In a significant discovery, security researchers from Trend Micro have stumbled upon a rare breed of Android malware called CherryBlos. This malicious software employs optical character recognition (OCR) to pilfer credentials displayed on the screens of infected smartphones.
What sets CherryBlos apart is the advanced techniques that allow it to remain stealthy and bypass typical security measures.
CherryBlos has been embedded into several Android apps distributed outside the Google Play Store, specifically on sites promoting money-making scams. One of the apps was briefly available on Google Play, though in a build without the malicious payload; the researchers also found other suspicious apps by the same developers on Google Play, and those too were free of the malware.
The malware is designed to be elusive and cleverly disguises its malicious functionality. It is protected with a paid version of the commercial packer Jiagubao, which encrypts the app's code and strings and makes static detection of the malicious logic difficult. The malware also uses persistence techniques to survive on infected phones. When users open legitimate cryptocurrency apps, CherryBlos draws fake windows over them that closely mimic the authentic apps.
During financial transactions, the malware silently replaces the victim's intended destination wallet address with one controlled by the attacker. CherryBlos was embedded into the following apps available from these websites:
Label | Package name | Phishing domain |
---|---|---|
GPTalk | com.gptalk.wallet | chatgptc[.]io |
Happy Miner | com.app.happyminer | happyminer[.]com |
Robot 999 | com.example.walljsdemo | robot999[.]net |
SynthNet | com.miner.synthnet | synthnet[.]ai |
The most striking feature of CherryBlos is its novel use of optical character recognition. When legitimate apps display wallet recovery passphrases or other sensitive information on the phone screen, the malware captures an image of the screen and runs OCR on it to extract the text, effectively stealing the information needed to access the account. Once the credentials are acquired, CherryBlos uploads the data to a command-and-control (C&C) server at regular intervals.
To add to its evasive tactics, CherryBlos bypasses the screenshot restrictions that banking and finance apps typically apply to their windows. It does this by obtaining accessibility permissions: a capability intended for assistive technology that serves users with vision impairments or other disabilities, but which also lets an app observe and capture what other apps draw on the screen.
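The capabilities described above (an accessibility service, overlays drawn on top of other apps, and persistence across reboots) all have to be declared in an app's AndroidManifest.xml, which makes them a cheap static triage signal. The following script is an added example, not code from the original article or from Trend Micro: it parses a manifest, flags that capability combination, and also matches the package name against the IOC table on this page. The scoring rules and the sample manifests are my own constructions for illustration; the heuristic is deliberately conservative, since an accessibility service on its own is exactly what a legitimate screen reader declares.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Package names taken from the IOC table on this page.
KNOWN_CHERRYBLOS_PACKAGES = {
    "com.gptalk.wallet",
    "com.app.happyminer",
    "com.example.walljsdemo",
    "com.miner.synthnet",
}

# Capability heuristic (an assumption of this example, not Trend Micro's
# detection logic): the combination an app needs to read and capture other
# apps' screens, draw phishing overlays on top of them and survive reboots.
ACCESSIBILITY_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"


def _android_attr(elem, name):
    """Read an attribute from the android: XML namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def declares_accessibility_service(root):
    """True if any <service> is bound as an accessibility service."""
    for svc in root.iter("service"):
        if _android_attr(svc, "permission") != ACCESSIBILITY_BIND_PERM:
            continue
        actions = {_android_attr(a, "name") for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            return True
    return False


def triage_manifest(manifest_xml):
    """Return the package name, the suspicious traits found and a verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}

    traits = []
    if package in KNOWN_CHERRYBLOS_PACKAGES:
        traits.append("known CherryBlos package name")
    if declares_accessibility_service(root):
        traits.append("accessibility service (can read/capture other apps' screens)")
    if OVERLAY_PERM in perms:
        traits.append("SYSTEM_ALERT_WINDOW (can draw overlays on other apps)")
    if BOOT_PERM in perms:
        traits.append("RECEIVE_BOOT_COMPLETED (persistence across reboots)")

    # Verdict rules of this example: a known IOC is a hit outright; otherwise
    # accessibility combined with overlays or boot persistence is the
    # overlay-phishing profile described above. Accessibility alone is not
    # flagged, because legitimate assistive apps declare exactly that.
    if package in KNOWN_CHERRYBLOS_PACKAGES:
        verdict = "malicious"
    elif len(traits) >= 2 and any("accessibility" in t for t in traits):
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"package": package, "traits": traits, "verdict": verdict}


# Constructed sample manifests for this example (not recovered from real samples).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.minerdemo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Miner">
        <service android:name=".ScreenService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight"/>
</manifest>"""

IOC_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.miner.synthnet">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="SynthNet"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST, IOC_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "->", result["verdict"])
        for trait in result["traits"]:
            print("   ", trait)
```

In practice the manifest is pulled from an APK with a tool such as apktool or androguard before being fed to triage_manifest; the permission check is a first-pass filter only, and a hit still needs the dynamic analysis the researchers describe (overlay behaviour, screenshot plus OCR, address substitution) to confirm anything.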
While OCR-based malware is a relatively rare phenomenon, CherryBlos represents a significant advancement in the techniques employed by malicious actors. The malware developers’ ingenuity lies in their ability to use advanced tools and evasion techniques to carry out their malicious activities.
The researchers at Trend Micro identified multiple other apps, most of which were hosted on Google Play, sharing the same digital certificate or attacker infrastructure as the CherryBlos apps. Though these apps did not contain the malware payload, their abnormal behavior warranted concern.
To safeguard against the threats posed by such malware, users can follow some best practices:
By adhering to these practices, users can significantly reduce the risk of falling victim to malicious apps like CherryBlos. As threats continue to evolve, vigilance and awareness are crucial in ensuring mobile device security. Stay safe!