Malware
July 31, 2023

OCR is being used to steal credentials from images in new Android malware

Two new Android malware variants named 'CherryBlos' and 'FakeTrade' have been discovered on Google Play. These malicious programs have a common purpose of pilfering cryptocurrency credentials and funds, as well as engaging in fraudulent activities.

Both malware families share identical network infrastructure and certificates, leading experts to conclude that they were crafted by the same threat actors.

These applications utilise diverse distribution channels, encompassing social media platforms, phishing websites and deceptive shopping apps that are available on Google Play.

CherryBlos malware

In April 2023, the CherryBlos malware made its debut and was disseminated in the form of an APK (Android package) file. This software was cleverly marketed on platforms such as Telegram, Twitter, and YouTube, masquerading as AI tools or coin miners to deceive potential victims.

The malicious APKs, namely GPTalk, Happy Miner, Robot999, and SynthNet, were acquired from corresponding websites with domain names as follows:

chatgptc[.]io

happyminer[.]com

robot999[.]net

synthnet[.]ai

One of the rogue apps, SynthNet, managed to find its way onto the Google Play store. It was downloaded approximately a thousand times before being flagged, reported, and then taken down to prevent further harm.

CherryBlos is a harmful program designed to steal cryptocurrency by exploiting Accessibility service permissions. It acquires two configuration files from a command-and-control (C2) server, grants itself extra permissions automatically, and blocks users from terminating the compromised app.

To steal cryptocurrency credentials and assets, CherryBlos employs a variety of tactics, with the primary approach involving the use of counterfeit user interfaces that imitate legitimate apps. These fake interfaces are employed to engage in phishing attempts and deceive users into providing their sensitive credentials.

A more unusual capability can also be activated: the malware uses OCR (optical character recognition) to extract text from images and photos stored on the device.

For instance, during the setup of new cryptocurrency wallets, users are provided with a recovery phrase or password comprising 12 or more words. This recovery phrase serves to regain access to the wallet on a computer in case of loss or device changes.

Upon displaying these words, users are encouraged to record them meticulously and store them in a secure location. This precaution is crucial because possession of this recovery phrase grants anyone the ability to add the crypto wallet to their device and gain access to the funds within it.

Although strongly advised against, individuals continue to capture photos of their recovery phrases, often saving these images on computers and mobile devices.

If this feature is enabled the consequences can be severe, as the malware uses OCR to extract the recovery phrase from such images, allowing the attackers to take over the wallet.

The pilfered data is subsequently transmitted back to the threat actors' servers at periodic intervals, as illustrated below.

The malware also functions as a clipboard hijacker specifically targeting the Binance app. It swaps the recipient's cryptocurrency address in the clipboard with one controlled by the attackers, while the address shown on screen is left unchanged, so the user sees nothing unusual.

This malicious behaviour empowers threat actors to reroute payments meant for users into their own wallets, effectively siphoning off the transferred funds.
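As an added illustration of the clipboard-hijack behaviour described above (example detection code written for this article, not code from the malware or the original analysis), the following Python checks a timeline of clipboard events for a cryptocurrency address that changes without the user having copied anything new. The event format, the loose address-shape checks and the sample timeline are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Loose shape checks for common address formats (constructed for this example,
# not full validators): ETH 0x + 40 hex, BTC legacy base58, BTC bech32.
ADDRESS_PATTERNS = [
    re.compile(r"^0x[0-9a-fA-F]{40}$"),
    re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
]

def looks_like_address(text: str) -> bool:
    return any(p.match(text.strip()) for p in ADDRESS_PATTERNS)

@dataclass
class ClipEvent:
    ts: float       # seconds since start of the timeline
    source: str     # "user_copy" (explicit copy by the user) or "observed" (clipboard read back)
    content: str

def detect_hijack(events):
    """Return a list of (ts, expected, found) for every case where an address the
    user copied was replaced by a different address before the user copied again."""
    alerts = []
    expected = None
    for ev in events:
        if ev.source == "user_copy":
            expected = ev.content.strip() if looks_like_address(ev.content) else None
        elif ev.source == "observed" and expected is not None:
            found = ev.content.strip()
            if looks_like_address(found) and found != expected:
                alerts.append((ev.ts, expected, found))
                expected = None  # report each silent swap once
    return alerts

# Constructed sample timeline (not real data): the user copies an ETH address,
# the clipboard is rewritten without a user copy, then ordinary text is copied.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "user_copy", "0x" + "ab" * 20),
    ClipEvent(0.5, "observed", "0x" + "ab" * 20),
    ClipEvent(1.2, "observed", "0x" + "cd" * 20),   # swapped with no user copy in between
    ClipEvent(5.0, "user_copy", "meeting notes"),
    ClipEvent(5.5, "observed", "meeting notes"),
]

if __name__ == "__main__":
    for ts, exp, got in detect_hijack(SAMPLE_EVENTS):
        print(f"t={ts}: clipboard address changed from {exp[:10]}... to {got[:10]}...")
```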

FakeTrade scam

Regarding the "FakeTrade" campaign, analysts made significant discoveries on Google Play. A total of 31 fraudulent applications collectively known as "FakeTrade" were identified, exhibiting close ties to the CherryBlos apps in terms of shared C2 network infrastructures and certificates.

These deceitful apps employ enticing shopping themes and alluring money-making schemes to deceive users. They coax individuals into watching ads, subscribing to premium services, or depositing funds into their in-app wallets. However, these virtual rewards are designed never to be cashed out.

The apps share a similar interface and primarily target users in countries such as Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico. Most of these fraudulent apps were uploaded to Google Play between 2021 and 2022.

Google has reported that the malware apps have been removed from Google Play. However, thousands of users had already downloaded them, so manual clean-up may be required on the devices that were infected.
