In a significant discovery, security researchers from Trend Micro have stumbled upon a rare breed of Android malware called CherryBlos. This malicious software employs optical character recognition (OCR) to pilfer credentials displayed on the screens of infected smartphones.
What sets CherryBlos apart is the advanced techniques that allow it to remain stealthy and bypass typical security measures.
Image: “smartphone teen” by pabak sarkar
A Sophisticated Threat
CherryBlos has been embedded into several Android apps available outside of the Google Play Store, specifically on sites promoting money-making scams. Although one of the apps was briefly available on Google Play without the malicious payload, the researchers also discovered suspicious apps created by the same developers on the platform, though these apps were free from malware.
The malware is designed to be elusive and cleverly disguises its malicious functionality. It employs a paid version of commercial software, known as Jiagubao, to encrypt its code and code strings, making it difficult to detect malicious activities. The malware also utilizes techniques to ensure its persistence on infected phones. When users open legitimate apps related to cryptocurrency services, CherryBlos overlays fake windows that closely mimic the authentic apps.
During financial transactions, the malware stealthily replaces the victim’s intended wallet address with one controlled by the attacker. CherryBlos was embedded into the following apps available from these websites:
| Label | Package name | Phishing domain |
|---|---|---|
| GPTalk | com.gptalk.wallet | chatgptc[.]io |
| Happy Miner | com.app.happyminer | happyminer[.]com |
| Robot 999 | com.example.walljsdemo | robot999[.]net |
| SynthNet | com.miner.synthnet | synthnet[.]ai |
The malware has been embedded into at least four Android apps available outside of Google Play, specifically on sites promoting money-making scams. One of the apps was available for close to a month on Google Play but didn’t contain the malicious CherryBlos payload
OCR for Credential Theft
The most striking feature of CherryBlos is its novel use of optical character recognition. When legitimate apps display passphrases or sensitive information on the phone screen, the malware captures an image of the screen and then uses OCR to translate the image into a text format, effectively stealing crucial account access information. Once the credentials are acquired, CherryBlos uploads the data to a command-and-control (C&C) server at regular intervals.
To add to its evasive tactics, CherryBlos bypasses the typical screenshot restrictions often used by banking and finance apps. It does this by obtaining accessibility permissions, which are usually intended for users with vision impairments or other disabilities.
Image: “Malware Infection” by Visual Content
A Growing Threat
While OCR-based malware is a relatively rare phenomenon, CherryBlos represents a significant advancement in the techniques employed by malicious actors. The malware developers’ ingenuity lies in their ability to use advanced tools and evasion techniques to carry out their malicious activities.
The researchers at Trend Micro identified multiple other apps, most of which were hosted on Google Play, sharing the same digital certificate or attacker infrastructure as the CherryBlos apps. Though these apps did not contain the malware payload, their abnormal behavior warranted concern.
Protecting Yourself Against Malicious Apps
To safeguard against the threats posed by such malware, users can follow some best practices:
- Stick to Official App Stores: Avoid downloading apps from third-party sources and only use official app stores like Google Play or Apple’s App Store.
- Read Reviews: Before installing any app, read user reviews to identify any potential malicious behavior reported by other users.
- Review Permissions: Be cautious of apps that seek accessibility permissions or permissions that seem unnecessary for the app’s legitimate function.
- Stay Updated Keep your smartphone’s operating system and apps updated with the latest security patches and versions.
By adhering to these practices, users can significantly reduce the risk of falling victim to malicious apps like CherryBlos. As threats continue to evolve, vigilance and awareness are crucial in ensuring mobile device security. Stay safe!