved from UniApp’s local cache.

The code for writing to the cache was not found, as it may be obfuscated and stored in app-confusion.js. However, the domain was observed in the application cache during a previous run.
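The call chain traced above (contract page onLoad() through doContract(), initUploadData(), getAllAndIOS(), androidDoingUp() and the upload functions) can be reconstructed mechanically from a UniApp bundle. The following is an added example, not code from the report: it builds a call graph from a simplified, constructed app-service.js excerpt that reuses the report's function names (one function per line, no nested top-level functions) and finds how the page entry point reaches each upload function. Real bundles are minified and need a proper JavaScript parser; the regex approach only fits the simplified format assumed here.

```python
import re
from collections import defaultdict, deque

# Constructed, simplified bundle mimicking the call chain the report traced in
# app-service.js (one function per line); NOT the real BOM code.
SAMPLE_BUNDLE = """function onLoad() { doContract(); }
function doContract() { initUploadData(function () { getAllAndIOS(); }); }
function initUploadData(e) { if (!netOk()) return; if (imgs.length || vids.length) e(); }
function getAllAndIOS() { requestGalleryPermission(); androidDoingUp(); }
function androidDoingUp() { var z = packFiles(readGallery()); uploadBinFa(z); uploadZipBinFa(z); }
function uploadBinFa(z) { post(commonUrl + '/' + randomPath(), z); }
function uploadZipBinFa(z) { uploadDigui(z, 0); }
function uploadDigui(z, i) { post(commonUrl, z); }
"""
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{(.*?)\}\s*(?=function|$)", re.S)
CALL_RE = re.compile(r"\b(\w+)\s*\(")
KEYWORDS = {"function", "if", "for", "while", "return", "switch", "catch"}

def call_graph(src):
    """Map each top-level function to the names it calls; an inline callback
    (like the e() passed to initUploadData) is attributed to the enclosing function."""
    graph = defaultdict(set)
    for name, body in FUNC_RE.findall(src):
        for callee in CALL_RE.findall(body):
            if callee != name and callee not in KEYWORDS:
                graph[name].add(callee)
    return graph

def shortest_path(graph, start, target):
    """BFS over the call graph; returns the call chain as a list, or None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = prev[node]
            return chain[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def upload_chains(src, entry="onLoad"):
    """How the page entry point reaches every function named upload*."""
    graph = call_graph(src)
    targets = sorted(f for f in graph if f.lower().startswith("upload"))
    return {t: shortest_path(graph, entry, t) for t in targets}
```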

On-Chain Fund Analysis (SlowMist)

According to MistTrack, SlowMist AML’s on-chain tracking and anti-money laundering tool, the primary theft address (0x49aDd3E8329f2A2f507238b0A684d03EAE205aab) has stolen funds from at least 13,000 users, with illicit gains exceeding $1.82 million.

https://dune.com/queries/4721460

The first transaction of the address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab occurred on February 12, 2025, receiving an initial fund of 0.001 BNB from the address 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35.

Analyzing the address 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35, its first transaction also occurred on February 12, 2025. Its initial funds originated from the address 0x71552085c854EeF431EE55Da5B024F9d845EC976, which has been labeled as “Theft — Private Key Compromise” by MistTrack.

Continuing the analysis of the initial hacker address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab’s fund movements:

BSC: The hacker profited approximately $37,000 in assets such as USDC, USDT, and WBTC, and frequently used PancakeSwap to swap some tokens for BNB.

Currently, the address holds a balance of 611 BNB and approximately $120,000 worth of tokens, including USDT, DOGE, and FIL.

Ethereum: The hacker has gained approximately $280,000, mostly from cross-chain transfers of ETH from other networks. They then transferred 100 ETH to 0x7438666a4f60c4eedc471fa679a43d8660b856e0, which also received 160 ETH from the previously mentioned address 0x71552085c854EeF431EE55Da5B024F9d845EC976. In total, 260 ETH has not been further transferred.

Polygon: The hacker has gained approximately $65,000, including tokens such as WBTC, SAND, and STG. Most of these tokens have been swapped via OKX-DEX for 66,986 POL. The current balance of the hacker’s address is as follows:

Arbitrum: The hacker has gained approximately $37,000, including tokens such as USDC, USDT, and WBTC. These tokens were swapped for ETH, and a total of 14 ETH was bridged to Ethereum via OKX-DEX.

Base: The hacker has gained approximately $12,000, including tokens such as FLOCK, USDT, and MOLLY. These tokens were swapped for ETH, and a total of 4.5 ETH was bridged to Ethereum via OKX-DEX.

Other chains will not be elaborated further. Additionally, we conducted a brief analysis of another hacker address provided by a victim.

The hacker address 0xcb6573E878d1510212e84a85D4f93Fd5494f6EA0 recorded its first transaction on February 13, 2025, with total illicit gains of approximately $650,000 across multiple chains. The related USDT was bridged to the TRON address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx.

The TRON address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx received a total of 703,119.2422 USDT, with a current balance of 288,169.2422 USDT.

  • 83,000 USDT was transferred to TZJiMbiqBBxDXhZXbrtyTYZjVDA2jd4eus, which remains unspent.
  • The remaining 331,950 USDT was sent to THKqT6PybrzcxkpFBGSPyE11kemRNRmDDz, an address that has previously interacted with Huionepay.

We will continue to monitor the relevant balance addresses.

Security Recommendations

To help users enhance their security awareness, the SlowMist AML team, in collaboration with the OKX Web3 security team, has compiled the following security recommendations:

  1. Avoid downloading software from unknown sources — This includes so-called “airdrop tools” and any software from unidentified issuers.
  2. Do not trust software download links recommended by friends or community members — Always verify and download from official sources.
  3. Download apps only from official and reputable platforms — Such as Google Play, the App Store, and other recognized app stores.
  4. Safeguard your mnemonic phrase properly — Avoid storing it using screenshots, photos, notepads, cloud storage, or similar methods. The OKX Wallet mobile app has already disabled screenshots for private key and mnemonic phrase pages.
  5. Use physical storage methods for mnemonic phrases — Such as writing them down on paper, storing them in a hardware wallet, or using segmented storage (splitting the mnemonic phrase/private key and storing the parts separately).
  6. Regularly change your wallet — If conditions allow, periodically switching wallets can help eliminate potential security risks.
  7. Utilize professional on-chain tracking tools — Platforms like MistTrack enable monitoring and analyzing funds, reducing the risk of scams and phishing attacks while enhancing asset security.
  8. Read the Blockchain Dark Forest Selfguard Handbook — Written by SlowMist founder Cos, this guide provides essential knowledge for protecting yourself in the blockchain space.

Disclaimer

This content is for informational purposes only and should not be considered as (i) investment advice or recommendations, (ii) an offer or solicitation to buy, sell, or hold digital assets, or (iii) financial, accounting, legal, or tax advice. We do not guarantee the accuracy, completeness, or usefulness of this information.

Digital assets (including stablecoins and NFTs) are subject to market fluctuations, involve high risks, and may depreciate in value or become worthless. You should carefully assess whether trading or holding digital assets is suitable for you based on your financial situation and risk tolerance.

For personalized advice, please consult your legal, tax, or investment professional. Not all products are available in all regions. For more details, please refer to the OKX Terms of Service and Risk Disclosure & Disclaimer. The OKX Web3 mobile wallet and its derivative services are governed by separate terms of service. It is your responsibility to understand and comply with applicable local laws and regulations.

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.
