When people hear the word phishing, the first thing that comes to mind is often emails or websites. A challenge we have in the crypto space is that attackers constantly find new methods for stealing funds from users. Last week, we discovered a large scale coordinated attack against a number of high profile DEXs. This post dives into our technical analysis, and how we managed to tie the different attacks together.
The IDEX team recently released a tweet about a fake IDEX app on the Google Play store. The app was impersonating the IDEX brand in an attempt to trick users into downloading and installing it, and then phishing the user’s credentials in order to steal their funds.
Below we shed some light on the inner workings of this mobile app and how, through reverse engineering the app, we discovered a large scale coordinated attack launched by what appears to be a single adversary.
The malicious Google Play store app was disguised as an IDEX mobile application, using the IDEX logo, their name in several places, as well as screenshots of the mobile version of their website.
Searching for references to IDEX further confirmed this point, as hardly any were made in the codebase itself.
This indicated that most of the logic was being loaded dynamically, rather than from local files inside of the app. As a result, the natural next step was to intercept the comms of the app, to better understand what was happening behind the scenes.
When opening the app, the user was presented with the familiar login screen of IDEX, where the user had to choose how they wanted to log in.
The standard authentication flow then followed, requesting the private data from the user.
After clicking “Unlock”, the data was sent to softwareapi[.]tk over a cleartext channel, exposing the sensitive user data not only to the attacker, but any other middlemen along the way.
At that stage, the user was authenticated and could use the app as usual, and the attacker would have all the information necessary in order to steal the user’s funds.
Checking for other references of the name revealed that it was present in a number of places.
However, this functionality was not being shown to the user at any stage, so we took to Google, and lo and behold:
By the time we came across this article, the malicious EtherFlyer app was no longer available on the App Store, so we could not confirm whether the same codebase was being used to target both of the exchanges. However, it certainly would seem to be the case based on the evidence collected.
While we were performing this analysis, a member of the community reported another phishing app targeting Binance DEX to us.
Now, those with a keen eye would have noticed that there are a few similarities
between the Binance app listing and the IDEX app one. Both of the apps use a
title format of “
After downloading and decompiling the app, something quite interesting popped up.
That’s right folks. That’s the correct screenshot. The Binance app had remnants of an IDEX phish. Looking into the behaviour of the Binance app, the same process as the IDEX app was followed, only this time the data was posted to dexapi[.]tk. When logging in, the /Api.php endpoint was called (much the same as the IDEX app), and the data parameter decoded into the mnemonic phrase and password used to log in to the app.
The three apps were clearly launched by the same initiative, and the commonality between them was the fact that the target in all the cases were DEXs. This campaign will most likely continue on to target other DEXs, as the cost to duplicate the attack is relatively low to the attacker.
If you would like help detecting and responding to threats like these mobile phishing apps, get in touch with us to hear how we can help you!
Fighting phishing in the crypto space. Find us at phishfort.com and on Twitter @phishfort.