Phishing Scam Uses Fake Skype App to Target Crypto Users in China
Summary:
A newly discovered phishing campaign in China that uses a fraudulent Skype video app to target cryptocurrency users has been reported by the crypto security analytics firm SlowMist. Exploiting China's ban on certain international apps, the scammers trick users into downloading cloned apps laced with malware. The fake Skype app carries a modified copy of okhttp3, a network library commonly used in Android apps, which exfiltrates user data and replaces crypto-related addresses with ones controlled by the attackers. The scam has already caused significant financial losses, and security investigators have blacklisted over 100 malicious addresses linked to it.
A newly discovered phishing tactic in China uses a fraudulent Skype video app to lure victims, according to a report from SlowMist, a cryptocurrency security analytics company. The scam, suspected to be run by Chinese hackers, takes advantage of China's ban on international applications: many mainland users turn to third-party download sites in search of these banned apps, and social media apps such as Telegram, WhatsApp and Skype make up the majority of those searches. That gives fraudsters an opening to distribute cloned apps laced with malware aimed at cryptocurrency wallets.
SlowMist examined Baidu search results for Skype and found a phony Skype app whose version number (8.87.0.403) differs from that of the genuine app (8.107.0.215). The phishing group's backend domain first impersonated the Binance exchange on Nov. 23, 2022, before switching to mimic a Skype backend domain on May 23, 2023. The fraudulent app came to light when a victim who had lost a substantial sum to the scam reported it.
On closer examination, the security team found that the booby-trapped app contained a modified version of okhttp3, a third-party HTTP client library widely used by Android apps to handle network requests, repurposed to target cryptocurrency users. Instead of only handling traffic, the tampered okhttp3 reads images from various directories on the phone and watches for newly added images in real time.
The app asks users to grant it access to internal files and pictures, a request most social media apps make, so users grant it without suspicion. With that permission, the counterfeit Skype uploads images, device information, user IDs, phone numbers and more to its backend. It also continuously scans messages and images for strings that match the TRX and ETH address formats; when it finds one, it replaces it with an address controlled by the phishing group.
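The substitution described above is easy to model, and so is the check a wallet or messaging client could run against it. The following Python is an added example written for this article; it is not SlowMist's code or anything recovered from the fake app. The two attacker addresses are the ones SlowMist published (used here as a minimal blacklist); the victim address, the sample messages and the function names are constructed for the demonstration. The TRON validity check is the standard base58check routine (0x41 prefix, double-SHA256 checksum).

```python
"""Address-swap simulation and detection for TRX/ETH-style strings (added example)."""
import hashlib
import re

# Address shapes the fake app looks for: TRON base58check addresses ('T' + 33 base58
# characters) and Ethereum/EVM addresses ('0x' + 40 hex digits).
TRX_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# The two attacker addresses SlowMist published, used here as a minimal blacklist.
ATTACKER_TRX = "TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB"
ATTACKER_ETH = "0xF90acFBe580F58f912F557B444bA1bf77053fc03"
BLACKLIST = {ATTACKER_TRX, ATTACKER_ETH}

# Constructed sample messages; the last one is the TRON address with its final
# character altered, so its checksum no longer matches.
SAMPLE_MESSAGES = [
    "Pay the invoice to TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB before Friday",
    "my eth is 0xf90acfbe580f58f912f557b444ba1bf77053fc03 thanks",
    "meeting at 10, bring the TRX QR code",
    "wrong: TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQA",
]

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s):
    """Decode a base58 string to bytes (leading '1's become leading zero bytes)."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 character
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def tron_checksum_ok(addr):
    """True if addr is a well-formed TRON address: 0x41 prefix and valid base58check."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x41:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def find_addresses(text):
    """Return (address, chain) pairs found in text, TRON matches first."""
    found = [(m.group(0), "TRX") for m in TRX_RE.finditer(text)]
    found += [(m.group(0), "ETH") for m in ETH_RE.finditer(text)]
    return found


def swap_addresses(text, attacker_trx, attacker_eth):
    """Attacker side: what the trojanised app does to outgoing text."""
    return ETH_RE.sub(attacker_eth, TRX_RE.sub(attacker_trx, text))


def _norm(addr):
    # EVM addresses are case-insensitive hex; TRON addresses are case-sensitive base58.
    return addr.lower() if addr.startswith("0x") else addr


def scan(messages, blacklist):
    """Defender side: flag blacklisted addresses and malformed TRON addresses."""
    bad = {_norm(a) for a in blacklist}
    hits = []
    for i, msg in enumerate(messages):
        for addr, chain in find_addresses(msg):
            if _norm(addr) in bad:
                hits.append((i, addr, "blacklisted"))
            elif chain == "TRX" and not tron_checksum_ok(addr):
                hits.append((i, addr, "bad TRON checksum"))
    return hits


def substituted(original, delivered):
    """Compare what the user typed with what left the device; report swapped addresses."""
    before = [a for a, _ in find_addresses(original)]
    after = [a for a, _ in find_addresses(delivered)]
    return [(b, a) for b, a in zip(before, after) if b != a]


# Constructed victim address (placeholder, not a real account) and message.
VICTIM_TRX = "TXYZabcdefghjkmnpqrstuvwxyz1234567"
ORIGINAL_MESSAGE = "Send the USDT to " + VICTIM_TRX + " please"


if __name__ == "__main__":
    delivered = swap_addresses(ORIGINAL_MESSAGE, ATTACKER_TRX, ATTACKER_ETH)
    print("swapped:", substituted(ORIGINAL_MESSAGE, delivered))
    for hit in scan(SAMPLE_MESSAGES, BLACKLIST):
        print("flag:", hit)
```

Two caveats follow from the code. The checksum test only catches garbled or truncated strings; an attacker substitutes a perfectly valid address of their own, so it will pass. And a blacklist only works after the addresses are known. The check that actually defeats this class of attack is the one `substituted` models: confirming, on a channel the compromised app cannot rewrite, that the address the recipient sees is the one the sender typed.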
By the time of SlowMist's investigation, the wallet address substitution had stopped and the phishing backend had been taken offline. The investigators identified a TRON chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) that had received about 192,856 USDT in 110 transactions up to Nov. 8, and an Ethereum chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03) that had received roughly 7,800 USDT across 10 separate deposits. In total they uncovered more than 100 malicious addresses connected to the scam and blacklisted them.
Published At
11/13/2023 10:54:21 AM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.