New Scam Uses Fake Skype App to Target Crypto Users in China

JAKARTA - A new phishing scheme has emerged in China that uses a fake version of the Skype video app to target crypto users. According to a report from crypto security analysis firm SlowMist, the Chinese hackers behind the scheme exploit China's ban on international applications, since many users in mainland China look for these banned applications on third-party platforms.

Social media applications such as Telegram, WhatsApp, and Skype are among the applications most sought after by users in mainland China, so fraudsters exploit this demand to push fake apps containing malware built to attack crypto wallets.

In its analysis, the SlowMist team found that the recently created fake Skype app reported version 8.87.0.403, while the latest version of Skype was 8.107.0.215. The team also found that the backend phishing domain "bn-download3.com" had disguised itself as the Binance exchange on November 23, 2022, and then changed to mimic a Skype backend domain on May 23, 2023. The fake Skype app was first reported by a user who lost "a large amount of money" to a similar scheme.

The fake app's signature shows that it has been tampered with to insert malware. After decompiling the app, the security team found that a common Android networking library, "okhttp3," had been modified to target crypto users. The stock okhttp3 library handles Android network requests, but the modified okhttp3 collects images from various directories on the phone and monitors every new image in real time.

The malicious okhttp3 asks users for permission to access internal files and images, and because most social media apps request this permission, users rarely suspect fraud. Once granted, the fake Skype app immediately starts uploading images, device information, the user ID, the phone number, and other data to the backend.

Once the fake app gains access, it continuously searches images and messages for strings in the Tron (TRX) and Ether (ETH) address formats. If such an address is detected, it is automatically replaced with a malicious address designated by the phishing group.
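The address-swapping behaviour described above suggests a simple defensive check: before a message leaves the device (or before a transaction is signed), compare the addresses the user actually typed against the addresses in the outgoing content, and flag anything that was injected, especially if it is on a known-bad list. The following Python is an added illustration written for this article, not code from SlowMist or from the fake app. It assumes a plain set as the blacklist format (the only real entry is the Tron address named in this article; the Ether address as printed here is truncated, so it is left out), constructs its own sample messages, and validates Tron addresses as base58check strings with the 0x41 version byte, which is the public Tron address format.

```python
import hashlib
import re

# Assumed blacklist format: a plain set of address strings.
# The one real entry is the Tron address this article reports as receiving funds.
BLACKLIST = {
    "TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB",
}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Address shapes the malware looks for: 0x + 40 hex chars (ETH), T + 33 base58 chars (TRX).
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRX_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


def b58encode(data: bytes) -> str:
    """Base58 encode, preserving leading zero bytes as '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Base58 decode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def trx_encode(pubkey_hash20: bytes) -> str:
    """Build a Tron address: 0x41 || 20-byte hash || first 4 bytes of double SHA-256."""
    payload = b"\x41" + pubkey_hash20
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)


def trx_is_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes with the 0x41 prefix and a correct checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x41:
        return False
    payload, check = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == check


def find_addresses(text: str) -> set:
    """Every ETH- or TRX-shaped address present in the text."""
    return set(ETH_RE.findall(text)) | set(TRX_RE.findall(text))


def detect_substitution(composed: str, outgoing: str) -> dict:
    """Compare what the user wrote with what is about to be sent.

    A substitution is an address that disappeared from the composed text while a
    different one appeared in the outgoing text. Injected addresses are further
    checked against the blacklist and, for Tron, for structural validity.
    """
    before = find_addresses(composed)
    after = find_addresses(outgoing)
    injected = after - before
    removed = before - after
    return {
        "substituted": bool(injected) and bool(removed),
        "injected": injected,
        "removed": removed,
        "blacklisted": injected & BLACKLIST,
        "malformed": {a for a in injected if a.startswith("T") and not trx_is_valid(a)},
    }


def demo() -> dict:
    """Constructed sample: a legitimate address swapped for the article's reported one."""
    good = trx_encode(b"\x01" * 20)  # constructed, not a real wallet
    composed = f"Sending 50 USDT to {good} now"
    outgoing = composed.replace(good, "TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB")
    return detect_substitution(composed, outgoing)


if __name__ == "__main__":
    print(demo())
```

The check is deliberately local and offline: it needs no knowledge of which address is "right", only that the address changed between composition and sending, which is exactly the tell this malware leaves. A wallet or messaging client could run the same comparison on clipboard contents before a paste is accepted.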

During SlowMist's testing, the wallet address replacement had stopped working, because the phishing backend had been shut down and was no longer returning malicious addresses.

The SlowMist team also found that a Tron chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) had received about 192,856 Tether (USDT) as of November 8, across a total of 110 transactions to that address. In the same period, an ETH chain address (0xF90acFBe580F59f912F557B44bA1bf77053fc03) received approximately 7,800 USDT in 10 transactions.

The SlowMist team recorded and blacklisted all wallet addresses related to the fraud.