Blockchain security firm SlowMist revealed a new phishing attack involving a fake Skype app to steal crypto funds from an unsuspecting victim.
The victim contacted SlowMist directly, explaining that his funds were stolen after downloading what he thought was the Skype app from the internet. The scam underscores the vulnerability users face, especially in regions like China, where direct downloads are a substitute for unavailable official app stores, SlowMist said in its report.
“Due to the inaccessibility of Google Play in China, many users often resort to searching for and downloading apps directly from the internet,” SlowMist wrote. “However, the types of fake apps available online are not limited to just wallets and exchanges. Social media applications like Telegram, WhatsApp and Skype are also heavily targeted.”
SlowMist’s subsequent investigation revealed several red flags, with the app's certificate effective date hinting it was newly created in September and signature information pointing toward Chinese origin. A Baidu search found multiple sources of the fake app consistent with the one provided by the victim, SlowMist noted.
How the fake app stole crypto funds
The fake Skype app, camouflaged as the genuine video chat tool and injected with malicious code, monitors for and uploads files and images from users' devices in a bid to capture sensitive information.
Since apps like Skype are used to transfer files and make calls, users don’t usually suspect the activity, SlowMist said — enabling the attackers to obtain user permissions to upload the files, as well as device information, user IDs and phone numbers.
More specifically, the fake Skype app monitors incoming and outgoing messages to see if they contain Ethereum or Tron blockchain addresses. If detected, these are replaced with hardcoded and dynamic malicious addresses by the attackers, SlowMist said, in an attempt to route any payments to themselves instead.
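The swap described above can be caught by a simple integrity check: compare the recipient addresses in the message the user composed with those in the message that actually left the device. The Python below is an added defensive example, not code from SlowMist's report or from The Block; it assumes the standard Ethereum (0x followed by 40 hex characters) and Tron (34-character base58 string starting with T) address formats, and the messages it checks are constructed samples.

```python
import re

# Address patterns (assumption: standard formats, not taken from the report).
# Ethereum: "0x" followed by 40 hex characters.
# Tron: base58 (no 0, O, I, l), 34 characters, first character "T".
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


def extract_addresses(text):
    """Return the (chain, address) pairs found in a message, in text order."""
    found = []
    for m in ETH_RE.finditer(text):
        # Ethereum hex addresses are case-insensitive, so normalise them.
        found.append((m.start(), "ethereum", m.group(0).lower()))
    for m in TRON_RE.finditer(text):
        found.append((m.start(), "tron", m.group(0)))
    return [(chain, addr) for _, chain, addr in sorted(found)]


def detect_substitution(composed, delivered):
    """Compare the composed message with the delivered one.

    Returns a list of (chain, original, replacement) tuples for every address
    that changed in transit; an empty list means no address was swapped.
    A differing address count is reported as ("count", before, after).
    """
    before = extract_addresses(composed)
    after = extract_addresses(delivered)
    swaps = []
    for (chain_b, addr_b), (_, addr_a) in zip(before, after):
        if addr_b != addr_a:
            swaps.append((chain_b, addr_b, addr_a))
    if len(before) != len(after):
        swaps.append(("count", len(before), len(after)))
    return swaps


if __name__ == "__main__":
    # Constructed sample: the user typed one Tron address, the device sent another.
    typed = "Please send the USDT to " + ("T" + "A" * 33)
    sent = "Please send the USDT to " + ("T" + "B" * 33)
    print(detect_substitution(typed, sent))
```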
The SlowMist team found one of the malicious Tron addresses used had received nearly 200,000 USDT ($200,000) over 110 deposit transactions, most recently on Nov. 8. It also identified an Ethereum address that received 7,800 USDT in 10 transactions that were transferred out using BitKeep’s swap service, with the transaction fees sourced from OKX.
However, the phishing interface’s backend has now been shut down and no longer returns malicious addresses, SlowMist noted.
The Binance fake app connection
Notably, the phishing domain linked to the app initially impersonated the crypto exchange Binance before switching to mimic Skype's backend in May. A series of fake domains using the format “bn-download[number].com” have specifically been used for Binance fake app phishing attacks, indicating the group's general focus on the lucrative web3 sector, SlowMist said.
SlowMist advised users to use official app download channels only and enhance their security awareness to mitigate the risk of falling victim to such phishing attacks.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.