Hard to Guard Against: Analysis of the Fake Skype App Phishing


Background

Phishing incidents involving fake apps in the Web3 world are very frequent, and the SlowMist security team has previously released related analysis articles. Since Google Play cannot be directly accessed in China, many users often choose to search and download the apps they want to use online. However, the types of fake apps found online are not limited to wallets and exchanges anymore; social apps like Telegram, WhatsApp, and Skype are also heavily targeted.

Recently, a victim contacted the SlowMist security team. According to his description, his funds were stolen after using a Skype app downloaded online. Therefore, we conducted an analysis based on the fake Skype sample provided by the victim.

Analysis of Fake Skype App

First, let’s analyze the signature information of the fake Skype app. Fake apps generally carry abnormal signature information that differs markedly from that of the genuine app.

The signature information of this fake app is very sparse, with almost no content, and both the owner and the issuer are simply “CN”. From this we can tentatively conclude that the phishing group behind the app is likely Chinese. The certificate’s validity start date of 2023.9.11 also suggests the app has not been in circulation for long. Further analysis shows that the fake app reports version 8.87.0.403, while the latest Skype release is 8.107.0.215.

A Baidu search reveals multiple sources for the same fake Skype version, with signature information consistent with the one provided by the victim.

Download the genuine 8.87.403 version of Skype for certificate comparison:

Because the certificates of the two APK files do not match, the APK the victim used was clearly repackaged and most likely injected with malicious code. We therefore decompiled the APK for analysis.
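The certificate comparison described above can be scripted. The following is an added example (not SlowMist’s tooling) that locates the v1 (JAR) signature block under META-INF/ in two APKs and compares their digests; it answers the narrow question this case raises, namely whether an APK claiming the same release was re-signed by a different party. It assumes the APKs carry a v1 signature; apps signed only with APK Signature Scheme v2/v3 keep the signer in the APK Signing Block, where `apksigner verify --print-certs` is the right tool. The two APKs below are constructed in memory with placeholder signer blobs, not real PKCS#7 data.

```python
import hashlib
import io
import zipfile

# File suffixes of APK v1 (JAR) signature blocks found under META-INF/.
SIG_SUFFIXES = (".RSA", ".DSA", ".EC")


def signature_block_digests(apk_bytes):
    """Map each v1 signature block in META-INF/ to the SHA-256 of its bytes.

    The block is a PKCS#7 structure holding the signer certificate and the
    signature over the manifest, so a re-signed copy of the same release
    yields a different digest, while an untouched copy yields the same one.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES):
                digests[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return digests


def compare_signers(official_apk, suspect_apk):
    """Return 'match', 'mismatch', or 'no-v1-signature' for the suspect APK."""
    official = set(signature_block_digests(official_apk).values())
    suspect = set(signature_block_digests(suspect_apk).values())
    if not suspect:
        # v2/v3-only signatures live in the APK Signing Block, not META-INF/;
        # inspect those with apksigner instead of this script.
        return "no-v1-signature"
    return "match" if official == suspect else "mismatch"


def build_test_apk(signer_blob):
    """Constructed stand-in for an APK: a zip with a manifest, a dex and, if
    signer_blob is given, a META-INF/CERT.RSA file holding that blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.app'/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        if signer_blob is not None:
            zf.writestr("META-INF/CERT.RSA", signer_blob)
    return buf.getvalue()


# Constructed sample: an "official" build and a repackaged copy of the same
# release signed with a different key. Placeholder bytes, not real PKCS#7.
OFFICIAL_APK = build_test_apk(b"PKCS7-placeholder-signed-by-vendor-key")
REPACKAGED_APK = build_test_apk(b"PKCS7-placeholder-signed-by-other-key")

if __name__ == "__main__":
    print(compare_signers(OFFICIAL_APK, OFFICIAL_APK))    # match
    print(compare_signers(OFFICIAL_APK, REPACKAGED_APK))  # mismatch
```

Run it with the two real APK files read from disk in place of the constructed ones; a “mismatch” on two APKs that claim the same version is the tampering signal described above.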

“SecShell” is the packer layer added by Bangcle app hardening. Fake apps commonly carry such a layer, since phishing groups add protection to hinder analysis.

After examining the decompiled code, the SlowMist security team found that the fake app’s malicious changes are concentrated in okhttp3, the networking library commonly used on Android. Because the app sends all of its network requests through okhttp3, a modified copy of the library can intercept and act on every request.

The modified okhttp3 first collects images from various directories on the Android device and watches for newly added images in real time.

The obtained images are ultimately uploaded to the phishing group’s backend interface through the network: https://bn-download3.com/api/index/upload.

Through the asset mapping platform of Wei Bu Online, it was discovered that the phishing backend domain “bn-download3.com” was impersonating Binance Exchange on November 23, 2022, and only began serving as the fake Skype backend on May 23, 2023:

Further analysis found that domains of the form “bn-download[number]” are fake domains the phishing group uses specifically for Binance phishing. This group is evidently a repeat offender that specifically targets Web3.

Analysis of the network request traffic shows that as soon as the fake Skype is opened, the modified okhttp3 begins requesting permissions to access files, photo albums, and so on. Because social apps legitimately need file transfers and calls, ordinary users are generally not suspicious of these requests. Once the permissions are granted, the fake Skype immediately begins uploading images, device information, username ID, phone number, and other data to the backend:

Traffic-layer analysis showed that the test device contained 3 images, so there were 3 upload requests in the traffic.

At startup, the fake Skype also requests a USDT list from the API (https://bn-download3.com/api/index/get_usdt_list2?channel=605), but during the analysis the server returned an empty list:
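The backend calls described above (the uploads, the USDT list request and, further down, the address fetch) are easy to pick out of a proxy capture. The following added example, which is not part of the original analysis, classifies requests against the `bn-download[number].com` domain pattern and the API paths named on this page and summarises them. The log format (`TIMESTAMP METHOD URL STATUS`, one request per line) and the sample lines are constructed for the example; the benign `cdn.example.org` request is a placeholder, not a real Skype endpoint.

```python
import re
from urllib.parse import urlsplit

# Backend domains and API paths observed in this sample (from the analysis above).
C2_HOST_PATTERN = re.compile(r"^bn-download\d+\.com$", re.IGNORECASE)
C2_PATHS = {
    "/api/index/upload": "image-or-data-upload",
    "/api/index/get_usdt_list2": "usdt-list-fetch",
    "/api/index/reqaddV2": "malicious-address-fetch",
}


def classify_request(url):
    """Return a label for a request URL, or None if it does not hit the C2 infrastructure."""
    parts = urlsplit(url)
    if not C2_HOST_PATTERN.match(parts.hostname or ""):
        return None
    return C2_PATHS.get(parts.path, "other-c2-call")


def parse_log_line(line):
    """Parse one 'TIMESTAMP METHOD URL STATUS' line of the constructed proxy log."""
    fields = line.split()
    if len(fields) != 4:
        return None
    timestamp, method, url, status = fields
    return {"ts": timestamp, "method": method, "url": url, "status": int(status)}


def summarize(log_lines):
    """Count C2 calls by label and collect the C2 hosts and flagged entries."""
    summary = {"hosts": set(), "by_label": {}, "flagged": []}
    for line in log_lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        label = classify_request(entry["url"])
        if label is None:
            continue
        summary["hosts"].add(urlsplit(entry["url"]).hostname)
        summary["by_label"][label] = summary["by_label"].get(label, 0) + 1
        summary["flagged"].append(entry)
    return summary


# Constructed sample log of a test run on a device holding three images.
SAMPLE_LOG = """
2023-11-01T10:00:01Z GET https://bn-download3.com/api/index/get_usdt_list2?channel=605 200
2023-11-01T10:00:02Z POST https://bn-download3.com/api/index/upload 200
2023-11-01T10:00:03Z POST https://bn-download3.com/api/index/upload 200
2023-11-01T10:00:04Z POST https://bn-download3.com/api/index/upload 200
2023-11-01T10:00:05Z GET https://bn-download8.com/api/index/reqaddV2 200
2023-11-01T10:00:06Z GET https://cdn.example.org/assets/logo.png 200
""".strip().splitlines()

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(sorted(result["hosts"]))   # ['bn-download3.com', 'bn-download8.com']
    print(result["by_label"])        # three uploads, one list fetch, one address fetch
```

The host pattern rather than a fixed domain list is the important part: the page shows the group rotating through numbered `bn-download` domains, so a rule pinned to `bn-download3.com` alone would miss `bn-download8.com`.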

Further analysis of the code reveals that the fake Skype checks sent and received messages for strings matching the TRX and ETH address formats. Any match is automatically replaced with a malicious address preset by the phishing group:

The related malicious addresses are as follows:

TRX:

TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB

TEGtKLavujdMrYxQWAsowXqxUHMdurUhRP

ETH:

0xF90acFBe580F58f912F557B444bA1bf77053fc03

0x03d65A25Db71C228c4BD202C4d6DbF06f772323A

In addition to hardcoded addresses, the fake Skype also dynamically obtains malicious addresses through the “https://bn-download8.com/api/index/reqaddV2” interface.

Currently, when an address is sent to another account, the fake Skype no longer performs the replacement, because the phishing backend interfaces have been shut down and no longer return malicious addresses.
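The address matching and the hardcoded addresses listed above lend themselves to two defender-side checks: scanning text for address-shaped tokens that hit the published IoCs, and comparing a message as composed with the message that actually left the device to spot a swap in transit. The following added example (not SlowMist’s code) implements both. It checks address format only (TRON base58 with a `T` prefix and 34 characters; Ethereum `0x` plus 40 hex digits), not checksums, and the composed/transmitted message pair is constructed for the example, with a placeholder TRON address of `T` followed by 33 `A`s and the Ethereum zero address standing in for the user’s real destinations.

```python
import re

# Address shapes the fake client looks for in messages. Format checks only;
# base58check and EIP-55 checksums are not verified here.
BASE58 = "1-9A-HJ-NP-Za-km-z"
TRX_ADDRESS = re.compile(rf"(?<![{BASE58}])T[{BASE58}]{{33}}(?![{BASE58}])")
ETH_ADDRESS = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9A-Za-z])")

# Addresses published in the analysis above as belonging to the phishing group.
BLOCKLIST = {
    "TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB",
    "TEGtKLavujdMrYxQWAsowXqxUHMdurUhRP",
    "0xF90acFBe580F58f912F557B444bA1bf77053fc03",
    "0x03d65A25Db71C228c4BD202C4d6DbF06f772323A",
}
# TRON addresses are case-sensitive base58; Ethereum hex is compared case-insensitively.
ETH_BLOCKLIST_LOWER = {a.lower() for a in BLOCKLIST if a.startswith("0x")}


def find_addresses(text):
    """Return [(chain, address)] for every address-shaped token in text, TRX first."""
    found = [("TRX", m.group(0)) for m in TRX_ADDRESS.finditer(text)]
    found += [("ETH", m.group(0)) for m in ETH_ADDRESS.finditer(text)]
    return found


def is_blocklisted(chain, address):
    if chain == "ETH":
        return address.lower() in ETH_BLOCKLIST_LOWER
    return address in BLOCKLIST


def blocklisted(text):
    """Return the addresses in text that match the published IoCs."""
    return [addr for chain, addr in find_addresses(text) if is_blocklisted(chain, addr)]


def detect_substitution(composed, transmitted):
    """Compare the message the user composed with the one seen on the wire.

    Returns [(original, replaced)] for each position where the address changed,
    which is exactly the symptom of the in-app replacement described above.
    """
    before = [addr for _, addr in find_addresses(composed)]
    after = [addr for _, addr in find_addresses(transmitted)]
    return [(b, a) for b, a in zip(before, after) if b != a]


# Constructed sample: what the user typed versus what a tampered client sent.
USER_TRX = "T" + "A" * 33               # placeholder destination, not a real wallet
USER_ETH = "0x" + "0" * 40              # the Ethereum zero address as a placeholder
COMPOSED = f"Send 500 USDT to {USER_TRX} and {USER_ETH}"
TRANSMITTED = ("Send 500 USDT to TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB "
               "and 0xF90acFBe580F58f912F557B444bA1bf77053fc03")

if __name__ == "__main__":
    print(blocklisted(TRANSMITTED))
    print(detect_substitution(COMPOSED, TRANSMITTED))
```

The substitution check needs a trustworthy copy of the composed message (for instance from the keyboard or a clipboard monitor on a test device) alongside a proxy capture; applied to the 3-image test run described above, the outgoing message would carry the group’s addresses while the composed one would not.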

Combining this analysis with the phishing domain, the backend interface paths, and the dates and times involved, we linked it to the fake Binance App analysis published on November 8, 2022, titled “Li Kui or Li Gui? Fake Binance APP Phishing Analysis.” The two incidents were carried out by the same phishing group.

Reverse IP-to-domain lookups revealed more phishing domains.

Malicious Address Analysis

After analyzing the malicious addresses, the SlowMist security team promptly blacklisted them; the addresses now carry a risk score of 100, indicating severe risk.

Using MistTrack for analysis, it was found that the TRON chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) received approximately 192,856 USDT with 110 deposit transactions. The address still holds a portion of the balance, with the most recent transaction occurring on November 8th.

Continued tracking of the withdrawal records shows that most of the funds were transferred out in batches.

Further analysis using MistTrack identified an ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03) that received approximately 7,800 USDT with 10 deposit transactions. All the funds have been fully transferred, with the most recent transaction occurring on July 11th.

Continuing the analysis, it was found that most of the funds were transferred out using BitKeep’s Swap feature, with the transaction fees sourced from OKX.

Summary

The phishing approach in this case was carried out through a fake social networking app. The SlowMist security team has disclosed multiple similar cases. Common behaviors of fake apps include uploading files and images from the phone and modifying the destination addresses of wallet transfers. Such techniques are commonly observed in fake Telegram apps and fake exchange apps.

Users need to exercise caution when downloading and using apps, and should rely on official download channels to avoid installing malicious apps that could result in financial losses. In the dark forest of blockchain, it is crucial for users to constantly improve their security awareness and avoid falling victim to scams. For more security knowledge, we recommend the “Blockchain Dark Forest Self-Guard Handbook” by the SlowMist security team: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.
