OKX & SlowMist Joint Announcement | Bom Malware Rampant Among Thousands of Users, Stealing Over $1.82 Million in Assets

Source: OKX

On February 14, 2025, multiple users reported a concentrated theft of wallet assets. Through on-chain data analysis, it was determined that the theft cases all exhibited characteristics of mnemonic phrase/private key leakage. Further investigation revealed that the affected users had mostly installed and used an application called BOM. A deep dive investigation showed that this application was actually a carefully disguised fraudulent software. Malicious actors used this software to deceive users into granting authorization, through which they illegitimately obtained mnemonic phrase/private key access, enabling them to execute systematic asset transfers and concealment. As a result, the SlowMist AML team and the OKX Web3 Security team conducted an investigation and disclosure of the malicious software tactics and performed on-chain tracking analysis, aiming to provide more users with security alerts and recommendations.

1. Malicious Software Analysis (OKX)

With user consent, the OKX Web3 Security team collected the apk files of the BOM application from some users' phones for analysis. The specific details are as follows:

(A) Conclusion

Once inside the contract page, the malicious app falsely claims that it needs to run the application and deceives users into granting local file and photo album permissions.

After obtaining user authorization, the application scans in the background and collects media files from the device's album, packages them, and uploads them to the server. If the user's files or albums contain mnemonic phrases or private key-related information, malicious actors may exploit this collected information from the application to steal user wallet assets.

(B) Analysis Process

1. Initial Sample Analysis

1) Application Signature Analysis

The signature subject is non-standard and resolves to adminwkhvjv, which is a meaningless string of random characters. Normal applications typically have a meaningful letter combination as their signature.

2) Malicious Permission Analysis

In the application's AndroidManifest file, numerous permissions are registered, some of which are sensitive information permissions, including read/write local files, read media files, and access to the photo album.

2. Dynamic Analysis

Due to the backend API service being offline during the analysis, the app cannot function properly, and dynamic analysis cannot be performed at the moment.

3. Decompilation Analysis

Upon decompilation, it was found that the number of classes in the app's dex file is very low. Therefore, a code-level static analysis was conducted on these classes.

The main logic involves decrypting some files and loading the application:

A uni-app artifact file was found in the assets directory, indicating that the app was developed using the cross-platform framework UniApp:

The primary logic of an application developed under the UniApp framework lies in the artifact file app-service.js, with some key code encrypted in app-confusion.js. We primarily start the analysis from app-service.js.

1) Trigger Entry

At the entry points of various pages, the entry point for a page named "contract" was found.

The corresponding function index is 6596.

2) Device Information Initialization Reporting

Once the contract page is loaded, the onLoad() callback will invoke doContract().

Within doContract(), initUploadData() is called.

In initUploadData(), it will first check the network status and also verify if the image and video lists are empty. Finally, it will call the callback e().

The callback e() is actually getAllAndIOS().

3) Check and Request Permissions

Here, in iOS, permissions are requested first, deceiving users into granting permission with wording that the app needs to function properly. This permission request behavior is quite suspicious. As an application related to blockchain, its normal operation does not inherently require access to the photo library, making this request clearly beyond the app's legitimate operational needs.

On Android, similarly, photo library permissions are checked and requested first.

4) Collect and Read Photo Library Files

Then, in androidDoingUp(), images and videos are read and packaged.

5) Upload Photo Library Files

Finally, uploading is done in uploadBinFa(), uploadZipBinFa(), and uploadDigui(), where the upload interface path is also a randomly generated string.

The iOS process is similar; after obtaining permission, content is collected for upload using getScreeshotAndShouchang() on iOS.

6) Upload Interface

The commonUrl domain in the reported URL is sourced from the response of the /api/bf9023/c99so interface.

The domain of this interface is sourced from the local cache of the UniApp.

No code for writing to the cache was found; it may be encrypted and obfuscated and exist in app-confusion.js. The domain was observed in the application cache during a historical run.

II. On-chain Fund Analysis (SlowMist)

According to MistTrack, an on-chain tracking and anti-money laundering tool under SlowMist AML, the primary exploit address (0x49aDd3E8329f2A2f507238b0A684d03EAE205aab) has stolen funds from at least 13,000 users, with profits exceeding $1.82 million.

(https://dune.com/queries/4721460)

The address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab's first transaction occurred on February 12, 2025, with address 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35 sending 0.001 BNB as initial funding.

