New Phishing Scam Targets Crypto Users in China Using Fake Skype App

In a concerning development, a new phishing scam has surfaced in China, posing a significant threat to cryptocurrency users. Reports from crypto security analytics firm SlowMist detail the emergence of a sophisticated scam that exploits the ban on international applications in China, a ban that has led many mainland users to seek out prohibited applications through third-party platforms.

The scammers, leveraging the popularity of social media applications like Telegram, WhatsApp, and Skype, have honed in on this vulnerability, targeting users with fake, cloned applications containing malicious software designed to attack cryptocurrency wallets.

SlowMist’s investigation uncovered a fake Skype application with the version number, a notable discrepancy from the legitimate Skype version, which stands at The phishing back-end domain, initially impersonating the Binance exchange on November 23, 2022, later shifted to mimic a Skype back-end domain on May 23, 2023.

The fraudulent Skype app came to light when a user reported losing a substantial amount of money to the scam. Upon further analysis, SlowMist’s security team discovered that the app’s signature had been tampered with to insert malware. The modified okhttp3, a commonly used Android network framework, was identified as the tool used to target crypto users.

The malicious okhttp3 framework operates by requesting users to grant access to internal files and images. Given that many social media applications routinely seek these permissions, users often overlook any potential malicious activity. Once granted access, the fake Skype app begins uploading a trove of sensitive information, including images, device details, user ID, and phone numbers, to the phishing gang’s back end.

One particularly alarming aspect of this scam is the method employed to target cryptocurrency transactions. The fake app actively seeks images and messages containing Tron (TRX) and Ether (ETH) tickers, with specific address formats. If detected, these addresses are automatically replaced with malicious addresses pre-set by the phishing gang.

During testing conducted by SlowMist, it was observed that the wallet address replacement had ceased. The phishing interface’s back end was shut down, indicating a temporary halt to the malicious activities. However, users are cautioned to remain vigilant, as cybercriminals may adapt their tactics and resume such attacks in the future.

This incident underscores the importance of heightened cybersecurity awareness, especially in the cryptocurrency community. Users are advised to exercise caution when downloading applications from third-party sources and to rely on official channels for software updates. As the digital landscape evolves, staying informed and adopting robust security practices are crucial in safeguarding against emerging threats.

Read more:

Join us on Telegram

Follow us on Twitter

Follow us on Facebook

Follow us on Reddit

You might also like