Chinese hackers have reportedly launched a new phishing scam targeting crypto users in China, using a fake Skype video app as a disguise. Crypto security analytics firm SlowMist uncovered the scam, revealing that the hackers capitalized on China’s ban on international applications. Many users in mainland China often search for banned applications through third-party platforms.
In this phishing scam, social media applications like Telegram, WhatsApp, and Skype were imitated with fake, cloned applications containing malware designed to attack crypto wallets. SlowMist’s analysis discovered a recently created fake Skype application with version 18.104.22.1683, while the latest official version of Skype is 22.214.171.124.
The phishing back-end domain, “bn-download3.com,” initially impersonated Binance on November 23, 2022, and later changed to mimic a Skype back-end domain on May 23, 2023. The fake Skype app was first reported by a user who incurred significant financial losses from the scam.
Upon decompiling the fake app, SlowMist found that the app’s signature had been tampered with to insert malware. A modified okhttp3 network framework was used to target crypto users. This framework, which normally handles Android network requests, was altered to read images from various directories on the phone and monitor for new images in real time.
The fake Skype app, once granted access, begins uploading images, device information, user IDs, phone numbers, and other details to the back end. It continuously scans images and messages for strings in a Tron (TRX)- or Ether (ETH)-like address format. If such addresses are detected, they are automatically replaced with malicious addresses pre-set by the phishing gang.
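The address-swapping behaviour described above can be checked for from the defender's side by pinning down what a "TRX- or ETH-like address format" actually is and comparing the addresses a user intended to send with those that were delivered. The following is an added example written for this page, not SlowMist's tooling or code from the fake app; it recognises ETH addresses by format only and validates TRX addresses with a full Base58Check decode, and the sample text and addresses in the test are constructed.

```python
import hashlib
import re

# Bitcoin/Tron Base58 alphabet (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# ETH: 0x followed by 40 hex digits. TRX: 34 Base58 characters starting with T.
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRX_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # raises ValueError on a bad character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def trx_address(pubkey_hash20: bytes) -> str:
    """Build a Tron address: 0x41 prefix + 20-byte hash + 4-byte double-SHA256 checksum."""
    payload = b"\x41" + pubkey_hash20
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + chk)


def is_valid_trx(addr: str) -> bool:
    """True only if the Base58Check structure and checksum are intact."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x41:
        return False
    chk = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[21:] == chk


def find_addresses(text: str) -> list:
    """Return the address-format strings a clipper-style app would hunt for."""
    return ETH_RE.findall(text) + [a for a in TRX_RE.findall(text) if is_valid_trx(a)]


def swapped_addresses(intended: str, delivered: str) -> list:
    """Pair addresses by position; any mismatch indicates a substitution in transit."""
    before, after = find_addresses(intended), find_addresses(delivered)
    return [(a, b) for a, b in zip(before, after) if a != b]
```

Comparing the message a user composed with what the recipient received (or what the app actually transmitted) is the practical check: a single swapped address pair is the signature of the behaviour SlowMist describes.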
SlowMist’s testing revealed that the wallet address replacement had ceased, with the phishing interface’s back end shut down and no longer returning malicious addresses. The team also identified a Tron chain address that received approximately 192,856 Tether (USDT) and an ETH chain address that received about 7,800 USDT.
SlowMist flagged and blacklisted all wallet addresses associated with the phishing scam.