CherryBlos Malware Uses OCR to Pluck Android Users' Cryptocurrency

Researchers this week warned of two related malware campaigns, dubbed CherryBlos and FakeTrade, targeting Android users for cryptocurrency theft and other financially motivated scams. The operators of the campaign are distributing the malware via fake Android apps on Google Play, social media platforms, and phishing sites.

In a report this week, Trend Micro said its researchers had discovered the two malware strains recently and had observed the malware using the same network infrastructure and application certificates. This points to the same threat actor being behind both campaigns, the researchers noted.

One, somewhat unusual — and dangerous — feature in CherryBlos is its ability to use optical character recognition (OCR) to read any mnemonic phrases that might be present in pictures on a compromised host device, and to send that data to its command-and-control server (C2). In the context of cryptocurrency, mnemonic phrases are what people use when they want to recover or restore a crypto wallet.

"From the language used by these samples, we determined that the threat actor doesn't have a specific targeted region, but targets victims across the globe, replacing resource strings and uploading these apps to different Google Play regions," Trend Micro said. These regions include Malaysia, Vietnam, Philippines, Indonesia, Uganda, and Mexico, the security vendor said.

The CherryBlos Campaign

The CherryBlos malware is engineered to steal cryptocurrency wallet-related credentials, and to replace a victim's wallet address when they make withdrawals. Trend Micro said it had observed the malware operator using Telegram, TikTok, and X (the platform formerly known as Twitter), to display ads promoting fake Android apps containing the malware. The ads typically pointed to phishing sites that hosted the fake apps. Trend Micro said it had identified at least four fake Android apps containing CherrBlos: GPTalk, Happy Miner, Robot99, and SynthNet.

CherryBlos is similar to other Android banking Trojans in that it requires Android's accessibility permissions in order to work. These are permissions for making Android apps more usable for users with disabilities, and include permissions for reading screen content out loud, automating repetitive tasks, and for alternate ways to interact with the device — such as using gestures. With CherryBlos, when a user opens the app, it displays a popup prompting the use to enable accessibility permissions, Trend Micro said.

Once installed on a device, CherryBlos retrieves two configuration files from its C2. It also uses multiple methods for persistence and to evade anti-malware controls. The malware's persistence mechanisms include automatically approving various permission requests and sending the user back to the home screen when they attempt to access the app's settings.

FakeTrade Campaign

For the FakeTrade campaign, which features similar technology, the threat actor has so far used at least 31 fake Android apps to distribute the malware. Many of these fake apps have featured shopping-related themes and have claimed users could earn money by completing certain tasks or by purchasing additional credit in an application. Often when users fell for the lure and topped-up their accounts, they were subsequently unable to withdraw from it later.

Many of the apps in the FakeTrade campaign were available on Google Play in 2021 and for the first three quarters of 2022. But Google has removed all of the offending apps since then, Trend Micro said. Even so, FakeTrade and CherryBlos continue to present a significant threat for Android users: "The threat actor behind these campaigns employed advanced techniques to evade detection, such as software packing, obfuscation, and abusing Android's Accessibility Service," according to the report.