OKX and SlowMist noted in a report that on February 14, 2025, multiple users reported unauthorized access to their wallet assets.
On-chain data analysis indicated that the incidents “exhibited characteristics of mnemonic phrase/private key leakage.”
Further follow-ups with affected users revealed “that most of them had previously installed and used an application called BOM.”
A deeper investigation uncovered that BOM was “actually a carefully disguised scam application.”
Malicious actors exploited this app to “deceive users into granting permissions, ultimately gaining access to their mnemonic phrases and private keys.”
This allowed them to systematically “transfer and conceal stolen assets.”
In response, the SlowMist AML team and the OKX Web3 Security team conducted an investigation into the tactics used by this malware, along with on-chain tracking and analysis, “aiming to provide security warnings and recommendations to help more users stay protected.”
Malware Analysis
With user consent, the OKX Web3 Security team “collected APK files of the BOM application from affected users’ devices for analysis.”
The key findings are as follows:
Upon accessing the contract page, the malicious app “deceives users into granting local file and album permissions under the pretense of necessary app functionality.”
Once granted access, the app “scans and collects media files from the device’s album in the background, then packages and uploads them to a remote server.”
If a user’s files or album contain mnemonic phrases or private key information, attackers “may exploit the collected data to steal wallet assets.”
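The behaviour described above (album/file permission plus a network upload) can be screened for during APK triage. The following Python script is an added example, not code from the OKX or SlowMist report: it parses a decoded AndroidManifest.xml (for instance as produced by apktool) and flags apps that request media-read permissions together with INTERNET. The permission names are real Android permissions; treating them as the "album access" the report mentions, and the sample manifest itself, are this example's assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permissions that allow reading the photo album / local files.
# Mapping them to the report's "local file and album permissions" is an assumption.
MEDIA_READ_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
NETWORK_PERMISSION = "android.permission.INTERNET"


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {node.get(ANDROID_NS + "name", "") for node in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    """Flag the album-read plus network combination the BOM analysis describes."""
    perms = requested_permissions(manifest_xml)
    media = sorted(perms & MEDIA_READ_PERMISSIONS)
    network = NETWORK_PERMISSION in perms
    return {
        "media_read": media,
        "network": network,
        # An app that can read the album and reach the network is able to upload
        # screenshots of mnemonic phrases; that pairing deserves a manual review.
        "exfil_capable": bool(media) and network,
    }


# Constructed sample manifest (not the real BOM manifest) so the script runs offline.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A flag from this check is a triage signal only: many legitimate apps request both permissions, so the next step is confirming whether the app actually enumerates and uploads media in the background.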
Security Recommendations
To help users enhance their security awareness, the SlowMist AML team, in collaboration with the OKX Web3 security team, has compiled the following security recommendations:
- Avoid downloading software from unknown sources — This includes so-called “airdrop tools” and any software from unidentified issuers.
- Do not trust software download links recommended by friends or community members — Always verify and download from official sources.
- Download apps only from official and reputable platforms — Such as Google Play, the App Store, and other recognized app stores.
- Safeguard your mnemonic phrase properly — Avoid storing it using screenshots, photos, notepads, cloud storage, or similar methods. The OKX Wallet mobile app has already disabled screenshots for private key and mnemonic phrase pages.
- Use physical storage methods for mnemonic phrases — Such as writing them down on paper, storing them in a hardware wallet, or using segmented storage (splitting the mnemonic phrase/private key and storing the parts separately).
- Regularly change your wallet — If conditions allow, periodically switching wallets can help eliminate potential security risks.
- Utilize professional on-chain tracking tools — Platforms like MistTrack enable users to monitor and analyze funds, reducing the risk of scams and phishing attacks while enhancing asset security.
- Read the Blockchain Dark Forest Selfguard Handbook — Written by SlowMist founder Cos, this guide provides essential knowledge for protecting yourself in the blockchain space.