The world of crypto and Web3 is plagued with dangers associated with fake apps and phishing attempts, duping unsuspecting victims with the promise of quick and easy money.
An unfortunate incident has come to light in which a user lost his crypto after using a fake version of a hugely popular app, Skype.
Fake Skype App Steals Crypto
Blockchain security firm SlowMist brought the incident to light, describing an unfortunate incident where a user lost significant funds after using a fake version of a highly popular social platform, Skype. SlowMist has already published several articles analyzing phishing cases. According to the analysis, the user in question downloaded the app from an untrustworthy source online.
Preliminary investigations have revealed that the hackers behind the fake app and hack were the same Chinese hackers who were responsible for a similar fake Binance app. The group of hackers has a notorious reputation for targeting Web3 transactions. According to SlowMist, the attackers used a tried-and-tested phishing strategy to steal the user’s funds, with the fake Skype app asking the user for permission to access the users’ personal information.
Because of the inaccessibility of Google Play in China, users tend to search and download apps directly from the internet. The team warned that such fake apps were not just limited to wallets and exchanges but also social media platforms.
“However, the types of fake apps available online are not limited to just wallets and exchanges. Social media applications like Telegram, WhatsApp, and Skype are also heavily targeted.”
Users Don’t Suspect Foul Play
Users tend to treat the fake Skype app as any other social app, which is why they do not suspect any foul play and give the app the required permissions. After getting access, the app began to upload data, including images, device information, and phone numbers, to the hacker’s backend interface.
Following this, the app began tracking the users’ message history, scouring for words such as Ethereum (ETH), Crypto, and Tron (TRX). Such words would be checked to detect any crypto wallet. If the hackers found a crypto wallet, the hackers would replace the destination address with one set by the hackers themselves.
According to SlowMist, the malicious Tron address saw nearly 192,856 USDT deposited into it through 110 deposit transactions. Meanwhile, the ETH chain saw deposits of 7,800 USDT, deposited over 10 transactions. SlowMist has blacklisted the addresses in question but also urged users to exercise caution when downloading apps from the internet. It also urged users to download apps through official channels instead of risking downloads directly off the internet.
Fake App Analysis
SlowMist also revealed it conducted an analysis of the signature information of the fake Skype app, adding that the signature information of the fake app contains several anomalies and is different from that of a genuine app. The analysis revealed that the signature information of the fake app was quite simple, with the owner and publisher both labeled as CN. The analysis also revealed that the certificate’s effective date was 11th September 2023, meaning the app was not created too long ago.
“Since the APK’s certificate does not match, it indicates that this APK file has been tampered with and is likely injected with malicious code. Therefore, we began the process of decompiling and analyzing the APK. After analyzing the unencapsulated version, the SlowMist Security Team discovered that the fake app mainly modified a commonly used Android network framework, okhttp3, to perform various malicious operations. Since okhttp3 is a framework for handling Android traffic requests, all traffic requests are processed through okhttp3.”
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.