When people hear the word phishing, the first thing that comes to mind is often emails or websites. A challenge we have in the crypto space is that attackers constantly find new methods for stealing funds from users. Last week, we discovered a large scale coordinated attack against a number of high profile DEXs. This post dives into our technical analysis, and how we managed to tie the different attacks together.

Diving In

The IDEX team recently released a tweet about a fake IDEX app on the Google Play store. The app was impersonating the IDEX brand in an attempt to trick users into downloading and installing it, and then phishing the user’s credentials in order to steal their funds.

Below we shed some light on the inner workings of this mobile app and how, through reverse engineering the app, we discovered a large scale coordinated attack launched by what appears to be a single adversary.

Breaking Down the App

The malicious Google Play store app was disguised as an IDEX mobile application, using the IDEX logo, their name in several places, as well as screenshots of the mobile version of their website.

After downloading and decompiling the app, we found that it was using Cordova — a mobile app development framework that allows developers to write mobile apps in HTML and JavaScript. This meant that the app could load the mobile version of the IDEX website in a WebView, which resulted in a low cost attack that could easily be used to target other exchanges or wallets with a mobile-compatible website.

Searching for references to IDEX further confirmed this point, as hardly any were made in the codebase itself.

This indicated that most of the logic was being loaded dynamically, rather than from local files inside of the app. As a result, the natural next step was to intercept the comms of the app, to better understand what was happening behind the scenes.

When opening the app, the user was presented with the familiar login screen of IDEX, where the user had to choose how they wanted to log in.

The standard authentication flow then followed, requesting the private data from the user.

After clicking “Unlock”, the data was sent to softwareapi[.]tk over a cleartext channel, exposing the sensitive user data not only to the attacker, but any other middlemen along the way.

At that stage, the user was authenticated and could use the app as usual, and the attacker would have all the information necessary in order to steal the user’s funds.

Wait, Why All This Code?

Interestingly, while the IDEX app logic was implemented through WebViews loading remote content, there was still some custom HTML and JavaScript code within the application. Opening index.html revealed the name of another popular DEX in the space, EtherFlyer.

Checking for other references of the name revealed that it was present in a number of places.

However, this functionality was not being shown to the user at any stage, so we took to Google, and lo and behold:

By the time we came across this article, the malicious EtherFlyer app was no longer available on the App Store, so we could not confirm whether the same codebase was being used to target both of the exchanges. However, it certainly would seem to be the case based on the evidence collected.

The Plot Thickens

While we were performing this analysis, a member of the community reported another phishing app targeting Binance DEX to us.

Now, those with a keen eye would have noticed that there are a few similarities between the Binance app listing and the IDEX app one. Both of the apps use a title format of “ For Android” and the developer is “ Dev INC”. They also both had the same naming structure, “com..bridge”. This instantly caught our attention.

After downloading and decompiling the app, something quite interesting popped up.

That’s right folks. That’s the correct screenshot. The Binance app had remnants of an IDEX phish. Looking into the behaviour of the Binance app, the same process as the IDEX app was followed, only this time the data was posted to dexapi[.]tk. When logging in, the /Api.php endpoint was called (much the same as the IDEX app), and the data parameter decoded into the mnemonic phrase and password used to log in to the app.

The three apps were clearly launched by the same initiative, and the commonality between them was the fact that the target in all the cases were DEXs. This campaign will most likely continue on to target other DEXs, as the cost to duplicate the attack is relatively low to the attacker.

Key Takeaways

• Phishing isn’t limited to websites or emails.
• Mobile phishing apps will most likely gain popularity with attackers, as they realize that attacks require minimal resources and ability to execute.
• Decentralized exchanges are high-value targets for attackers. Not your keys, not your crypto means that when users are responsible for their own keys, they’re also responsible for protecting their funds and need to be especially vigilant.
• Adversaries conduct well coordinated attacks against multiple targets simultaneously.
• Crypto companies should ensure that they have an appropriate detection and response strategy in place for protecting their users from mobile phishing apps.