Chinese cybercriminals exploit fake Skype app in new crypto phishing scheme

SlowMist exposes a rising phishing threat in China targeting cryptocurrency users. By capitalising on the nation's ban on international apps, cybercriminals exploit users seeking banned applications, specifically social media platforms like Telegram, WhatsApp, and Skype.

China's new crypto scam: Hackers use fake Skype app

Highlights

  • Scammers are exploiting China's ban on international applications to target crypto users
  • The scammers are creating fake, cloned applications that are embedded with malware
  • Crypto users in China need to be cautious and vigilant against phishing scams

A recent report from SlowMist, a crypto security analytics firm, has highlighted a new phishing scam emerging in China that specifically targets cryptocurrency users. The scammers exploit China's ban on international applications, taking advantage of users who search for banned applications on third-party platforms.

The phishing scheme

Social media applications like Telegram, WhatsApp, and Skype are commonly sought after by mainland Chinese users. The scammers create fake, cloned applications mimicking these popular platforms, embedding them with malware designed to compromise crypto wallets.

Analysis of the fake Skype app

The SlowMist team analysed a fake Skype application, noting its version (8.87.0.403) differed from the official version (8.107.0.215). The phishing back-end domain initially impersonated Binance, later changing to mimic a Skype domain. A user who fell victim to the scam reported a significant financial loss.

Malicious elements detected

Upon decompiling the fake app, the security team found that the commonly used Android network framework okhttp3 had been tampered with. The modified framework, built to target crypto users, requests access to internal files and images. Because many legitimate social media apps request the same permissions, users may grant them without suspicion.

Data extraction and address manipulation

Once granted access, the fake Skype app uploads sensitive information, including images, device details, user ID, and phone number, to the phishing back end. The app then actively looks for images and messages with cryptocurrency address formats, replacing legitimate addresses with malicious ones predetermined by the phishing gang.
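The substitution described above (scanning outgoing text for strings that look like cryptocurrency addresses and swapping them) can be caught from the defender's side by comparing what the user typed against what actually left the device. The following Python is an added illustration written for this article, not code from SlowMist or from the malware; it recognises the two address formats the report mentions (ETH: `0x` plus 40 hex characters; TRON: base58check with version byte 0x41, which yields a 34-character string starting with `T`), validates the TRON checksum so random base58 strings are not flagged, and reports any address that changed between the typed and sent copies. All sample addresses are constructed inside the block.

```python
import hashlib
import re

# Base58 alphabet (no 0, O, I, l); used for TRON base58check addresses.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def tron_address_from_hash160(h160: bytes) -> str:
    """Build a TRON address: 0x41 || 20-byte hash || first 4 bytes of double-SHA256."""
    payload = b"\x41" + h160
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + chk)


def is_valid_tron(addr: str) -> bool:
    """True only if the string decodes to 25 bytes with version 0x41 and a correct checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x41:
        return False
    chk = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return chk == raw[21:]


def extract_addresses(text: str):
    """Return [(chain, address)] for every well-formed address in the text."""
    found = [("ETH", m.group(0)) for m in ETH_RE.finditer(text)]
    found += [("TRON", m.group(0)) for m in TRON_RE.finditer(text)
              if is_valid_tron(m.group(0))]
    return found


def detect_substitution(typed: str, sent: str):
    """Compare addresses in the message the user typed with the message that left the device.

    Returns one alert per address that differs, plus an alert if the number of
    addresses changed (an address added or dropped in transit).
    """
    before = extract_addresses(typed)
    after = extract_addresses(sent)
    alerts = []
    for (chain, original), (_, outgoing) in zip(before, after):
        if original != outgoing:
            alerts.append({"chain": chain, "original": original, "sent": outgoing})
    if len(before) != len(after):
        alerts.append({"chain": "any", "original": len(before), "sent": len(after)})
    return alerts


if __name__ == "__main__":
    # Constructed sample addresses (not real wallets, not from the report).
    legit = tron_address_from_hash160(bytes(20))
    swapped = tron_address_from_hash160(bytes([1] * 20))
    print(detect_substitution(f"send to {legit}", f"send to {swapped}"))
```

In a real deployment the "sent" copy would come from a network-layer capture or a proxy, since the tampered network framework sits below the UI; the point of the checksum validation is to keep the monitor quiet on ordinary base58-looking text while still catching a genuine address swap.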

Detection & counteraction

During testing, SlowMist found that the wallet address replacement had ceased, and the phishing interface's back end was shut down, no longer providing malicious addresses. The team also identified specific cryptocurrency addresses linked to the scam and promptly flagged and blacklisted them.

Financial impact

The SlowMist team found that a TRON chain address had received approximately 192,856 USDT by 8 November, across a total of 110 transactions. Over the same period, an ETH chain address received about 7,800 USDT in 10 deposit transactions.

Crypto users in China are advised to exercise caution and be vigilant against phishing scams. Staying informed about the latest threats and being cautious when downloading applications can help protect against potential financial losses and unauthorised access to sensitive information.

SlowMist's proactive measures, including flagging and blacklisting, contribute to the ongoing efforts to combat such fraudulent activities.