CherryBlos: New Android malware utilizes OCR to steal sensitive data


In a recent development, cybersecurity researchers at Trend Micro have discovered a new Android malware strain dubbed “CherryBlos” that employs sophisticated optical character recognition (OCR) techniques to pilfer sensitive data stored in images. The malware is distributed through deceptive posts on social media platforms and is equipped with capabilities to steal cryptocurrency wallet-related credentials, along with acting as a clipper to replace wallet addresses when a predefined format is detected on the clipboard.

Once CherryBlos finds its way onto a victim’s device, it prompts the user for access to various features and uses that access to grant itself additional permissions as needed. To resist removal, if a user attempts to uninstall the malicious app via the Settings app, they are redirected back to the home screen.

To carry out its nefarious activities, CherryBlos displays counterfeit overlays on legitimate cryptocurrency wallet apps, allowing it to harvest users’ credentials and execute fraudulent fund transfers to an address controlled by the attacker. Furthermore, the malware utilizes OCR technology to recognize mnemonic phrases from images and photos stored on the infected device, with the extracted data being periodically uploaded to a remote server.

The success of this cyber campaign heavily relies on users’ habits of capturing screenshots of their wallet recovery phrases, unwittingly providing the malware with the data it seeks.
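The clipper behaviour described above (a wallet address is silently swapped when a recognised address format is found on the clipboard) can be checked for from the defender's side by comparing what was copied with what actually arrives at paste time. The following is an added example, not Trend Micro's code or CherryBlos's own logic; the address-format patterns and the sample clipboard events are constructed assumptions, since the page does not say which formats the malware looks for.

```python
import re
from dataclasses import dataclass

# Constructed patterns for common wallet-address formats. Assumption: these are
# the kinds of formats a clipper would target; the article does not list them.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the name of the wallet-address format `text` matches, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class ClipboardEvent:
    copied: str  # text the user copied, e.g. from their own wallet app
    pasted: str  # text that landed in the destination field at paste time


def detect_clipper(event):
    """Flag the signature of a clipper: a wallet address leaves the clipboard
    as a different address. Returns a verdict dict for logging or alerting."""
    copied_kind = classify_address(event.copied)
    pasted_kind = classify_address(event.pasted)
    if copied_kind is None:
        return {"suspicious": False, "reason": "copied text is not a wallet address"}
    if event.copied.strip() == event.pasted.strip():
        return {"suspicious": False, "reason": "clipboard content unchanged"}
    if pasted_kind is not None:
        return {
            "suspicious": True,
            "reason": f"{copied_kind} address replaced by a different {pasted_kind} address",
        }
    return {"suspicious": True, "reason": "wallet address altered while on the clipboard"}


# Constructed sample events (not real addresses or captured data).
SAMPLE_EVENTS = [
    # Benign: what was copied is what was pasted.
    ClipboardEvent("0x" + "ab12" * 10, "0x" + "ab12" * 10),
    # Clipper-style swap: one ETH address out, a different ETH address in.
    ClipboardEvent("0x" + "ab12" * 10, "0x" + "cd34" * 10),
    # Benign: ordinary text, no wallet address involved.
    ClipboardEvent("meeting at 10am", "meeting at 10am"),
]


def run_samples():
    """Evaluate every constructed event and return the list of verdicts."""
    return [detect_clipper(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{event.copied[:14]}... -> {event.pasted[:14]}...: {verdict}")
```

On a real device the two strings would come from a copy hook and a paste hook in the wallet app; the point of the check is that a user who verifies only the first and last few characters can still be fooled, whereas a full string comparison cannot.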

Surprisingly, Trend Micro also found a seemingly legitimate app named “Synthnet” developed by the CherryBlos threat actors on the Google Play Store, although it did not contain the malware. Nevertheless, Google has since taken down the app as a precautionary measure.

This new threat group appears to have connections with another operation involving 31 fraudulent money-earning apps, collectively known as “FakeTrade,” which were hosted on the official app marketplace. Both campaigns share similarities in their use of shared network infrastructure and app certificates.

Most of these malicious apps were uploaded to the Play Store in 2021 and primarily targeted Android users in countries such as Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico.

Adding to the growing concerns over Android malware, cybersecurity company McAfee has reported on an SMS phishing campaign targeting Japanese Android users in June 2023. The campaign impersonated a power and water infrastructure company and infected devices with a malware called SpyNote. Once activated, the malware disabled battery optimization and granted itself permission to install apps from unknown sources, allowing it to install additional malware without the user’s knowledge.

As the cyber threat landscape keeps evolving, malware authors continue to explore new tactics to lure victims and steal sensitive data. While Google has taken steps to combat the misuse of accessibility APIs by rogue Android apps, threats like CherryBlos and SpyNote highlight the need for users to remain vigilant when downloading apps from unverified sources. Verifying developer information and scrutinizing app reviews can significantly reduce the risk.

As a response to the growing concern over bogus developer accounts on the Play Store, Google has announced that starting August 31, 2023, all new developer accounts registering as organizations will be required to provide a valid D-U-N-S number assigned by Dun & Bradstreet. This measure aims to build user trust and curtail the distribution of malware through deceptive accounts.

In conclusion, the discovery of CherryBlos reinforces the importance of staying cautious and informed in the face of ever-evolving cyber threats, underscoring the significance of user vigilance, secure app downloads, and timely security updates to safeguard personal privacy and data.
