Spyware Attack on Google Play: Malware CherryBlos and FakeTrade Targeting Android Users To Steal Sensitive Data Using Optical Character Recognition

CherryBlos malware was first seen spread in April 2023 in the form of an APK (Android package) file marketed on Telegram, Twitter, and YouTube as AI tools or cryptocurrency miners. The names used for the malicious APKs are GPTalk, Happy Miner, Robot999, and SynthNet, according to the report.

Android Malware Representational Image (Photo Credit: Pixabay)

San Francisco, July 30: Two new malware families targeting Android users have been discovered on Google Play, named CherryBlos and FakeTrade, which are designed to steal cryptocurrency credentials and funds or conduct scams using optical character recognition (OCR), a new report has said.

According to cybersecurity software company Trend Micro, both malware uses the same network infrastructure and certificates, indicating the same threat actors created them. The malicious apps are distributed through a variety of channels, including social media, phishing websites, and shopping apps on Google Play. Cyberattacks: 58% of Malware Families Sold As Service Are Ransomware, Shows Study.

CherryBlos malware was first seen spread in April 2023 in the form of an APK (Android package) file marketed on Telegram, Twitter, and YouTube as AI tools or cryptocurrency miners. The names used for the malicious APKs are GPTalk, Happy Miner, Robot999, and SynthNet, according to the report.

The downloaded malware CherryBlos (AndroidOS_CherryBlos.GCL), named because of the unique string used in its hijacking framework, can steal cryptocurrency wallet-related credentials, and replace victims’ addresses while they make withdrawals. In addition, a more interesting feature can be enabled, which uses OCR to remove text from photos and images.

“Once granted, CherryBlos will perform the following two tasks -- Read pictures from the external storage and use OCR to extract text from these pictures, and upload the OCR results to the C&C server at regular intervals,” the researchers wrote.

Moreover, another campaign that employed several fraudulent money-earning apps -- first uploaded to Google Play in 2021 -- involved the FakeTrade malware. Researchers discovered links to a Google Play campaign in which 31 scam apps known as "FakeTrade" used the same C2 network infrastructures and certifications as the CherryBlos apps, the report said.

These apps employ shopping themes or money-making entices to deceive users into watching commercials, committing to premium subscriptions, or topping up their in-app wallets while never allowing them to pay out the virtual prizes. Akira Ransomware Attack Warning: Government Issues Advisory Over Computer Malware Which Steals and Encrypts Data.

The applications have a similar interface and mostly target customers in Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico, with the majority of them appearing on Google Play between 2021 and 2022.

(The above story first appeared on LatestLY on Jul 30, 2023 03:12 PM IST. For more news and updates on politics, world, sports, entertainment and lifestyle, log on to our website latestly.com).

Share Now

Share Now