The world of Web3 and cryptocurrency is constantly evolving, and with that evolution comes new and sophisticated threats to the community. One such threat is the proliferation of fake wallets, which are designed to trick users into giving away their valuable assets. These fake wallets are a consistent problem for the Web3 community, and it takes a dedicated effort to identify and expose them.
CertiK has recently identified an organized scammer group that is actively deploying fake wallets in order to fool users. This group, which we have named BombFlower, stands out because of a particular evasive anti-forensic technique it uses. Because of this technique, its fake wallet mobile apps are largely missed by popular mobile malware detectors.
In this article, we will present a brief overview of the behavior of this group and the steps that CertiK has taken to identify and expose them. We hope the article can provide valuable insights for the Web3 community to help them stay safe and secure in the face of these threats.
As part of our research, we have been tracking the instances of fake wallets deployed by the BombFlower group. BombFlower deployed its fake wallets as early as October 2021 and remains active in early 2023. The figure below illustrates the fake wallet hosting timeline of this campaign, including the specific wallets that have been spoofed.
Figure 1. Timeline of wallets spoofed by the BombFlower campaign
The BombFlower group employs deceptive tactics to trick users into downloading their fake wallets. They typically host these fake wallets on sites that are designed to closely resemble legitimate ones. As seen in the figures below, using Trust Wallet as an example, these phishing sites use similar designs and layouts to the original ones, with only slight variations in the domain name. This makes it difficult for users to distinguish between the fake and legitimate sites.
Figure 2. BombFlower's phishing websites look very similar to official websites
Fake wallets have been a persistent threat in the Web3 community. Typically, these fake wallets include backdoors that hook into the mnemonic phrase generation function, injecting malicious code directly into the wallet's JavaScript bundle (e.g. index.android.bundle) or into the smali code. Previous research on the SeaFlower group has provided substantial details on this type of backdoor.
The BombFlower backdoor, however, is different from previous fake wallet malware. Its distinct feature is that it includes another app binary inside the trojaned binary. The "real" fake wallet is actually hidden inside the BombFlower app. As shown in the figure below, the first abnormal behavior of the BombFlower malware is to extract a binary (in this case "bitkeep.apk") from its internal memory and then install this trojaned APK in a virtual client environment within the BombFlower app.
Figure 3. Extracting and launching “bitkeep.apk” inside the BombFlower app
Users who mistakenly download and install the BombFlower app are actually interacting with this internal trojaned app, and their private keys or mnemonic phrases are then stolen from the device's memory.
Figure 4. The backdoor extracts the secret
The figures below show how the key material is copied from internal memory and sent to a server controlled by the attacker, as captured in the network traffic.
Figure 5. User's mnemonic phrase is uploaded to the backdoored app's server
This is just a brief summary of some of the unique backdoor behavior of the BombFlower fake wallet. During our study, we have found multiple sophisticated abnormal behaviors in these trojanized mobile apps. In this article, we will only cover the outstanding features that capture the main behavior of this family. We will have a follow-up article that will disclose the other abnormal behaviors of this fake wallet malware family.
The BombFlower group is notable for its use of a unique anti-forensic technique known as a "ZipBomb." This technique is used to evade detection and analysis by researchers. In certain samples deployed by the group, the fake wallet binary contains a hidden zip bomb. When automated analysis tools are run on these fake wallets, the zip bomb is triggered, causing the decompiler to generate a huge number of files. This makes further analysis particularly challenging unless special measures are taken during the analysis process. The figure below shows the garbage files generated when a BombFlower sample is unzipped.
Figure 6. ZipBomb
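As an added example (not code from the original article or from CertiK), the pre-extraction check below reads only a zip's central directory and flags the bomb signatures described above, an unusually large entry count and extreme compression ratios, before anything is unpacked; it also lists embedded archives such as the inner "bitkeep.apk" mentioned earlier so that they can be triaged separately. The thresholds and the in-memory sample archives are constructed assumptions for this example.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Thresholds are assumptions chosen for this example, not values from the article.
MAX_ENTRIES = 5_000                          # far more files than a normal APK carries
MAX_TOTAL_UNCOMPRESSED = 500 * 1024 * 1024   # 500 MiB of declared output
MAX_RATIO = 100.0                            # uncompressed/compressed per entry

@dataclass
class ZipTriage:
    entries: int
    total_uncompressed: int
    worst_ratio: float
    nested_archives: list = field(default_factory=list)
    suspicious: bool = False

def triage_zip(data: bytes) -> ZipTriage:
    """Read only the central directory (no extraction) and flag bomb-like archives."""
    total, worst, nested = 0, 0.0, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        for info in infos:
            total += info.file_size                      # declared uncompressed size
            if info.compress_size > 0:
                worst = max(worst, info.file_size / info.compress_size)
            # An archive inside the archive (like the inner "bitkeep.apk") deserves its own triage.
            if info.filename.lower().endswith((".apk", ".zip", ".jar")):
                nested.append(info.filename)
    suspicious = (len(infos) > MAX_ENTRIES
                  or total > MAX_TOTAL_UNCOMPRESSED
                  or worst > MAX_RATIO)
    return ZipTriage(len(infos), total, worst, nested, suspicious)

def build_sample(bomb: bool) -> bytes:
    """Constructed in-memory APK-like archive; with bomb=True it adds one highly compressible entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", bytes(range(256)) * 4)             # poorly compressible filler
        zf.writestr("assets/bitkeep.apk", b"PK\x05\x06" + bytes(18))  # empty inner zip stub
        if bomb:
            zf.writestr("assets/junk.bin", bytes(16 * 1024 * 1024))  # 16 MiB of zeros, ~16 KiB deflated
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("bomb", build_sample(True))):
        print(label, triage_zip(blob))
```

Because the check sums the sizes declared in the central directory rather than decompressing, it stays cheap even when the archive would expand to gigabytes.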
As a result of such evasive techniques, samples from the BombFlower group tend to evade many popular virus scanners. This is reflected in the zero or low detection rate shown on VirusTotal. The evasion is also visible in the package information VirusTotal extracts: when a BombFlower Android sample is uploaded directly, no package information is presented, whereas uploading the internal trojan app yields much richer information. This contrast is illustrated in the following figures.
Figure 7. No red flags are raised by a malware analysis platform
Figure 8. Regular APK analysis result shown for the trojan
This technique is not only unique, but also quite evasive, making it difficult for researchers to track the group's activities. The group's use of this technique is one of the reasons that CertiK has named them BombFlower, following a similar naming convention as another group of fake wallet attackers known as SeaFlower. We single these attackers out as a warning to the web3 community to be extra vigilant when dealing with potential fake wallets, and to be aware of the advanced techniques that malicious actors may use to evade detection.
The BombFlower group is known to use a variety of cloud providers in its fake wallet campaign. According to CertiK's observations, the group appears to use different providers for hosting and backend servers (located in Hong Kong and the UK). This allows them to diversify their infrastructure and makes it more difficult for researchers to track their activities. Despite this, CertiK has been able to link the group's different cloud providers together by identifying commonly shared domains and registration histories. The figure below illustrates how CertiK was able to connect these disparate pieces of information and uncover the group's infrastructure.
Figure 9. Visualization of BombFlower’s hosting and backend infrastructure
We also linked these fake wallet samples to a single BombFlower group by identifying multiple features shared across the campaign. These common features include shared domain and hosting infrastructure (as shown in the graph above), the adoption of a relatively unique evasive technique (e.g. ZipBomb), and the use of similar hooking technology in the backdoor (the ddhooker Java package).
Fake wallet attackers often employ search engine optimization (SEO) tactics to manipulate search engine results and make their fake sites appear at the top of users' search results. One common tactic is purchasing common wallet-related keywords to increase the visibility of their fake site. The goal is to make it more likely for users to click on their fake site.
CertiK has observed this tactic being used by the BombFlower group and has provided examples in the figures below. This tactic is not unique to BombFlower, but is a common method used by fake wallet attackers to trick unsuspecting users.
Figure 10. Malicious SEO results on Google
It is important for the Web3 community to be aware of these tactics and to be vigilant when searching for wallets online. We recommend using official websites and checking the authenticity of a website before downloading or using any wallet. Users should check the wallet's reputation and reviews before downloading or using it, and be cautious of any website that appears at the top of search engine results, as those results may have been manipulated by fake wallet attackers.
In this blog, CertiK has identified an organized criminal group known as BombFlower that is actively deploying fake wallets to fool users. The group stands out due to their use of evasive anti-forensic techniques that make it difficult for researchers to track their activities and for malware detectors to identify their fake wallets. The article covers the timeline and backdoor techniques used by this group, and highlights that this group continues to evolve their tactics. Additionally, CertiK has found evasive backdoor behaviors from this family of fake wallets and will continue to monitor and track scammers and attackers. The article aims to provide valuable insights for the Web3 community in the face of these threats, and readers are encouraged to stay tuned for future security studies from CertiK.