CherryBlos Malware Uses OCR to Pluck Android Users Cryptocurrency

Published: 23/11/2024   Category: security




The malware, along with a sister strain dubbed FakeTrade, was found lurking in Google Play.



Researchers this week warned of two related malware campaigns, dubbed CherryBlos and FakeTrade, targeting Android users for cryptocurrency theft and other financially motivated scams. The operators of the campaign are distributing the malware via fake Android apps on Google Play, social media platforms, and phishing sites.
In a report this week, Trend Micro said its researchers had discovered the two malware strains recently and had observed the malware using the same network infrastructure and application certificates. This points to the same threat actor being behind both campaigns, the researchers noted.
One somewhat unusual, and dangerous, feature of CherryBlos is its ability to use optical character recognition (OCR) to read any mnemonic phrases present in pictures stored on a compromised device, and to send that data to its command-and-control (C2) server. In the context of cryptocurrency, a mnemonic (seed) phrase is the list of words a person uses to recover or restore a wallet; anyone who obtains it controls the wallet's funds, so a screenshot of a backup phrase is as good as the private key.
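The step that makes the OCR feature work is not the OCR engine itself but the filter that runs over its output: picking out a run of words that is a real seed phrase rather than ordinary text. The following is an added example in Python (not Trend Micro's code and not the malware's own logic) of that post-OCR filtering step, written from the defender's side so it can be run over one's own screenshot text. It assumes the text has already come out of an OCR engine, and it embeds only the three entries of the 2048-word English BIP39 list (word and index) that its constructed sample input needs; a real scan would load the full list. The checksum test is the standard BIP39 rule: each word is 11 bits, and the last len/3 bits must equal the leading bits of SHA-256 over the entropy bytes.

```python
"""Candidate BIP39 seed-phrase detector for OCR output (added example)."""
import hashlib
import re

# Assumption: in real use this is the full 2048-word English BIP39 list
# mapped word -> index. Only the three words needed by the constructed
# samples below are embedded so the example runs offline.
BIP39_INDEX = {"abandon": 0, "about": 3, "art": 102}

VALID_LENGTHS = (12, 15, 18, 21, 24)


def bip39_checksum_ok(words):
    """True if `words` is a mnemonic whose BIP39 checksum verifies.

    Each word contributes 11 bits. The trailing len(words)//3 bits are a
    checksum equal to the leading bits of SHA-256(entropy bytes).
    """
    if len(words) not in VALID_LENGTHS:
        return False
    try:
        bits = "".join(format(BIP39_INDEX[w], "011b") for w in words)
    except KeyError:                       # a word outside the list
        return False
    cs_len = len(words) // 3               # 4 bits for 12 words, 8 for 24
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return cs_bits == expected


def find_mnemonics(ocr_text):
    """Scan noisy OCR text and return each checksum-valid phrase found.

    The text is lower-cased and split on anything that is not a letter,
    so numbering such as '1.' and line breaks in a screenshot are ignored.
    Longer phrase lengths are tried first so a 24-word phrase is not also
    reported as a shorter sub-phrase.
    """
    tokens = [t for t in re.split(r"[^a-z]+", ocr_text.lower()) if t]
    hits = []
    for n in sorted(VALID_LENGTHS, reverse=True):
        for i in range(len(tokens) - n + 1):
            window = tokens[i:i + n]
            if all(w in BIP39_INDEX for w in window) and bip39_checksum_ok(window):
                phrase = " ".join(window)
                if not any(phrase in h for h in hits):
                    hits.append(phrase)
    return hits


# Constructed sample: what OCR might return for a numbered backup screenshot.
SAMPLE_OCR = """
Backup - do not share!
1. abandon 2. abandon 3. abandon 4. abandon
5. abandon 6. abandon 7. abandon 8. abandon
9. abandon 10. abandon 11. abandon 12. about
"""

if __name__ == "__main__":
    for phrase in find_mnemonics(SAMPLE_OCR):
        print("seed phrase found:", phrase)
```

The same filter rejects twelve repetitions of "abandon", which are all dictionary words but fail the checksum, and accepts the 24-word all-zero-entropy phrase ending in "art". That is the property worth knowing on both sides: a scanner keyed on the wordlist alone would drown in false positives, while one that checks the checksum can run over a whole photo library with almost none.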
"From the language used by these samples, we determined that the threat actor doesn't have a specific targeted region, but targets victims across the globe, replacing resource strings and uploading these apps to different Google Play regions," Trend Micro said. "These regions include Malaysia, Vietnam, the Philippines, Indonesia, Uganda, and Mexico," the security vendor said.
The CherryBlos malware is engineered to steal cryptocurrency wallet credentials and to replace a victim's wallet address when they make withdrawals, so that the funds go to an address the attacker controls. Trend Micro said it had observed the malware operator using Telegram, TikTok, and X (the platform formerly known as Twitter) to display ads promoting fake Android apps containing the malware. The ads typically pointed to phishing sites that hosted the fake apps. Trend Micro said it had identified at least four fake Android apps containing CherryBlos: GPTalk, Happy Miner, Robot99, and SynthNet.
CherryBlos is similar to other Android banking Trojans in that it requires Android's accessibility service in order to work. Accessibility services exist to make Android apps more usable for people with disabilities: they can read screen content aloud, automate repetitive tasks, and offer alternate ways to interact with the device, such as gestures. Unlike a normal runtime permission, the capability is granted by the user in the system Settings, and an app that holds it can read and act on the screens of other apps, which is exactly what banking Trojans abuse. With CherryBlos, when a user opens the app, it displays a popup prompting the user to enable accessibility permissions, Trend Micro said.
Once installed on a device, CherryBlos retrieves two configuration files from its C2 server. It also uses multiple methods to persist and to evade anti-malware controls. The malware's persistence mechanisms include automatically approving various permission requests and sending the user back to the home screen whenever they attempt to access the app's settings.
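Because the accessibility service is the lever for both the initial abuse and the persistence tricks described above, the quickest triage question on a suspect device is which packages currently hold it, and where each of those packages came from. The following is an added example in Python (not from the Trend Micro report and not part of any real tool) that answers that question from two `adb` outputs: `adb shell settings get secure enabled_accessibility_services`, which prints the enabled services as colon-separated `package/class` component names (or the literal `null`), and `adb shell pm list packages -i`, which prints one `package:<name>  installer=<installer>` line per package. Both input strings in the block are constructed sample output, the `com.example.synthnet` package name is hypothetical, and the allowlist is an assumption to be tuned to the device's real assistive-technology apps.

```python
"""Device triage: which packages hold Android's accessibility service? (added example)"""

# Constructed sample output of
#   adb shell settings get secure enabled_accessibility_services
# Android stores enabled services as colon-separated flattened component
# names, `package/class`; the class may be abbreviated to `.Class` when
# it lives inside the package, and the command prints `null` when nothing
# is enabled. The second entry is a hypothetical sideloaded app.
ACCESSIBILITY_RAW = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.synthnet/.SyncService"
)

# Constructed sample output of `adb shell pm list packages -i`.
PM_RAW = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.synthnet  installer=null
package:com.example.shop  installer=com.android.vending
"""

# Hypothetical allowlist: services the device owner knowingly enabled.
KNOWN_GOOD = {"com.google.android.marvin.talkback"}   # TalkBack screen reader


def parse_enabled_services(raw):
    """Return [(package, fully qualified service class), ...]."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):            # expand the abbreviated form
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw):
    """Map package name -> installer package ('null' when sideloaded)."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        name, _, installer = body.partition("installer=")
        installers[name.strip()] = installer.strip() or "null"
    return installers


def flag_accessibility_holders(accessibility_raw, pm_raw, allowlist=KNOWN_GOOD):
    """Every enabled accessibility service outside the allowlist, annotated
    with how its package was installed.

    A sideloaded package (installer null) holding accessibility is the
    strongest signal, but a Play-installed one is not exonerated: the
    CherryBlos and FakeTrade apps were on Google Play too.
    """
    installers = parse_installers(pm_raw)
    findings = []
    for pkg, cls in parse_enabled_services(accessibility_raw):
        if pkg in allowlist:
            continue
        findings.append({
            "package": pkg,
            "service": cls,
            "installer": installers.get(pkg, "unknown"),
        })
    return findings


if __name__ == "__main__":
    for f in flag_accessibility_holders(ACCESSIBILITY_RAW, PM_RAW):
        print(f"suspicious accessibility service: {f['service']} "
              f"(installer={f['installer']})")
```

On a live device, capture the two command outputs with `adb` and pass them in place of the constructed strings. Note that the home-screen redirect described above may also interfere with opening the app's settings page on the device itself, which is one reason to do this check over `adb` rather than through the UI.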
For the FakeTrade campaign, which uses similar techniques, the threat actor has so far used at least 31 fake Android apps to distribute the malware. Many of these fake apps have shopping-related themes and claim that users can earn money by completing certain tasks or by purchasing additional credit in the application. Often, after users fell for the lure and topped up their accounts, they found they were unable to withdraw the money later.
Many of the apps in the FakeTrade campaign were available on Google Play in 2021 and through the first three quarters of 2022. Google has since removed all of the offending apps, Trend Micro said. Even so, FakeTrade and CherryBlos continue to present a significant threat to Android users: "The threat actor behind these campaigns employed advanced techniques to evade detection, such as software packing, obfuscation, and abusing Android's Accessibility Service," according to the report.
