Leading blockchain security firm SlowMist has warned users about a new phishing scam involving a fake Skype app. The incident highlights the growing trend of phishing attacks in the Web3 world, targeting not only wallets and exchanges but also popular social media applications like Skype.
Analysis of fake Skype app
A victim whose funds were stolen after downloading a Skype app approached SlowMist. Analysing the app the victim supplied, the security team found significant discrepancies in its signature information; the ‘CN’ labels on both the owner and publisher fields suggested a Chinese origin.
The counterfeit application, identifiable as version 18.104.22.1683, is notably different from Skype’s most recent version, 22.214.171.124. On closer examination the team found that the APK file had been modified, most likely to embed malicious code. A key finding was the use of ‘SecShell’, a feature of the Bangcle app-hardening product that phishing gangs commonly apply to hinder analysis.
The altered okhttp3 framework within the counterfeit application was designed to carry out harmful operations. It could extract images from Android devices and upload them to a phishing backend at ‘https://bn-download3.com’. The domain was found to have impersonated the Binance exchange before shifting to mimic a Skype backend, highlighting the gang’s targeted approach towards Web3 entities.
The team’s analysis showed that, once run, the app requested the permissions typical of a social app, which then enabled the illicit upload of images and sensitive user data. Notably, the app also monitored messages for cryptocurrency addresses and automatically replaced them with malicious addresses controlled by the phishing gang.
SlowMist swiftly added the harmful addresses to their blacklist, assigning them high-risk scores to reflect the serious level of threat they pose. Tracking through MistTrack revealed substantial amounts of USDT had been transferred to these addresses, with most funds already siphoned off through various services. SlowMist made no mention of any NFTs being stolen.
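As an added illustration of how the address swap described above can be caught on the defender’s side (this is example code written for this article, not SlowMist’s tooling): compare the message a user composed with the message that actually left the app, flag any cryptocurrency address that changed in transit, and score the replacement against a blacklist of the kind SlowMist maintains. The address patterns, blacklist entries and sample messages are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Address formats for the networks on which USDT is commonly transferred:
# EVM chains (0x + 40 hex) and TRON (base58, 34 chars, 'T' prefix).
ADDRESS_PATTERNS = {
    "evm": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "tron": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}

# Constructed placeholder entries with risk scores; a real deployment would
# load a threat feed such as SlowMist's blacklist instead.
BAD_EVM = "0x" + "ef" * 20
BAD_TRON = "T" + "B" * 33
BLACKLIST: Dict[str, int] = {BAD_EVM: 95, BAD_TRON: 95}

# Constructed sample: what the user typed vs. what the tampered app sent.
ORIG_EVM = "0x" + "ab" * 20
SAMPLE_COMPOSED = f"Send the USDT to {ORIG_EVM} before noon, thanks!"
SAMPLE_TRANSMITTED = f"Send the USDT to {BAD_EVM} before noon, thanks!"


def extract_addresses(text: str) -> List[Tuple[str, str]]:
    """Return (chain, address) pairs in order of appearance."""
    found = []
    for chain, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((m.start(), chain, m.group(0)))
    found.sort()
    return [(chain, addr) for _, chain, addr in found]


def detect_substitution(composed: str, transmitted: str) -> List[dict]:
    """Diff the addresses in the composed message against those actually sent;
    any address that differs is the swap, scored against the blacklist (0 = unlisted)."""
    before, after = extract_addresses(composed), extract_addresses(transmitted)
    findings = []
    if len(before) != len(after):
        findings.append({"type": "address_count_changed",
                         "before": len(before), "after": len(after)})
    for (_, addr_a), (chain_b, addr_b) in zip(before, after):
        if addr_a != addr_b:
            findings.append({"type": "address_replaced", "chain": chain_b,
                             "original": addr_a, "replacement": addr_b,
                             "risk_score": BLACKLIST.get(addr_b, 0)})
    return findings


if __name__ == "__main__":
    for finding in detect_substitution(SAMPLE_COMPOSED, SAMPLE_TRANSMITTED):
        print(finding)
```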
Extra caution warranted when downloading apps
Phishing methods involving counterfeit social media apps are a recurring theme in the team’s findings. The tactics employed are not only limited to uploading and altering data but also include more sinister actions like altering wallet transfer destinations.
Users are strongly advised to remain vigilant and to download apps only from authorized sources, so as not to fall prey to these sophisticated deceptive schemes.