Dangerous currency circle – revealing a virtual currency airdrop scam (001)

Original link: https://www.liesauer.net/blog/post/766.html

Please strictly abide by domestic policies and laws related to virtual currency, and do not do anything that violates laws and regulations!!!

## Spreading the word

The scammers first publish the airdrop scam announcement for several days on the media and information platforms the public mainly follows, then direct people to QQ groups and similar places, where the scam proper begins.

![Screenshot_2023-04-16-10-55-44-01_e39d2c7de19156b0683cd93e8735f348.jpg](https://ift.tt/9Tocl3J)

## Evading moderation

The scammers are extremely cautious about what they post in the QQ group: every message is sent as an image, so that no keyword can trigger a ban.

![Screenshot_2023-04-16-10-56-29-70_cb819d8fa60af39fdbc84f6c72b4cf1c.jpg](https://ift.tt/lDsUdPw)

When a victim takes the initiative to ask about the airdrop, the scammers direct them to download yet another, less regulated chat app; such software is very likely to contain malicious code that steals users' private data, bank cards, wallets and other assets.

![-4e1155874f22cbe5.png](https://ift.tt/fWqEQbU)

![Screenshot_2023-04-16-10-56-36-54_cb819d8fa60af39fdbc84f6c72b4cf1c.jpg](https://ift.tt/5xsA3j7)

The interface of the so-called Leyan chat app closely resembles WeChat.

![20230416112734.png](https://ift.tt/9TcUvZL)

Reverse analysis of this chat app also turned up many clues. The blogger is not familiar with reverse engineering or Android code, so he only analyzed the APP roughly and did not reverse the code itself.

1. The APK signing certificate was issued on March 16, 2023, which matches the time the scam started; the certificate is self-signed, not a valid certificate issued by a recognized CA.

2. The app contains many file paths of Android lock-screen password stores, spanning multiple Android versions, along with strings for collecting basic phone information and sensitive strings related to root/jailbreak detection and privilege escalation.

3. There is more than one code path for dynamically delivering and executing code.

From this it can basically be concluded that this is a chat app only on the surface; behind the scenes it is outright malware.
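The three indicator classes above (lock-screen password file paths, root/privilege-escalation probing strings, dynamic code loading) can be triaged mechanically with a string scan over every member of the APK archive. The following is an added example for that triage, not code from the original post; the path and class names are real Android/Java identifiers, the grouping and the constructed sample archive are this example's own, and the certificate check from point 1 is left to `keytool -printcert -jarfile app.apk`.

```python
"""Heuristic string triage of an APK for the indicator classes listed above."""
import io
import re
import zipfile

# Indicator classes in the order the post lists them. The identifiers are
# real Android/Java names; the grouping is this example's own assumption.
INDICATORS = {
    "lockscreen_paths": [
        rb"/data/system/gesture\.key",        # pattern lock (older Android)
        rb"/data/system/password\.key",       # PIN/password hash (older Android)
        rb"/data/system/locksettings\.db",    # lock settings database
    ],
    "root_probing": [rb"/system/xbin/su", rb"/system/bin/su", rb"test-keys"],
    "dynamic_loading": [
        rb"dalvik/system/DexClassLoader",
        rb"dalvik/system/PathClassLoader",
        rb"dalvik/system/InMemoryDexClassLoader",
    ],
}


def scan_apk(apk_bytes: bytes) -> dict:
    """Return {indicator_class: sorted matched strings}, scanning every member
    of the archive (classes*.dex, assets and native libraries alike)."""
    hits = {name: set() for name in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for member in zf.namelist():
            data = zf.read(member)
            for name, patterns in INDICATORS.items():
                for pat in patterns:
                    for m in re.finditer(pat, data):
                        hits[name].add(m.group(0).decode())
    return {name: sorted(v) for name, v in hits.items()}


def is_suspicious(report: dict, min_classes: int = 2) -> bool:
    """A chat app has no business touching lock-screen stores or probing root;
    flag the sample when at least `min_classes` indicator classes have hits."""
    return sum(1 for v in report.values() if v) >= min_classes


def build_sample_apk() -> bytes:
    """Constructed stand-in archive, not the real sample from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"...Ldalvik/system/DexClassLoader;...")
        zf.writestr("classes2.dex", b"/data/system/gesture.key\x00/system/xbin/su\x00")
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()
```

On a real sample, pass the bytes of the APK file to `scan_apk` and treat a positive `is_suspicious` as a reason for deeper analysis, not as a verdict on its own.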

![APP snapshot 01.png](https://ift.tt/Q0omwqr)

![APP snapshot 02.png](https://ift.tt/CW2Hm3Z)

## Laying the bait

To gain trust, the scammers do not start cheating right away. Instead they hand out airdrops at set points in time, such as day 3, day 7 and day 15, so that the victims get a taste of the sweetness; each batch of airdrops is worth somewhere between a dozen and several dozen. A so-called "teacher" also starts a live stream every day to teach everyone how to trade coins and contracts. More importantly, if you actually follow the "teacher's" instructions, he asks you to "report with screenshots", and those screenshots inevitably reveal the state of your assets and funds. This is in fact an indirect sorting of the fish: are you a big fish, or a small fish only after the freebies?

## Closing the net

When the time is right, the scammers close the net in various forms. In this case the routine was a "real-name vote" for the "teachers": the so-called real-name voting account required registering on a website they provided and topping up 30U (about RMB 200), which they claimed would be refunded after the vote.

![Screenshot_2023-04-10-19-25-00-33_bf0b390311b52c286477fdb4e7fd4b7b.jpg](https://ift.tt/Mvb8V2i)

I also did a simple analysis of this website, and the quality of the website is also very fake.

The website supposedly required for the real-name vote was only registered the next day. Yes, they didn't even prepare in advance.

![Domain name registration time.png](https://ift.tt/8EdyX9z)

Snapshot of part of the website

![20230416120725.png](https://ift.tt/zAyJBqb)

When I analyzed the registration interface, I also found that the field for the verification code was labelled in English as the invitation code, and that sensitive fields such as passwords were transmitted in clear text, with no security at all.

![Site Snapshot 11.png](https://ift.tt/yBvLT4b)

![Site Snapshot 12.png](https://ift.tt/bsfJXje)

Just as I was hesitating over whether to pay 30U and keep following up (if you don't pay, the scammers have already separated you out, and it's basically impossible to stay afterwards), I also thought for a long time about whether they would close the net and run right at the first wave. I thought it over for a long time and still didn't make a decision. What I didn't expect was that two days later they really did close the net and run with the first wave! But the new scam is still going on, and this should be a new scam aimed at their high-quality fish.

![Screenshot_2023-04-16-10-14-45-91_bf0b390311b52c286477fdb4e7fd4b7b.jpg](https://ift.tt/8qiPcmx)

So far, the scam has come to an end. It lasted less than 25 days, and it is not clear how many people were cheated.

**The blogger did not suffer any property loss in this scam, nor did he carry out any contract trades.**

This article is reposted from: https://www.liesauer.net/blog/post/766.html
This site only collects it; the copyright belongs to the original author.