Security researchers have warned of two related malware campaigns, dubbed CherryBlos and FakeTrade, targeting Android users for cryptocurrency theft and other financially motivated scams.
The operators are distributing malware via fake Android apps on Google Play, social media platforms, and phishing sites. The campaigns spread across several regions, including Malaysia, Vietnam, the Philippines, Indonesia, Uganda, and Mexico.
CherryBlos can use optical character recognition (OCR) to read any cryptocurrency wallet mnemonic phrases that might be present in pictures stored on a compromised device and send that data to its C2 server.
The CherryBlos malware is engineered to steal cryptocurrency wallet-related credentials and to replace a victim’s wallet address when they make withdrawals. Researchers have observed the malware operator using Telegram, TikTok, and Twitter to display ads promoting fake Android apps containing the malware. The ads typically pointed to phishing sites that hosted the fake apps.
Like other Android banking Trojans, CherryBlos requires Android's accessibility permissions in order to work. These permissions are intended to make Android apps more usable for users with disabilities, and allow an app to read screen content out loud, automate repetitive tasks, and offer alternate ways to interact with the device such as gestures.
Once installed on a device, CherryBlos retrieves two configuration files from its C2. It also uses multiple methods for persistence and to evade anti-malware controls. The malware’s persistence mechanisms include automatically approving various permission requests and sending the user back to the home screen when they attempt to access the app’s settings.
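The combination the write-up describes (an accessibility service, access to stored images for OCR, and a network channel to a C2) is visible in an app's manifest before the app is ever run. The script below is an added example, not Trend Micro's tooling or anything from the campaign itself: it parses a constructed AndroidManifest.xml (the package name and service name are invented) and flags an app for review when all three capabilities are declared together, rather than on any single permission, since image and network access on their own are common in legitimate apps.

```python
"""
Triage an Android manifest for the capability pattern described above:
accessibility service + stored-image access + network access.
Added example; the sample manifests are constructed, not from real apps.
"""
import xml.etree.ElementTree as ET

# ElementTree exposes namespaced attributes in Clark notation.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
INTERNET = "android.permission.INTERNET"
# Permissions that grant read access to photos on the device.
IMAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

# Constructed manifest (hypothetical package) showing the flagged pattern.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.suspect">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <application android:label="Constructed App">
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary app: image and network access, no
# accessibility service. This should not be flagged.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.gallery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <application android:label="Constructed Gallery"/>
</manifest>
"""


def declared_permissions(root):
    """Set of permission names declared with <uses-permission>."""
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def has_accessibility_service(root):
    """True if any <service> binds as an accessibility service."""
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            return True
        for action in svc.iter("action"):
            if action.get(ANDROID_NS + "name") == ACCESSIBILITY_ACTION:
                return True
    return False


def triage_manifest(xml_text):
    """Return the package name, the individual findings, and a review verdict.

    The verdict requires all three capabilities together; each one alone is
    routine and would produce far too many false positives.
    """
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root)
    a11y = has_accessibility_service(root)
    images = bool(perms & IMAGE_PERMS)
    network = INTERNET in perms

    findings = []
    if a11y:
        findings.append("declares an accessibility service")
    if images:
        findings.append("can read stored images")
    if network:
        findings.append("has network access")

    return {
        "package": root.get("package"),
        "findings": findings,
        "review": a11y and images and network,
    }


if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(text)
        verdict = "REVIEW" if result["review"] else "ok"
        print(f"{result['package']}: {verdict} ({'; '.join(result['findings'])})")
```

The script reads a decoded manifest; real APKs ship the manifest in binary XML, so in practice you would run it over the output of a decoder such as apktool. It is a triage filter, not a detection verdict: an app that is flagged deserves a closer look at what its accessibility service actually does.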
At least four fake Android apps containing CherryBlos have been discovered: GPTalk, Happy Miner, Robot99, and SynthNet.
With respect to the FakeTrade campaign, the threat actor has so far used at least 31 fake Android apps to distribute the malware. Many of these fake apps have featured shopping-related themes and have claimed users could earn money by completing certain tasks or by purchasing additional credit in the application. Often, when users fell for the lure and topped up their accounts, they were later unable to withdraw the funds.
Many of the apps in the FakeTrade campaign were available on Google Play in 2021 and for the first three quarters of 2022. Google has since removed all of the offending apps.
FakeTrade and CherryBlos continue to present a significant threat to Android users: the threat actor behind these campaigns employed advanced techniques to evade detection, such as software packing, obfuscation, and abusing Android's Accessibility Service.
To defend against such mobile threats, users should adopt these best practices:
- Only download apps from trusted sources and reputable developers. Check app ratings and reviews before installing and be cautious of apps with many negative reviews or reports of scams.
- Apply the latest security patches and operating system updates for devices, as these often contain fixes for known vulnerabilities.
- Install and maintain a reputable mobile security solution to detect and block malware and other threats.
- Be cautious when granting permissions to apps, especially those requesting access to sensitive information or system settings.
- Avoid clicking on suspicious links or downloading attachments from unknown sources, as these could lead to malware infections or phishing attempts.
This research was documented by researchers from Trend Micro.
Indicators of Compromise