OKX & SlowMist Joint Release|Bom malware swept tens of thousands of users and stole assets of more than 1.82 million US dollars

Reprinted from chaincatcher
02/27/2025

On February 14, 2025, several users reported that their wallet assets had been stolen. On-chain data analysis showed that all of the theft cases matched the pattern of a mnemonic phrase or private key leak. A further review of the victims found that most of them had installed and used an app called BOM. In-depth investigation showed that the application is a carefully disguised fraud app: after inducing users to authorize it, the criminals illegally obtain the mnemonic phrases/private keys and then carry out systematic asset transfer and concealment. The SlowMist AML team and the OKX Web3 security team therefore investigated the malware and are disclosing its methods, together with on-chain tracking and analysis, in the hope of providing users with security warnings and suggestions.
1. Malware Analysis (OKX)
With the user's consent, the OKX Web3 security team collected the apk files of the BOM application on some users' mobile phones for analysis. The specific details are as follows:
(I) Conclusion
- After entering the contract page, the malicious app deceives users into granting local file and album permissions, claiming that the app needs them in order to run.
- After obtaining authorization, the app scans and collects the media files in the device's album in the background, packages them, and uploads them to its server. If the user's files or album contain mnemonic phrases or private keys, the criminals can use the collected material to steal the user's wallet assets.
(II) Analysis process
1. Preliminary sample analysis
1) Application signature analysis
The signature subject is not standard: it parses as adminwkhvjv, a string of meaningless random characters. A normal application's signer is usually a meaningful combination of letters.
2) Malicious permission analysis
The app's AndroidManifest file registers a large number of permissions, including sensitive ones such as reading and writing local files and reading media files and photo albums.
2. Dynamic analysis
Since the app's back-end interface service was already offline at the time of analysis, the app could not run normally and dynamic analysis could not be performed.
3. Decompile analysis
After decompiling, it was found that the dex in this application contains very few classes; static analysis at the code level was conducted on these classes.
Its main logic is to decrypt some files and then load the application:
The uniapp build artifacts in the assets directory show that the app was developed with the cross-platform framework uniapp:
For applications developed with the uniapp framework, the main logic is in the build artifact app-service.js, with some key code encrypted into app-confusion.js. We therefore start the analysis from app-service.js.
1) Trigger the entrance
At the entry point where each page is registered, an entry named contract was found.
Its corresponding function index is 6596.
2) Device information initialization and reporting
The onLoad() callback, invoked after the contract page has loaded, calls doContract().
doContract() calls initUploadData().
initUploadData() first checks the network status, then checks the picture and video lists, and finally invokes the callback e().
The callback e() is getAllAndIOS().
3) Check and request permissions
Here, permissions are first requested on iOS, and the user is deceived into agreeing by a prompt claiming they are required for the app to run normally. This authorization request is highly suspicious: for a blockchain-related application, album permissions have no necessary relation to normal operation, so the request clearly exceeds what the app needs.
On Android, the app first checks for and requests album permissions.
4) Collect and read album files
Then the pictures and videos are read and packaged in androidDoingUp.
5) Upload album files
Finally, the upload is performed in uploadBinFa(), uploadZipBinFa() and uploadDigui(); the upload interface path is also a random string.
The iOS flow is similar: after obtaining permissions, the app begins collecting content for upload via getScreeshotAndShouchang().
6) Upload interface
The commonUrl domain in the upload URL comes from the response of the /api/bf9023/c99so interface.
The domain of this interface itself comes from uniapp's local cache.
The code that writes it to the cache was not found; it may be obfuscated and live in app-confusion.js. The domain was observed in the application cache left by a previous run.
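The two static indicators above (storage/album permissions a wallet app has no need for, and a random-looking signer name) can be turned into a quick triage check. The script below is an added example, not code from the OKX or SlowMist teams; the manifest it parses is a constructed sample, and the signer-name heuristic is a coarse assumption rather than a published rule.

```python
"""Added triage example: flag (1) storage/album permissions in a decoded
AndroidManifest.xml that a wallet app does not need and (2) a signer CN that
looks like random characters, as 'adminwkhvjv' did. Sample data is constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Storage/album permissions abused for exfiltration in the report; none of
# them is required to sign or broadcast a transaction.
MEDIA_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

# Constructed manifest modelled on the behaviour described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_MEDIA_VIDEO"/>
</manifest>"""


def flagged_permissions(manifest_xml: str) -> list:
    """Return the requested permissions that fall in MEDIA_PERMS, sorted."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(requested & MEDIA_PERMS)


def looks_random(cn: str) -> bool:
    """Coarse heuristic (assumption): few vowels or a long consonant run.
    'SlowMist' and 'OKX Technology' pass; 'adminwkhvjv' is flagged."""
    letters = re.sub(r"[^a-z]", "", cn.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max(len(r) for r in re.split(r"[aeiou]+", letters))
    return vowel_ratio < 0.2 or longest_run >= 4


def triage(manifest_xml: str, signer_cn: str) -> dict:
    """Combine both indicators into one verdict for the sample."""
    perms = flagged_permissions(manifest_xml)
    junk_cn = looks_random(signer_cn)
    return {"media_permissions": perms, "random_cn": junk_cn,
            "suspicious": bool(perms) and junk_cn}
```

A real manifest must first be decoded from the APK's binary XML (for example with apktool) before being fed to `flagged_permissions`.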
2. On-chain fund analysis (SlowMist)
According to analysis by MistTrack, the on-chain tracking and anti-money-laundering tool of SlowMist AML, the main theft address (0x49aDd3E8329f2A2f507238b0A684d03EAE205aab) has stolen funds from at least 13,000 users, for a profit of more than 1.82 million US dollars.
(https://dune.com/queries/4721460)
The first transaction of this address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab was an incoming 0.001 BNB as its initial funds:
Analyzing the address 0x9AEf1CA082c17f9D52Aa98ca861b50c776dECC35: its first transaction also appeared on February 12, 2025, and its initial funds came from the address 0x71552085c854EeF431EE55Da5B024F9d845EC976, which MistTrack labels "Theft - stolen private key":
Continue to analyze the capital flow of the initial hacker address 0x49aDd3E8329f2A2f507238b0A684d03EAE205aab:
BSC: profit of about US$37,000, including USDC, USDT, WBTC and other tokens. PancakeSwap was frequently used to swap tokens for BNB:
The current balance of the address is 611 BNB plus tokens worth approximately US$120,000, such as USDT, DOGE and FIL.
Ethereum: profit of about US$280,000, most of it ETH bridged in from other chains. 100 ETH was then transferred to 0x7438666a4f60c4eedc471fa679a43d8660b856e0, which also received 160 ETH from the above address 0x71552085c854EeF431EE55Da5B024F9d845EC976; a total of 260 ETH has not yet been moved out.
Polygon: profit of approximately US$37 or 65,000, including WBTC, SAND, STG and other tokens. Most of the tokens were swapped for 66,986 POL through OKX-DEX. The current balance of the hacker address is as follows:
Arbitrum: profit of about US$37,000, including USDC, USDT, WBTC and other tokens. The tokens were swapped for ETH, and a total of 14 ETH was bridged to Ethereum through OKX-DEX:
Base: profit of about US$12,000, including FLOCK, USDT, MOLLY and other tokens. The tokens were swapped for ETH, and a total of 4.5 ETH was bridged to Ethereum via OKX-DEX:
The remaining chains are not described here. We also briefly analyzed another hacker address provided by a victim.
Hacker address 0xcb6573E878d1510212e84a85D4f93Fd5494f6EA0: its first transaction appeared on February 13, 2025, and it made a profit of approximately US$650,000 across multiple chains. The related USDT was all bridged to the TRON address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx:
Address TFW52pZ3GPPUNW847rdefZjqtTRxTCsdDx received a total of 703,119.2422 USDT and currently holds 288,169.2422 USDT. Of the rest, 83,000 USDT was transferred to the address TZJiMbiqBBxDXhZXbrtyTYZjVDA2jd4eus, where it has not been moved on, and the remaining 331,950 USDT was transferred to the address THKqT6PybrzcxkpFBGSPyE11kemRNRmDDz, which had interacted with Huionepay.
We will continue to monitor the addresses holding the relevant balances.
3. Safety advice
To help users improve protection awareness, the SlowMist AML team and the OKX Web3 security team have compiled the following security suggestions:
- Never download software from unknown sources (including so-called "wool-pulling tools" and any software from unknown publishers).
- Do not blindly trust software download links recommended by friends or communities; identify the official channel and download from it.
- Download and install apps from legitimate channels; the main ones are Google Play, the App Store and major official app stores.
- Store mnemonic phrases properly, and do not save them as screenshots, photos, notepad entries, cloud drive files or similar. The OKX Wallet mobile app blocks screenshots of the private key and mnemonic phrase pages.
- Store mnemonic phrases physically, for example by writing them on paper, keeping them in a hardware wallet, or storing them in segments (splitting the mnemonic phrase/private key and keeping the parts in different locations).
- Where conditions allow, rotate your wallet regularly; this helps eliminate potential security risks.
- Use professional on-chain tracking tools such as MistTrack (https://misttrack.io/) to monitor and analyze funds, reducing the risk of fraud or phishing incidents and better securing your assets.
- It is highly recommended to read the "Blockchain Dark Forest Self-Rescue Manual" written by SlowMist founder Cosine.
Disclaimer
This content is for informational purposes only and does not constitute or should not be considered as (i) investment advice or recommendation, (ii) an offer or solicitation for the purchase, sale or holding of digital assets, or (iii) financial, accounting, legal or tax advice. We do not guarantee the accuracy, completeness or usefulness of such information. Digital assets (including stablecoins and NFTs) are affected by market volatility, involve high risks, can depreciate, and even become worthless. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation and risk tolerance. For your specific situation, please consult your legal/tax/investment professional. Not all products are available in all regions. For more details, please refer to the OKX Terms of Service and Risk Disclosure & Disclaimer. OKX Web3 Mobile Wallet and its derivative services are subject to separate Terms of Service. Please be responsible for understanding and complying with relevant local applicable laws and regulations.