OKX SlowMist jointly released | Bom malware swept tens of thousands of users and stole assets exceeding $1.82 million

欧易OKX
In-depth investigation showed that the application is a carefully disguised scam app: the criminals use it to trick users into granting permissions, illegally obtain their mnemonics/private keys, and then carry out systematic asset transfers and concealment.


On February 14, 2025, many users reported that their wallet assets had been stolen. On-chain data analysis showed that every case matched the pattern of a mnemonic/private key leak. Following up with the victims, we found that most of them had installed and used an application called BOM. In-depth investigation showed that the application is a carefully disguised scam app: after tricking users into granting permissions through the app, the criminals illegally obtained their mnemonics/private keys and then carried out systematic asset transfers and concealment. The SlowMist AML team and the OKX Web3 security team therefore investigated and are disclosing the modus operandi of the malware, together with an on-chain tracking analysis, in the hope of giving more users security warnings and advice.


1. Malware Analysis (OKX)

With the users' consent, the OKX Web3 security team collected the APK files of the BOM application from some users' phones for analysis. The details are as follows:

1. Conclusion

1. After the user enters the contract page, the malicious app tricks them into granting local file and photo album permissions on the grounds that the application needs them to run.

2. Once authorized, the app scans and collects the media files in the device's photo album in the background, packages them and uploads them to its server. If the user's files or photo album contain mnemonics or private keys, the criminals can use the collected material to steal the user's wallet assets.

2. Analysis process

1. Preliminary analysis of samples

1) Application signature analysis

The signature subject is not a normal one. After parsing, it reads adminwkhvjv, a string of meaningless random characters. Legitimate applications usually use a meaningful combination of letters.


2) Malicious permissions analysis

In the app's AndroidManifest file, a large number of permissions are registered, among them information-sensitive ones: reading and writing local files, reading media files, and access to the photo album.
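One way to make this manifest review repeatable is to decode the APK (for example with apktool) and triage the declared permissions against a small table of sensitive categories. The script below is an added example, not OKX or SlowMist tooling; the sample manifest is constructed to mirror the pattern described above (a wallet app that also asks for storage, media and album access), and the "expected for a wallet app" set is an assumption to adjust per app.

```python
"""Triage the permissions declared in a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by what they expose on the device.
SENSITIVE = {
    "android.permission.READ_EXTERNAL_STORAGE": "local files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "local files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "local files",
    "android.permission.READ_MEDIA_IMAGES": "photo album",
    "android.permission.READ_MEDIA_VIDEO": "photo album",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
}

# What a wallet/DApp client plausibly needs (assumption, adjust per app).
# Any sensitive permission outside this set deserves a question in review.
EXPECTED_FOR_WALLET = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",  # QR-code scanning
}

# Constructed sample manifest; not the BOM sample's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_MEDIA_VIDEO"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml: str) -> dict:
    """Map sensitivity category -> sensitive permissions that fall outside the
    expected set. An empty dict means there is nothing to flag."""
    findings = {}
    for perm in declared_permissions(manifest_xml):
        if perm in SENSITIVE and perm not in EXPECTED_FOR_WALLET:
            findings.setdefault(SENSITIVE[perm], []).append(perm)
    return findings


if __name__ == "__main__":
    for category, perms in triage(SAMPLE_MANIFEST).items():
        print(f"[!] {category}: {', '.join(perms)}")
```

Run against the decoded manifest of a real sample, the output lists exactly the categories the analysts flagged here: local file access and photo album access, neither of which a blockchain client needs to operate.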


2. Dynamic Analysis

Because the app's backend service was offline at the time of analysis, the app could not run normally and dynamic analysis could not be performed for the time being.

3. Decompilation analysis

After decompilation, we found that the dex of this application contained very few classes, so we analyzed these classes statically at the code level.


Their main logic is to decrypt some files and load the application from them:


The build artifacts of uniapp are found in the assets directory, indicating that the app was developed with the cross-platform framework uniapp:


In an application built on the uniapp framework, the main logic lives in the build artifact app-service.js, while some key code is encrypted in app-confusion.js. We started the analysis from app-service.js.

1) Trigger entry

Among the registered page entries, we found the entry for the contract page:


The corresponding function index is 6596:


2) Initialization reporting of device information

The onLoad() callback that fires after the contract page is loaded calls doContract():


doContract() in turn calls initUploadData():


initUploadData() first checks the network status and whether the image and video lists are empty, and finally invokes the callback e():


The callback e() is getAllAndIOS():


3) Check and request permissions

On iOS, the app first requests the permission, using copy that claims the application needs it to run normally. The request is highly suspicious: a blockchain-related application has no need for photo album access in its normal operation, so the request clearly exceeds what the application requires.


On Android, the app likewise checks for and requests the photo album permission first:


4) Collect and read album files

androidDoingUp then reads the pictures and videos and packages them:


5) Upload album files

Finally, the package is uploaded in uploadBinFa(), uploadZipBinFa() and uploadDigui(). Note that the upload endpoint path is also a random string of characters:


The iOS flow is similar: once the permission is granted, the app starts collecting the content to upload through getScreeshotAndShouchang():


6) Upload interface

The commonUrl domain in the upload URL is returned by the /api/bf9023/c99so interface:


The domain of that interface itself comes from uniapp's local cache:


We did not find the code that writes to the cache; it is probably encrypted and obfuscated inside app-confusion.js. The domain was observed in the application cache left over from an earlier run:


2. On-chain Funding Analysis (SlowMist)

According to MistTrack, the on-chain tracking and anti-money laundering tool of SlowMist AML, the current main theft address (0x49aDd3E8329f2A2f507238b0A684d03EAE205aab) has stolen funds from at least 13,000 users, with proceeds of more than 1.82 million US dollars.


(https://dune.com/queries/4721460)


The first transaction of the address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab occurred on February 12, 2025, and 0.001 BNB was transferred from the address 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35 as the initial capital:


Analyzing the address 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35, its first transaction also occurred on February 12, 2025, and its initial funds came from the address 0x71552085c854EeF431EE55Da5B024F9d845EC976, which MistTrack labels Theft-Stolen Private Key:


Continuing with the fund flow of the initial hacker address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab:

BSC: profit of about $37,000, including USDC, USDT, WBTC and other tokens; PancakeSwap was used repeatedly to swap some tokens for BNB:


The current address balance is 611 BNB and tokens worth approximately $120,000, such as USDT, DOGE, and FIL.


Ethereum: profit of about $280,000, most of it ETH bridged in from other chains. 100 ETH was then transferred to 0x7438666a4f60c4eedc471fa679a43d8660b856e0, an address that also received 160 ETH from the address 0x71552085c854EeF431EE55Da5B024F9d845EC976 mentioned above. The combined 260 ETH has not been moved out yet.


Polygon: profit of about 37,000 or 65,000 US dollars, including WBTC, SAND, STG and other tokens. Most of the tokens have been swapped into 66,986 POL through OKX-DEX. The current balance of the hacker address is as follows:


Arbitrum: profit of about $37,000, including USDC, USDT, WBTC and other tokens; the tokens were converted to ETH and a total of 14 ETH was bridged to Ethereum through OKX-DEX:


Base: profit of about $12,000, including FLOCK, USDT, MOLLY and other tokens; the tokens were converted to ETH and a total of 4.5 ETH was bridged to Ethereum through OKX-DEX:


The remaining chains are not described in detail here. We also briefly analyzed another hacker address provided by a victim.

The first transaction of the hacker address 0xcb6573E878d1510212e84a85D4f93Fd5494f6EA0 appeared on February 13, 2025. Its profit is about 650,000 US dollars across multiple chains, and the USDT involved was bridged to the TRON address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx:


The address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx received a total of 703,119.2422 USDT and currently holds 288,169.2422 USDT. Of the outflows, 83,000 USDT went to the address TZJiMbiqBBxDXhZXbrtyTYZjVDA2jd4eus, where it remains, and the remaining 331,950 USDT went to the address THKqT6PybrzcxkpFBGSPyE11kemRNRmDDz, which has interacted with Huionepay.
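The two steps this section performs by hand, walking backwards from a theft address to its first funder until a labelled address is reached and then totalling inflows and outflows of a cash-out hub, are mechanical once the transfer records are in hand. The script below is an added example and is not MistTrack or SlowMist code. The addresses are the ones named above; the transfer records are constructed from the figures given in this section (the BNB amount from the labelled source to the funder is not stated on the page and is an assumed placeholder), and the script pulls no on-chain data itself.

```python
"""Funding-trail walk and balance reconstruction over a list of transfers."""
from decimal import Decimal
from typing import Dict, List, Optional

THEFT_ADDR = "0x49aDd3E8329f2A2f507238b0A684d03EAE205aab"
FUNDER = "0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35"
LABELED_SOURCE = "0x71552085c854EeF431EE55Da5B024F9d845EC976"
TRON_HUB = "TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx"
TRON_PARKED = "TZJiMbiqBBxDXhZXbrtyTYZjVDA2jd4eus"
TRON_CASHOUT = "THKqT6PybrzcxkpFBGSPyE11kemRNRmDDz"

# Address labels as the report attributes them to MistTrack.
LABELS = {LABELED_SOURCE: "Theft-Stolen Private Key"}

# Constructed records (chain, sender, receiver, asset, amount), in chronological
# order. Amounts follow the report except the first, which is an assumption.
TRANSFERS = [
    ("BSC", LABELED_SOURCE, FUNDER, "BNB", Decimal("0.01")),        # amount assumed
    ("BSC", FUNDER, THEFT_ADDR, "BNB", Decimal("0.001")),
    ("TRON", "T_bridge_constructed", TRON_HUB, "USDT", Decimal("703119.2422")),
    ("TRON", TRON_HUB, TRON_PARKED, "USDT", Decimal("83000")),
    ("TRON", TRON_HUB, TRON_CASHOUT, "USDT", Decimal("331950")),
]


def first_funder(address: str, transfers=TRANSFERS) -> Optional[str]:
    """Sender of the earliest transfer into `address` (records are chronological)."""
    for _chain, src, dst, _asset, _amt in transfers:
        if dst == address:
            return src
    return None


def funding_trail(address: str, transfers=TRANSFERS, max_hops: int = 10) -> List[str]:
    """Walk back hop by hop from `address`, stopping at a labelled address,
    a dead end, a cycle, or the hop limit."""
    trail = [address]
    while len(trail) <= max_hops:
        prev = first_funder(trail[-1], transfers)
        if prev is None or prev in trail:
            break
        trail.append(prev)
        if prev in LABELS:
            break
    return trail


def balance(address: str, asset: str, transfers=TRANSFERS) -> Decimal:
    """Inflows minus outflows of one asset at `address`."""
    total = Decimal(0)
    for _chain, src, dst, a, amt in transfers:
        if a != asset:
            continue
        if dst == address:
            total += amt
        if src == address:
            total -= amt
    return total


def outflows(address: str, asset: str, transfers=TRANSFERS) -> Dict[str, Decimal]:
    """Total sent from `address` per receiving address, for one asset."""
    out: Dict[str, Decimal] = {}
    for _chain, src, dst, a, amt in transfers:
        if src == address and a == asset:
            out[dst] = out.get(dst, Decimal(0)) + amt
    return out


if __name__ == "__main__":
    trail = funding_trail(THEFT_ADDR)
    print("funding trail:", " <- ".join(trail), f"[{LABELS.get(trail[-1], 'unlabelled')}]")
    print("TRON hub balance:", balance(TRON_HUB, "USDT"), "USDT")
    for dst, amt in outflows(TRON_HUB, "USDT").items():
        print(f"  -> {dst}: {amt} USDT")
```

Decimal is used rather than float so the reconstructed balance matches the report's 288,169.2422 USDT exactly; with floats the four-decimal amounts would accumulate rounding error. The trail walk stops at the first labelled address, which is the point at which an analyst would pivot to that address's own history.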


We will continue to monitor the addresses that still hold a balance.

3. Safety Recommendations

To help users raise their security awareness, the SlowMist AML team and the OKX Web3 security team have compiled the following recommendations:

1. Never download software from unknown sources (including so-called "wool-pulling" airdrop-farming tools and any software from unknown publishers).

2. Never trust software download links recommended by friends or communities; always download from official channels.

3. Download and install apps from regular channels, including Google Play, App Store, and major official app stores.

4. Keep your mnemonics safe: do not store them as screenshots or photos, in a notepad app, or on cloud storage. The OKX wallet mobile app blocks screenshots on the private key and mnemonic pages.

5. Store mnemonics physically instead, for example by writing them on paper, keeping them in a hardware wallet, or using segmented storage (splitting the mnemonic/private key and keeping the parts in different locations).

6. Rotate wallets regularly where possible; moving to a fresh wallet helps eliminate latent security risks.

7. Use professional on-chain tracking tools, such as MistTrack (https://misttrack.io/), to monitor and analyze funds, reduce the risk of fraud or phishing, and better protect asset security.

8. We strongly recommend reading the Blockchain Dark Forest Selfguard Handbook written by Yu Xian, founder of SlowMist.

Disclaimer

This content is for reference only and does not constitute and should not be considered as (i) investment advice or recommendation, (ii) an offer or solicitation to buy, sell or hold digital assets, or (iii) financial, accounting, legal or tax advice. We do not guarantee the accuracy, completeness or usefulness of such information. Digital assets (including stablecoins and NFTs) are subject to market fluctuations, involve high risks, may depreciate in value, or even become worthless. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation and risk tolerance. Please consult your legal/tax/investment professional for your specific situation. Not all products are available in all regions. For more details, please refer to the OKX Terms of Service and Risk Disclosure Disclaimer. OKX Web3 Mobile Wallet and its derivative services are subject to separate terms of service. Please be responsible for understanding and complying with local applicable laws and regulations.

Original article by 欧易OKX. For reprints, content collaboration or reports, contact report@odaily.email; unauthorized reprinting will be pursued under the law.
