A new phishing scam has emerged in China that uses a fake Skype video app to target crypto users.
According to a report by crypto security analytics firm SlowMist, the Chinese hackers behind the phishing scam used China’s ban on international applications as the basis of their fraud, with many mainland users often searching for these banned applications via third-party platforms.
Social media applications such as Telegram, WhatsApp and Skype are some of the most common applications searched for by mainland users, so scammers often use this vulnerability to target them with fake, cloned applications containing malware developed to attack crypto wallets.
In its analysis, the SlowMist team found that the recently created fake Skype application displayed version 8.87.0.403, while the latest official version of Skype is 8.107.0.215. The team also discovered that the phishing back-end domain “bn-download3.com” impersonated the Binance exchange on Nov. 23, 2022, later changing to mimic a Skype back-end domain on May 23, 2023. The fake Skype app was first reported by a user who lost “a significant amount of money” to the same scam.
The fake app’s signature revealed that it had been tampered with to insert malware. After decompiling the app, the security team discovered a modified commonly used Android network framework, “okhttp3,” to target crypto users. The default okhttp3 framework handles Android traffic requests, but the modified okhttp3 obtains images from various directories on the phone and monitors for any new images in real time.
The malicious okhttp3 requests users to give access to internal files and images, and as most social media applications ask for these permissions anyway, they often don’t suspect any wrongdoing. Thus, the fake Skype immediately begins uploading images, device information, user ID, phone number and other information to the back end.
Once the fake app has access, it continuously looks for images and messages with Tron (TRX) and Ether (ETH)-like address format strings. If such addresses are detected, they are automatically replaced with malicious addresses pre-set by the phishing gang.
During SlowMist testing, it was found that the wallet address replacement had stopped, with the phishing interface’s back end shut down and no longer returning malicious addresses.
Related: 5 sneaky tricks crypto phishing scammers used last year
The team also discovered that a Tron chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) had received approximately 192,856 Tether (USDT) by Nov. 8, with a total of 110 transactions made to the address. At the same time, another ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03) received approximately 7,800 USDT in 10 transactions.
The SlowMist team flagged and blacklisted all wallet addresses linked to the scam.
Magazine: Thailand’s $1B crypto sacrifice, Mt. Gox final deadline, Tencent NFT app nixed
Read More: cointelegraph.com
Bitcoin 
Ethereum 
Tether 
BNB 
Solana 
USDC 
Lido Staked Ether 
XRP 
Dogecoin 
Toncoin 
Cardano 
Shiba Inu 
Avalanche 
TRON 
Wrapped Bitcoin 
Bitcoin Cash 
Polkadot 
Chainlink 
NEAR Protocol 
Polygon 
Litecoin 
Internet Computer 
Uniswap 
LEO Token 
Dai 
First Digital USD 
Ethereum Classic 
Aptos 
Hedera 
Stacks 
Mantle 
Cronos 
Stellar 
Cosmos Hub 
Filecoin 
Renzo Restaked ETH 
OKB 
Render 
Immutable 
XT.com 
Pepe 
Arbitrum 
VeChain 
Bittensor 
Optimism 
dogwifhat 
Maker 
Wrapped eETH 
The Graph 
Kaspa