Cointime


BombFlower Backdoor: Uncovering an Evasive Fake Wallet Campaign

The world of Web3 and cryptocurrency is constantly evolving, and with that evolution comes new and sophisticated threats to the community. One such threat is the proliferation of fake wallets, which are designed to trick users into giving away their valuable assets. These fake wallets are a consistent problem for the Web3 community, and it takes a dedicated effort to identify and expose them.

CertiK has recently identified an organized scammer group that is actively deploying fake wallets in order to fool users. This group, which we have named BombFlower, stands out because of the particular evasive anti-forensic technique it uses. Because of this technique, its fake wallet mobile apps are largely missed by popular mobile malware detectors.

In this article, we will present a brief overview of the behavior of this group and the steps that CertiK has taken to identify and expose them. We hope the article can provide valuable insights for the Web3 community to help them stay safe and secure in the face of these threats.

Overview

As part of our research, we have been tracking the instances of fake wallets deployed by the BombFlower group. BombFlower deployed its fake wallets as early as October 2021, and it continues to be active in early 2023. The figure below illustrates the timeline of fake wallet hosting by this campaign, including the specific wallets that have been spoofed.

 Figure 1. Timeline of wallets spoofed by the BombFlower campaign

The BombFlower group employs deceptive tactics to trick users into downloading their fake wallets. They typically host these fake wallets on sites that are designed to closely resemble legitimate ones. As seen in the figures below, using Trust Wallet as an example, these phishing sites use similar designs and layouts to the original ones, with only slight variations in the domain name. This makes it difficult for users to distinguish between the fake and legitimate sites.

 Figure 2. BombFlower's phishing websites look very similar to official websites

Technical Details of the BombFlower Backdoor

Fake wallets have been a persistent threat in the Web3 community. Typically, these fake wallets include backdoors that hook into the mnemonic phrase generation function, injecting malicious code directly into the wallet's JavaScript code (e.g. index.android.bundle) or into the smali code. Previous research on the SeaFlower group has provided substantial details on this type of backdoor.

The BombFlower backdoor, however, is different from previous fake wallet malware. Its distinct feature is that it embeds another app binary inside the trojaned binary: the "real" fake wallet is actually hidden inside the BombFlower app. As shown in the figure below, the first abnormal behavior of the BombFlower malware is to extract a binary (in this case "bitkeep.apk") from its internal memory and then install this trojaned APK in a virtual client environment within the BombFlower app.

 Figure 3. Extracting and launching “bitkeep.apk” inside the BombFlower app

Users who mistakenly download and install the BombFlower app actually interact with this internal trojaned app, and their private key or mnemonic phrase is then stolen from the device's memory.

 Figure 4. The backdoor extracts the secret

The image below shows how the key material is copied from internal memory and sent to a server controlled by the attacker. This process was captured from the network traffic, which is shown in the figures below.

 Figure 5. User's mnemonic phrase is uploaded to the backdoored app's server

This is just a brief summary of some of the unique backdoor behavior of the BombFlower fake wallet. During our study, we have found multiple sophisticated abnormal behaviors in these trojanized mobile apps. In this article, we will only cover the outstanding features that capture the main behavior of this family. We will have a follow-up article that will disclose the other abnormal behaviors of this fake wallet malware family.

Unique Features of the BombFlower Family

ZipBomb

The BombFlower group is notable for its use of a unique anti-forensic technique known as a "ZipBomb." This technique is used to evade detection and analysis by researchers. In certain samples deployed by the group, the fake wallet binary contains a hidden zip bomb. When automated analysis tools are run on these fake wallets, the zip bomb is triggered, causing the decompiler to generate a very large number of files. This makes further analysis particularly challenging unless special measures are taken during the analysis process. The figure below shows the garbage files generated by a BombFlower sample after "unzip."
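To triage a sample against the two traits described here (the second APK embedded in the outer app from the Technical Details section, and the zip bomb just described) without inflating the archive, here is an added Python example; it is not CertiK's tooling, and the thresholds, the in-memory sample APK and the entry names in it are assumptions.

```python
"""Pre-extraction triage of an APK (an APK is a ZIP): inspect the central
directory and flag (1) zip-bomb indicators, i.e. implausible declared
compression ratios, and (2) nested APKs, i.e. entries that are themselves
ZIPs carrying an AndroidManifest.xml. Thresholds are assumed values."""
import io
import zipfile

MAX_RATIO = 100                 # declared uncompressed/compressed size above this is suspect
NESTED_READ_LIMIT = 32 * 1024 * 1024   # only inflate inner candidates up to 32 MiB


def triage_apk(data: bytes) -> dict:
    """Return findings using the declared sizes; nothing is written to disk."""
    findings = {"zip_bomb_entries": [], "nested_apks": [], "declared_total": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings["declared_total"] += info.file_size
            # ratio from the central directory, so the bomb is never inflated here
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings["zip_bomb_entries"].append(info.filename)
                continue
            # peek at the first 4 decompressed bytes only: is the entry itself a ZIP?
            with zf.open(info) as fh:
                magic = fh.read(4)
            if magic == b"PK\x03\x04" and info.file_size <= NESTED_READ_LIMIT:
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(info))) as inner:
                        if "AndroidManifest.xml" in inner.namelist():
                            findings["nested_apks"].append(info.filename)
                except zipfile.BadZipFile:
                    pass  # PK-prefixed but not a usable archive
    return findings


def is_suspicious(findings: dict) -> bool:
    return bool(findings["zip_bomb_entries"] or findings["nested_apks"])


def build_sample() -> bytes:
    """Constructed outer APK: a manifest, 16 MiB of zeros (deflates to ~16 KiB,
    mimicking the ZipBomb trait) and an inner APK named after the report's
    "bitkeep.apk". Not a real sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/filler.bin", b"\x00" * (16 * 1024 * 1024))
        z.writestr("assets/bitkeep.apk", inner.getvalue())
    return outer.getvalue()
```

Running `triage_apk(build_sample())` flags `assets/filler.bin` as a zip-bomb indicator and `assets/bitkeep.apk` as a nested APK, which is the point at which a sandbox should switch to bounded extraction.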

 Figure 6. ZipBomb

As a result of such evasive techniques, the samples from the BombFlower group tend to evade many popular virus scanners. This is reflected in the zero or low detection rate shown on VirusTotal. We can also see this evasive behavior by comparing the mobile app information VirusTotal reports. When a BombFlower Android sample is uploaded directly to VirusTotal, no package information is presented, whereas when the internal trojan app is uploaded, much richer information is presented. This contrast is illustrated in the following figures.

 Figure 8. Regular APK analysis result shown for the trojan

This technique is not only unique but also quite evasive, making it difficult for researchers to track the group's activities. The group's use of this technique is one of the reasons CertiK has named them BombFlower, following a similar naming convention to another group of fake wallet attackers known as SeaFlower. We single these attackers out as a warning to the Web3 community to be extra vigilant when dealing with potential fake wallets, and to be aware of the advanced techniques that malicious actors may use to evade detection.

BombFlower’s Hosting and Backend Infrastructure

The BombFlower group is known to use a variety of cloud providers in its fake wallet campaign. According to CertiK's observations, the group appears to use different providers for hosting and for backend servers (located in Hong Kong and the UK). This diversifies their infrastructure and makes it more difficult for researchers to track their activities. Despite this, CertiK has been able to link the group's different cloud providers together by identifying commonly shared domains and registration histories. The figure below illustrates how CertiK connected these disparate pieces of information and uncovered the group's infrastructure.

 Figure 9. Visualization of BombFlower’s hosting and backend infrastructure

We also linked these fake wallet samples to a single BombFlower group by identifying multiple features shared across the campaign. These common features include a shared domain and hosting infrastructure (as shown in the graph above), the adoption of a relatively unique evasive technique (the ZipBomb), and the use of similar hooking technology in the backdoor (the ddhooker Java package).

SEO Tactics Used by Fake Wallet Scammers

Fake wallet attackers often employ search engine optimization (SEO) tactics to manipulate search engine results so that their fake sites appear at the top of users' search results. One common tactic is purchasing common wallet-related keywords to increase the visibility of the fake site, making it more likely that users will click on it.

CertiK has observed this tactic being used by the BombFlower group and has provided examples in the figures below. This tactic is not unique to BombFlower, but is a common method used by fake wallet attackers to trick unsuspecting users.

 Figure 10. Malicious SEO results on Google

It is important for the Web3 community to be aware of these tactics and to be vigilant when searching for wallets online. Use official websites and check the authenticity of a website before downloading or using any wallet. Check the wallet's reputation and reviews before downloading or using it, and be cautious of any website that appears at the top of search engine results, as those results may have been manipulated by fake wallet attackers.

Summary

In this blog, CertiK has identified an organized criminal group known as BombFlower that is actively deploying fake wallets to fool users. The group stands out for its use of evasive anti-forensic techniques that make it difficult for researchers to track its activities and for malware detectors to identify its fake wallets. The article covers the timeline and backdoor techniques used by this group and highlights that the group continues to evolve its tactics. Additionally, CertiK has found further evasive backdoor behaviors in this family of fake wallets and will continue to monitor and track these scammers and attackers. The article aims to provide valuable insights for the Web3 community in the face of these threats, and readers are encouraged to stay tuned for future security studies from CertiK.
