BOM malicious application steals users' wallets: over 13,000 people affected, with losses of $1.82 million.

BOM Malware Attack Incident Analysis

On February 14, 2025, multiple users reported that their wallet assets had been stolen. Investigation showed that every case exhibited the characteristics of a mnemonic phrase or private key leak, and that most of the affected users had installed and used an application called BOM. In-depth analysis showed that this application was a carefully disguised scam. The attackers used it to trick users into granting permissions, harvested mnemonic phrases and private keys through those permissions, and then systematically transferred and laundered the stolen assets.

OKX & SlowMist Joint Release|Bom malware sweeps tens of thousands of users, stealing assets over 1.82 million dollars

Malware Analysis

A security team collected the BOM application APK files from affected users' phones and analyzed them, reaching the following conclusions:

  1. Once the user enters the contract page, the malicious application tricks them into granting local file and photo album permissions under the pretext that it needs them in order to run.

  2. After the permissions are granted, the application scans the device's photo album in the background, collects the media files, packages them and uploads them to its server. If the user's files or album contain mnemonic phrases, private keys or related information, the attackers can use the collected material to steal the user's wallet assets.

The analysis process revealed the following suspicious points:

  • The application signature is non-standard; the signing subject is a random string.
  • A large number of sensitive permissions are declared in the AndroidManifest file.
  • The app is built with the cross-platform framework uni-app; the main logic lives in app-service.js.
  • Loading the contract page triggers an initialization report of device information.
  • The app tricks users into granting photo album permission under the pretext of normal operation.
  • Once the permission is granted, it reads, packages and uploads the photo album files.
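The two traits above that a triage analyst can check mechanically are the permission-heavy manifest and the uni-app bundle. The following is an added example (not code from the original analysis or from OKX/SlowMist) that parses a constructed AndroidManifest.xml, flags permissions that together allow media collection and upload, and checks an APK entry list for the uni-app layout; the permission mapping and the `assets/apps/__UNI__<id>/www/` path are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read user media or send it off-device.
# This mapping is an assumption of the example, not SlowMist's own list.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE": "read files on shared storage",
    "android.permission.READ_MEDIA_IMAGES": "read photo album (Android 13+)",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "read every file on the device",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.INTERNET": "network access (needed to upload)",
}
MEDIA_READ = {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.READ_MEDIA_IMAGES",
              "android.permission.MANAGE_EXTERNAL_STORAGE"}
# uni-app bundles keep their JS under assets/apps/__UNI__<id>/www/ (assumed
# layout); the analysis names app-service.js as the file with the main logic.
UNIAPP_MARKERS = ("apps/__UNI__", "app-service.js")

# Constructed manifest modelled on the traits described in the analysis.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakewallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""
# Constructed zip entry list standing in for `unzip -l sample.apk`.
SAMPLE_ENTRIES = ["AndroidManifest.xml", "classes.dex",
                  "assets/apps/__UNI__1A2B3C/www/app-service.js"]

def flag_sensitive_permissions(manifest_xml: str) -> Dict[str, str]:
    """Return the sensitive <uses-permission> names found, with a reason each."""
    found: Dict[str, str] = {}
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in SENSITIVE_PERMISSIONS:
            found[name] = SENSITIVE_PERMISSIONS[name]
    return found

def can_exfiltrate_media(flagged: Dict[str, str]) -> bool:
    """Media read plus network access is the combination the BOM app abused."""
    return "android.permission.INTERNET" in flagged and bool(MEDIA_READ & set(flagged))

def looks_like_uniapp(apk_entries: List[str]) -> bool:
    """True when the APK entry list shows a uni-app bundle (home of app-service.js)."""
    return any(m in entry for entry in apk_entries for m in UNIAPP_MARKERS)
```

On a real sample, feed `flag_sensitive_permissions` the manifest decoded by apktool or aapt (the binary manifest inside the APK is not plain XML) and `looks_like_uniapp` the APK's zip entry names.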


On-chain Fund Flow Analysis

According to on-chain tracking, the main theft address has received funds stolen from at least 13,000 users, for a profit of over $1.82 million.

The first transaction from this address appeared on February 12, 2025, and its initial funding traces back to an address labelled "stolen private key".

Fund flow by chain:

  • BSC: profit of about $37,000; tokens were frequently swapped for BNB on a certain DEX.
  • Ethereum: profit of approximately $280,000, most of it bridged in from other chains.
  • Polygon: profit of about $37,000 to $65,000; most tokens were swapped for POL on a certain DEX.
  • Arbitrum: profit of approximately $37,000; tokens were swapped for ETH and bridged to Ethereum.
  • Base: profit of about $12,000; tokens were swapped for ETH and bridged to Ethereum.

Another attacker address profited approximately $650,000 across multiple chains; all of the related USDT was bridged to TRON addresses. Some of those funds were then transferred to addresses that had previously interacted with a certain payment platform.


Comments
Ser_Liquidatedvip
· 07-02 06:12
Pay attention to safety when trading cryptocurrency. Be careful with cloud backup records.
SchrodingersPapervip
· 07-02 06:12
Sigh, I fell for it last year, and all my hard-earned money is gone...
GovernancePretendervip
· 07-02 06:11
Another sucker harvester.
DefiSecurityGuardvip
· 07-02 06:07
another textbook honeypot setup. scanning gallery perms = instant red flag smh. dyor folks.
NFTRegrettervip
· 07-02 06:03
You must have been clipped coupons again, watch your sheep closely.
StablecoinArbitrageurvip
· 07-02 06:01
hmm... statistically speaking 96.7% of wallet hacks = user error *adjusts glasses*
GasGuzzlervip
· 07-02 05:53
Another fool has been scammed.