A new phishing scheme has emerged in China, specifically targeting cryptocurrency users. This fraudulent operation utilizes a counterfeit Skype video app to carry out its malicious activities.
According to a report by SlowMist, a crypto security analytics firm, the scammers behind this scheme have capitalized on China’s ban on international applications as the foundation of their fraud.
Many mainland users often resort to third-party platforms to search for these banned applications, making them susceptible targets.
Mainland users frequently seek social media applications like Telegram, WhatsApp, and Skype, which are among the most commonly searched for applications.
Scammers exploit this vulnerability by distributing fake, cloned applications embedded with malware designed to attack cryptocurrency wallets.
SlowMist’s analysis unveiled that the fraudulent Skype application, which was recently created, displayed a version number of 8.87.0.403. In contrast, the latest official Skype version is 8.107.0.215.
The security team also identified that the phishing back-end domain initially impersonated the Binance exchange on November 23, 2022, but later transformed to mimic a Skype back-end domain on May 23, 2023.
The existence of this fake Skype app was first brought to light by a user who fell victim to the scam and lost a substantial amount of money.
Further investigation of the fake app’s signature revealed that it had been tampered with to insert malware.
READ MORE: FTX Bankruptcy Estate Files $1 Billion Lawsuit Against ByBit and Executives
Upon decompiling the app, the security team discovered a modified Android network framework called “okhttp3,” which was adapted to target cryptocurrency users.
The modified okhttp3 framework, unlike the default version that handles regular Android traffic requests, obtains images from various directories on the user’s device and monitors for new images in real time.
The malicious okhttp3 requests users to grant access to internal files and images, a request that often goes unnoticed as many social media applications require similar permissions.
Subsequently, the fake Skype app commences uploading images, device information, user IDs, phone numbers, and other data to its back end.
Once the fake app gains access, it continuously scans for images and messages containing strings resembling cryptocurrency addresses, such as those for TroN and Ether.
If such addresses are detected, the fake app automatically replaces them with pre-set malicious addresses chosen by the phishing gang.
However, as of November 8, SlowMist’s testing revealed that the wallet address replacement had ceased, and the phishing interface’s back end was no longer returning malicious addresses.
The SlowMist team promptly flagged and blacklisted all wallet addresses associated with this scam to protect potential victims from falling prey to the scheme.
