Two malware campaigns, CherryBlos and FakeTrade, are targeting Android users in an attempt to steal cryptocurrency and perpetrate financially motivated scams. Researchers from cybersecurity firm Trend Micro recently discovered these malware strains and found that they are being distributed through fake Android apps on Google Play, social media platforms, and phishing sites. The similarities between the network infrastructure and application certificates used by these malware families suggest that they are the work of the same threat actor.
One notable and dangerous feature of CherryBlos is its ability to utilize optical character recognition (OCR) to extract mnemonic phrases from pictures on compromised devices. These mnemonic phrases are often used in the context of cryptocurrency as a means to recover or restore a crypto wallet. By sending this data to its command-and-control server, CherryBlos can steal cryptocurrency wallet-related credentials and replace victims’ wallet addresses during withdrawals.
Trend Micro noted that the threat actor responsible for these campaigns does not target a specific region but instead focuses on victims globally. The malware has been found in various Google Play regions, including Malaysia, Vietnam, the Philippines, Indonesia, Uganda, and Mexico.
The CherryBlos campaign relies on platforms like Telegram, TikTok, and Twitter to promote fake Android apps containing the malware. These platforms display ads that direct users to phishing sites hosting the malicious apps. Trend Micro has identified four fake Android apps associated with CherryBlos: GPTalk, Happy Miner, Robot99, and SynthNet.
Similar to other Android banking Trojans, CherryBlos requires accessibility permissions to function properly. These permissions enable features that assist users with disabilities, such as reading screen content aloud and automating repetitive tasks. When a user opens the CherryBlos app, a popup appears, requesting the user to enable accessibility permissions.
Once installed on a device, CherryBlos retrieves configuration files from its command-and-control server and employs various techniques to persist and evade anti-malware controls. It automatically approves permission requests and redirects users to the home screen when they try to access the app’s settings.
The FakeTrade campaign shares similarities with CherryBlos, as it also employs advanced techniques to target Android users. The threat actor behind FakeTrade has used at least 31 fake Android apps to distribute the malware. Many of these apps have shopping-related themes and claim that users can earn money by completing tasks or purchasing additional credit. However, when users attempt to withdraw the money they earned or added, they find themselves unable to do so.
Although many of the FakeTrade apps were available on Google Play from 2021 to the first three quarters of 2022, Google has since removed all of them. However, both FakeTrade and CherryBlos remain significant threats to Android users. The threat actor responsible for these campaigns employs techniques like software packing, obfuscation, and abuse of Android’s Accessibility Service to evade detection.
With the increasing popularity of cryptocurrencies, it is crucial for Android users to exercise caution when downloading apps and managing their digital wallets. It is advisable to only download apps from trusted sources like the official Google Play Store and to enable two-factor authentication for all cryptocurrency transactions. Additionally, users should regularly update their devices, employ effective anti-malware software, and be wary of suspicious links or requests for sensitive information. By taking these precautions, Android users can better protect themselves against malware campaigns like CherryBlos and FakeTrade.
