In a concerning development, the SlowMist Security Team has uncovered a widespread distribution of a fake Skype application on the Chinese internet, specifically targeting crypto investors. Given the restrictions on accessing international marketplaces within China, threat actors are capitalizing on this regulatory gap to flood the market with phishing applications, posing a significant risk to the crypto community.
Blockchain security firm SlowMist has identified a group of Chinese scammers circulating a counterfeit version of Skype, specifically version 188.8.131.523, designed for Android devices. This fraudulent application is being disseminated across various local marketplaces, including 51pgzs and siyuetian. The scammers employ deceptive tactics to convince victims that they are downloading a legitimate version of the popular video chat application.
Once the fake Skype application is installed, it initiates the extraction of images from various directories on the Android device while actively monitoring for any new images in real-time. Subsequently, all the collected images are uploaded to the backend interface controlled by the phishing gang.
SlowMist’s analysts have uncovered that the same gang behind the fake Skype application had previously targeted users in 2022 with a scam version of Binance. Both malicious applications share a similar backend domain, “bn-download3[dot]com,” indicating that this group is a repeat offender with a specific focus on targeting Web3.
In addition to compromising images, the malicious Skype application transmits various data to the attackers’ backend, including device information, user ID, and phone number. To exacerbate the situation, the fake Skype monitors incoming and outgoing messages, specifically searching for TRON or Ethereum-type address format strings. If detected, the scammers automatically replace these addresses with pre-configured ones.
SlowMist’s investigation revealed that the scammers’ TRON chain address had received nearly $193,000 in Tether (USDT) across 110 transactions. Notably, funds continue to flow in, with the most recent transaction recorded on November 8, 2023. Most of the stolen funds underwent laundering through BitKeep’s Swap service, with transaction fees covered by a user registered on the OKX crypto exchange, underscoring the sophisticated nature of this malicious operation.