BombFlower Backdoor: Uncovering an Evasive Fake Wallet Campaign


The world of Web3 and cryptocurrency is constantly evolving, and with that evolution comes new and sophisticated threats to the community. One such threat is the proliferation of fake wallets, which are designed to trick users into giving away their valuable assets. These fake wallets are a consistent problem for the Web3 community, and it takes a dedicated effort to identify and expose them.

CertiK has recently identified an organized scammer group that is actively deploying fake wallets in order to fool users. This group, which we have named BombFlower, stands out because of the evasive anti-forensic technique it uses. Because of these evasive techniques, the group's fake wallet mobile apps are largely missed by popular mobile malware detectors.

In this article, we will present a brief overview of the behavior of this group and the steps that CertiK has taken to identify and expose them. We hope the article can provide valuable insights for the Web3 community to help them stay safe and secure in the face of these threats.

Overview

As part of our research, we have been tracking the instances of fake wallets deployed by the BombFlower group. The group deployed its fake wallets as early as October 2021, and the campaign remained active in early 2023. The figure below illustrates the fake wallet hosting timeline of this campaign, including the specific wallets that have been spoofed.

 Figure 1. Timeline of wallets spoofed by the BombFlower campaign

The BombFlower group employs deceptive tactics to trick users into downloading their fake wallets. They typically host these fake wallets on sites that are designed to closely resemble legitimate ones. As seen in the figures below, using Trust Wallet as an example, these phishing sites use similar designs and layouts to the original ones, with only slight variations in the domain name. This makes it difficult for users to distinguish between the fake and legitimate sites.

 Figure 2. BombFlower's phishing websites look very similar to official websites

Technical Details of the BombFlower Backdoor

Fake wallets have been a persistent threat in the Web3 community. Typically, these fake wallets include backdoors that hook the mnemonic phrase generation function, injecting malicious code directly into the wallet's JavaScript code (e.g. index.android.bundle) or into the smali code. Previous research on the SeaFlower group has provided substantial details on this type of backdoor.

The BombFlower backdoor, however, differs from previous fake wallet malware. Its distinguishing feature is that it carries a second app binary inside the trojanized binary: the "real" fake wallet is hidden inside the BombFlower app. As shown in the figure below, the first abnormal behavior of the BombFlower malware is to extract a binary (in this case "bitkeep.apk") from its internal memory and then install this trojanized APK in a virtual client environment within the BombFlower app.

 Figure 3. Extracting and launching “bitkeep.apk” inside the BombFlower app

Users who mistakenly download and install the BombFlower app actually interact with this internal trojanized app, and their private keys or mnemonic phrases are then stolen from the device's memory.

 Figure 4. The backdoor extracts the secret

The figure below shows how the key material is copied from internal memory and sent to a server controlled by the attacker. This process was captured from the network traffic, which is shown in the figure below.

 Figure 5. User's mnemonic phrase is uploaded to the backdoored app's server

This is just a brief summary of some of the unique backdoor behavior of the BombFlower fake wallet. During our study, we have found multiple sophisticated abnormal behaviors in these trojanized mobile apps. In this article, we will only cover the outstanding features that capture the main behavior of this family. We will have a follow-up article that will disclose the other abnormal behaviors of this fake wallet malware family.

Unique Features of the BombFlower Family

ZipBomb

The BombFlower group is notable for its use of a distinctive anti-forensic technique known as a "ZipBomb." This technique is used to evade detection and analysis by researchers. In certain samples deployed by the group, the fake wallet binary contains a hidden zip bomb. When automated analysis tools are run on these fake wallets, the zip bomb is triggered and the decompiler generates a very large number of files. This makes further analysis particularly challenging unless special measures are taken during the analysis process. The figure below shows the garbage files generated by a BombFlower sample after "unzip."

 Figure 6. ZipBomb
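As an added triage example (not CertiK's tooling or code from the report), the following script applies the two observations above, the embedded second APK and the zip bomb, as pre-extraction checks: it reads only the APK's central directory and the first four bytes of each entry, flags entries with extreme compression ratios or an oversized total, and flags nested archives by name or zip magic. The sample APK it builds is constructed inline; the thresholds are assumed starting values, and "bitkeep.apk" is only borrowed as a file name from the report.

```python
import io
import zipfile

# Triage thresholds: assumed starting values, tune them for your own pipeline.
MAX_RATIO = 100.0                        # uncompressed/compressed ratio per entry
MAX_TOTAL = 512 * 1024 * 1024            # whole-archive uncompressed size (bytes)
MAX_ENTRIES = 50_000                     # file count a decompiler would have to emit
ZIP_MAGIC = b"PK\x03\x04"

def triage_apk(data: bytes, max_ratio=MAX_RATIO, max_total=MAX_TOTAL,
               max_entries=MAX_ENTRIES) -> dict:
    """Read only the central directory (plus 4 bytes per entry) and report
    zip-bomb indicators and embedded archives, without extracting the APK."""
    f = {"bomb_entries": [], "nested_archives": [], "total_uncompressed": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        f["entry_count"] = len(infos)
        for info in infos:
            f["total_uncompressed"] += info.file_size
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                f["bomb_entries"].append(info.filename)
            # BombFlower carries its real fake wallet as a second APK inside the
            # package; catch it by name and, for renamed entries, by zip magic.
            if info.filename.lower().endswith((".apk", ".jar", ".zip")):
                f["nested_archives"].append(info.filename)
            elif not info.is_dir():
                with zf.open(info) as fh:
                    if fh.read(4) == ZIP_MAGIC:
                        f["nested_archives"].append(info.filename)
    f["too_many_entries"] = f["entry_count"] > max_entries
    f["oversized"] = f["total_uncompressed"] > max_total
    f["suspicious"] = bool(f["bomb_entries"] or f["nested_archives"]
                           or f["too_many_entries"] or f["oversized"])
    return f

def build_sample() -> bytes:
    """Constructed sample (not a real BombFlower file): an outer APK holding a
    highly compressible filler entry, an inner archive named bitkeep.apk (the
    file name reported for the embedded trojan) and a renamed copy of it."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/filler.bin", b"\x00" * (4 * 1024 * 1024))  # ~1000:1
        z.writestr("assets/bitkeep.apk", inner.getvalue())
        z.writestr("assets/payload.dat", inner.getvalue())  # archive, innocuous name
    return outer.getvalue()

if __name__ == "__main__":
    print(triage_apk(build_sample()))
```

Running the checks before any extraction step keeps a zip bomb from ever being expanded, and the "nested_archives" list tells the analyst which embedded file to submit separately, which is exactly the contrast seen in the VirusTotal results discussed below.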

As a result of such evasive techniques, samples from the BombFlower group tend to evade many popular virus scanners, as indicated by their zero or low detection rate on VirusTotal. The evasion is visible when comparing the mobile app information VirusTotal reports: when a BombFlower Android sample is uploaded directly, no package information is presented, whereas uploading the internal trojanized app yields much richer information. This contrast is illustrated in the following figures.

 Figure 8. Regular APK analysis result shown for the trojan

This technique is not only unique, but also quite evasive, making it difficult for researchers to track the group's activities. The group's use of this technique is one of the reasons that CertiK has named them BombFlower, following a similar naming convention as another group of fake wallet attackers known as SeaFlower. We single these attackers out as a warning to the web3 community to be extra vigilant when dealing with potential fake wallets, and to be aware of the advanced techniques that malicious actors may use to evade detection.

BombFlower’s Hosting and Backend Infrastructure

The BombFlower group is known to use a variety of cloud providers in its fake wallet campaign. According to CertiK's observations, the group uses different providers for its hosting and backend servers (located in Hong Kong and the UK). This diversifies its infrastructure and makes it more difficult for researchers to track its activities. Despite this, CertiK has been able to link the group's different cloud providers together by identifying commonly shared domains and registration histories. The figure below illustrates how CertiK connected these disparate pieces of information and uncovered the group's infrastructure.

 Figure 9. Visualization of BombFlower’s hosting and backend infrastructure

We also attributed these fake wallet samples to a single BombFlower group by identifying multiple features shared across the campaign. These common features include shared domain and hosting infrastructure (as shown in the graph above), the adoption of a relatively unique evasive technique (the ZipBomb), and the use of similar hooking technology in the backdoors (the ddhooker Java package).

SEO Tactics Used by Fake Wallet Scammers

Fake wallet attackers often employ search engine optimization (SEO) tactics to manipulate search engine results and make their fake sites appear at the top of users' search results. One common tactic is purchasing common wallet-related keywords to increase the visibility of their fake site. The goal is to make it more likely for users to click on their fake site.

CertiK has observed this tactic being used by the BombFlower group and has provided examples in the figures below. This tactic is not unique to BombFlower, but is a common method used by fake wallet attackers to trick unsuspecting users.

 Figure 10. Malicious SEO results on Google

It is important for the Web3 community to be aware of these tactics and to be vigilant when searching for wallets online. We recommend using official websites and verifying the authenticity of a website before downloading or using any wallet. Check the wallet's reputation and reviews before downloading or using it, and be cautious of any website that appears at the top of search engine results, as the ranking may have been manipulated by fake wallet attackers.

Summary

In this blog, CertiK has identified an organized criminal group known as BombFlower that is actively deploying fake wallets to fool users. The group stands out for its use of evasive anti-forensic techniques that make it difficult for researchers to track its activities and for malware detectors to identify its fake wallets. The article covers the timeline and backdoor techniques used by this group, and highlights that the group continues to evolve its tactics. CertiK has also found further evasive backdoor behaviors in this family of fake wallets and will continue to monitor and track these scammers and attackers. The article aims to provide valuable insights for the Web3 community in the face of these threats, and readers are encouraged to stay tuned for future security studies from CertiK.