Address analysis 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35. The first transaction involving this address also occurred on February 12, 2025, with the initial funds coming from an address marked by MistTrack as "Theft - Stolen Private Key" at 0x71552085c854EeF431EE55Da5B024F9d845EC976:

Further analysis of the initial hacker address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab's fund movement:

BSC: Profits of approximately $37,000, including USDC, USDT, WBTC, and other tokens. Partial tokens are often exchanged for BNB using PancakeSwap:

The current address balance is 611 BNB and tokens worth approximately $120,000, such as USDT, DOGE, FIL.

Ethereum: Profits of approximately $280,000, mostly from ETH transferred from other chains. Then, 100 ETH was transferred to 0x7438666a4f60c4eedc471fa679a43d8660b856e0. This address also received 160 ETH from the above address 0x71552085c854EeF431EE55Da5B024F9d845EC976, for a total of 260 ETH that has not yet been transferred out.

Polygon: Profits of approximately $37,000 or $65,000, including WBTC, SAND, STG, and other tokens. Most of the tokens have been exchanged for 66,986 POL through OKX-DEX. The current balance of the hacker address is as follows:

Arbitrum: A profit of approximately $37,000, including various coins such as USDC, USDT, WBTC, with the tokens exchanged to ETH. A total of 14 ETH was cross-chain transferred to Ethereum via OKX-DEX:

Base: A profit of approximately $12,000, including coins like FLOCK, USDT, MOLLY, with the tokens exchanged to ETH. A total of 4.5 ETH was cross-chain transferred to Ethereum via OKX-DEX:

Details of other chains are not elaborated further. We also conducted a simple analysis on another hacker address provided by the victim.

The hacker address 0xcb6573E878d1510212e84a85D4f93Fd5494f6EA0 had its first transaction on February 13, 2025, with a profit of approximately $650,000 involving multiple chains. The related USDT was all cross-chain transferred to the TRON address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx:

The address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx received a total of 703,119.2422 USDT, with a balance of 288,169.2422 USDT. Out of this, 83,000 USDT was transferred to the address TZJiMbiqBBxDXhZXbrtyTYZjVDA2jd4eus and not further withdrawn, while the remaining 331,950 USDT was sent to an address that had interacted with Huionepay before, the address being THKqT6PybrzcxkpFBGSPyE11kemRNRmDDz.

We will continue to monitor the balances of the related addresses.

III. Security Recommendations

To help users enhance their security awareness, SlowMist's AML team and OKX's Web3 security team have compiled the following security recommendations:

· Do not download software from unknown sources (including so-called "freeloading tools" and any software from unidentified publishers).

· Do not trust software download links recommended by friends or communities; make sure to download from official channels.

· Download and install apps from legitimate sources, such as Google Play, the App Store, and various official app stores.

· Safely store your mnemonic phrase; do not use methods such as screenshots, photos, notepads, or cloud storage. The OKX Wallet mobile app has already disabled the screenshot feature on the private key and mnemonic pages.

· Physically store your mnemonic phrase by writing it on paper, using a hardware wallet, segmenting storage (splitting the mnemonic phrase/private key and storing it in different places), etc.

· Regularly change your wallet; conditionally replacing your wallet regularly helps eliminate potential security risks.

· Utilize professional on-chain tracking tools such as MistTrack (https://misttrack.io/) to monitor and analyze funds, reduce the risk of fraud or phishing events, and better protect asset security.

· Strongly recommend reading the "Blockchain Dark Forest Self-Defense Handbook" written by Cosmos, the founder of SlowMist.

Disclaimer

This content is for reference only and should not be construed as (i) investment advice or recommendation, (ii) a solicitation or offer to buy, sell, or hold digital assets, or (iii) financial, accounting, legal, or tax advice. We do not guarantee the accuracy, completeness, or usefulness of such information. Digital assets (including stablecoins and NFTs) are subject to market fluctuations, involve high risk, may depreciate, or even become worthless. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation and risk tolerance. Consult your legal/tax/investment professional for your specific situation. Not all products are available in all regions. For more details, please refer to the OKX Terms of Service and Risk Disclosure & Disclaimer. The OKX Web3 mobile wallet and its derivative services are subject to separate terms of service. You are responsible for understanding and complying with local applicable laws and regulations.

This article is a contributed piece and does not represent the views of BlockBeats