By: Yao

Background

Fake-app phishing incidents are very common in the Web3 world, and the SlowMist Security Team has published phishing analyses of them before. Because Google Play cannot be accessed directly from China, many users search for the apps they want online and download them from whatever site turns up. However, the fake apps flooding the Internet are no longer limited to wallets and exchanges: social apps such as Telegram, WhatsApp and Skype are also heavily affected.

Recently, a victim contacted the SlowMist security team. According to his description, his funds were stolen after he used a Skype app downloaded from the Internet, so we analyzed the fake Skype phishing sample he provided.

Fake Skype App Analysis

First, we analyze the signature information of the fake Skype. The signing information of fake apps generally contains abnormal content and differs noticeably from that of the genuine app.

The signature information of this fake app is sparse, with almost no content; both the owner and the publisher are simply "CN". From this it can be preliminarily determined that the phishing group is likely Chinese, and the certificate's validity start date of 2023.9.11 suggests the app was produced only recently. Further analysis showed that this fake app is based on version 8.87.0.403, while the latest version of Skype is 8.107.0.215.

Using Baidu search, we found multiple distribution channels for the same fake Skype build, and its signature information matched the sample provided by the victim.

We downloaded the genuine 8.87.403 version of Skype to compare the certificates:

Since the APK's certificate did not match the genuine one, the APK file had been tampered with and had most likely been injected with malicious code, so we began to decompile and analyze it.

"SecShell" is a marker left in an APK that has been packed with BangBang hardening. Packing is a common protection used on fake apps: phishing gangs add a shell layer to hinder analysis.

After analyzing the unpacked version, the SlowMist security team found that the fake app mainly modified okhttp3, a widely used Android network framework, to perform its malicious operations. Because okhttp3 handles the app's network requests, all of its traffic passes through the modified code.

The modified okhttp3 first collects the images from each directory on the Android device and then monitors in real time for newly added images.

The collected pictures are eventually uploaded over the Internet to the phishing gang's backend interface: https://bn-download3.com/api/index/upload.

Through the asset mapping platform of Weibu Online, we found that the phishing backend domain "bn-download3.com" was impersonating the Binance exchange on November 23, 2022, and did not start serving as the fake Skype backend domain until May 23, 2023:

Further analysis revealed that "bn-download[number]" is the pattern of fake domain names this phishing group uses specifically for Binance phishing, which shows that the group is a repeat offender that specifically targets Web3.

Analysis of the network request traffic shows that, once the fake Skype is launched, the modified okhttp3 starts requesting permissions to access files and the photo album. Because social apps legitimately transfer files and make calls, ordinary users are not suspicious of these requests. Once the permissions are granted, the fake Skype immediately begins uploading pictures, device information, user name/ID, mobile phone number and other information to the backend:

The test phone used during traffic analysis held 3 pictures, so 3 upload requests appear in the captured traffic.

When it starts, the fake Skype also requests a USDT list from the interface (https://bn-download3.com/api/index/get_usdt_list2?channel=605), but during our analysis the server returned an empty list:

Following the code further, we found that the fake Skype monitors sent and received messages for strings matching the TRX and ETH address formats. Any match is automatically replaced with a malicious address preset by the phishing gang:

The relevant malicious addresses are as follows:

TRX:
TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB
TEGtKLavujdMrYxQWAsowXqxUHMdurUhRP

ETH:
0xF90acFBe580F58f912F557B444bA1bf77053fc03
0x03d65A25Db71C228c4BD202C4d6DbF06f772323A

In addition to the hardcoded addresses, the fake Skype also fetches malicious addresses dynamically from the interface "https://bn-download8.com/api/index/reqaddV2".
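As an added defensive illustration (this is not code from the writeup or from the malware), the following Python scans chat text for TRON and EVM address-shaped tokens, verifies the TRON base58check structure, and flags any token that matches the blacklisted addresses listed above. The sample message is constructed.

```python
import hashlib
import re

# Addresses quoted in the writeup as the phishing gang's hardcoded replacement targets.
# ETH entries are stored lowercase so the comparison is case-insensitive.
BLACKLIST = {
    "TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB",
    "TEGtKLavujdMrYxQWAsowXqxUHMdurUhRP",
    "0xf90acfbe580f58f912f557b444ba1bf77053fc03",
    "0x03d65a25db71c228c4bd202c4d6dbf06f772323a",
}

# Address-shaped tokens: TRON (base58, 34 chars starting with 'T') and EVM (0x + 40 hex).
TRX_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def trx_checksum_ok(addr: str) -> bool:
    """True if addr decodes as base58check with the TRON mainnet version byte 0x41."""
    n = 0
    for ch in addr:
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes(25, "big")  # version (1) + 20-byte account hash + checksum (4)
    payload, check = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload[0] == 0x41 and digest == check


def scan_message(text: str) -> list[dict]:
    """Report every address-like token in a chat message and whether it is blacklisted."""
    findings = []
    for m in TRX_RE.finditer(text):
        addr = m.group(0)
        findings.append({"chain": "TRX", "address": addr,
                         "valid_checksum": trx_checksum_ok(addr),
                         "blacklisted": addr in BLACKLIST})
    for m in ETH_RE.finditer(text):
        addr = m.group(0)
        findings.append({"chain": "ETH", "address": addr,
                         "valid_checksum": None,  # EIP-55 needs keccak-256, not in stdlib
                         "blacklisted": addr.lower() in BLACKLIST})
    return findings


if __name__ == "__main__":
    # Constructed message in which both addresses have been swapped for blacklisted ones.
    sample = ("Constructed sample: please pay TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB "
              "or 0xF90acFBe580F58f912F557B444bA1bf77053fc03")
    for finding in scan_message(sample):
        print(finding)
```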

When we tested by sending an address from the fake Skype to another account, the replacement was not performed: the phishing backend interface that returns the malicious address had already been shut down.

At this point in the analysis, the phishing domain name, the backend interface paths and the dates led us to link this case to the fake Binance App analysis "Li Kui or Li Gui? Fake Binance App Phishing Analysis" published on November 8, 2022. After comparison, we concluded that the two incidents were the work of the same phishing gang.

Reverse IP lookups on these domains turned up more phishing domain names.

Malicious Address Analysis

The SlowMist security team blacklisted the malicious addresses as soon as the analysis was complete, so the above addresses currently carry a risk score of 100 points, i.e. serious risk.

MistTrack analysis shows that the TRON chain address (TJhqKzGQ3LzT9ih53JoyAvMnnH5EThWLQB) has received a total of about 192,856 USDT, with 110 deposit transactions. There is still a balance in the address, and the most recent transaction was on November 8.

Continuing to track the withdrawal records, I found that most of the funds had been transferred out in batches.

We then used MistTrack to analyze the ETH chain address (0xF90acFBe580F58f912F557B444bA1bf77053fc03). This address has received about 7,800 USDT in total over 10 deposit transactions. All funds have been transferred out, and the most recent transaction was on July 11.

Further analysis revealed that most of the funds were transferred out through BitKeep's Swap, and the source of the transaction fees was OKX.

Summary

The phishing method shared here was implemented through a fake social app, and the SlowMist security team has disclosed many similar cases. Common behaviors of fake apps include uploading files and pictures from the phone, uploading data that may contain users' sensitive information, and maliciously altering network traffic, such as modifying the destination address of wallet transfers as in this case. This method is common in fake Telegram and fake exchange apps.

When downloading and using an app, users should verify it through multiple sources and use the official download channels to avoid installing a malicious app and suffering financial losses. The blockchain dark forest requires users to keep improving their security awareness so as not to be deceived. For more security knowledge, we recommend the "Blockchain Dark Forest Self-Guard Handbook" produced by the SlowMist Security Team: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.