A new crypto scam that uses a counterfeit Skype app to steal photos and drain cryptocurrency wallets via phishing, believed to be orchestrated by Chinese hackers, is targeting unsuspecting victims, according to a recent report from the blockchain ecosystem security company SlowMist.
The blockchain firm began investigating after receiving a report from a victim who said his funds were stolen after he used a Skype app downloaded from the internet.
The forged app carried a signature that pointed to a possible Chinese origin and did not match the signature of the official Skype app. It was apparently built to carry out malicious operations by modifying okhttp3, the widely used Android network framework.
Examining the app further, the researchers found that once okhttp3 had been modified, the fake Skype app began requesting permission to access the device's files, photo albums, and other data, permissions that users of a messaging app typically grant without suspicion.
“Since social apps need to transfer files and make calls, users generally do not suspect these activities. After obtaining user permissions, the fake Skype immediately begins uploading images, device information, user ID, phone number, and other information to the backend,” SlowMist said.
Once any of these permissions is granted, the app uploads sensitive data, including the user's images, device information, phone number, and user ID, to a phishing backend.
SlowMist's investigation also found that a link used in an earlier phishing attempt pointed to the backend domain bn-download3.com, indicating that the same operation had previously impersonated Binance.
By tampering with the app's network traffic, the actors behind the scam replaced legitimate crypto wallet addresses with addresses under their own control.
The report also disclosed that the fake Skype app inflicted substantial losses on its victims, with one of the addresses used by the malicious actors receiving approximately 192,856 USDT, equivalent to around $192,895, through 110 transactions.
“Using MistTrack for analysis, it was found that the TRON chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) had received approximately 192,856 USDT, with 110 deposit transactions. There is still a balance in this address, with the most recent transaction occurring on November 8,” the blockchain firm reported.
According to SlowMist, the malicious actors withdrew the stolen funds in batches using BitKeep’s Swap service, with transaction fees sourced from OKX.
“Users need to be more cautious when downloading and using apps, sticking to official download channels to avoid downloading malicious apps and suffering financial losses. In the blockchain’s ‘dark forest’ world, users must continuously enhance their security awareness to avoid being deceived,” SlowMist further said.