New CherryBlos malware hides inside Android apps

Researchers have discovered new Android-embedded malware called CherryBlos that uses optical character recognition to steal cryptocurrency wallet credentials and recovery phrases

A team of researchers has discovered new malware embedded in Android apps, called CherryBlos, that uses optical character recognition (OCR) to steal credentials.

Cybersecurity specialists at Trend Micro's Mobile App Reputation Service (MARS) have warned of a new malware family for Google's operating system that is being used in fake cryptocurrency-mining and financial-scam campaigns.

First seen in April 2023, CherryBlos was reportedly distributed via Telegram and has been found in four Android apps: GPTalk, Happy Miner, Robot 999, and SynthNet. It is designed to steal credentials related to cryptocurrency transactions and can replace the destination address when assets are withdrawn from a wallet.

Trend Micro notes that, like most modern banking Trojans, CherryBlos "requires accessibility permissions to work": when the user opens the infected application, a pop-up dialog asks them to enable accessibility permissions for it. Once granted, CherryBlos requests two configuration files from its command-and-control (C&C) server, whose address is stored in the app as a resource string; communication with the server takes place over HTTPS.

CherryBlos malware steals users’ passwords

To steal wallet credentials or assets, CherryBlos uses several techniques. One is a fake pop-up user interface shown when a legitimate wallet app starts: the malware checks which wallet apps are installed on the device and launches a fake one as soon as it detects activity in them.

It uses the Accessibility Service to monitor activity and, when it detects a wallet app, calls startActivity to launch the rogue application and trick the victim into entering their login credentials. Once the victim enters their password and taps the 'confirm' button, the credentials are sent to the C&C server.

A second technique hijacks the user interface of the legitimate Binance app to change the withdrawal address, so that the funds go to an address controlled by the cybercriminals.

The malware watches for three keywords on screen: 'Withdraw', 'Confirm' and 'Send'. Once it sees one, it uses the Accessibility Service to read other interface elements, such as the type of currency involved in the transaction. It then overlays a rogue interface on the legitimate app; the withdrawal goes through, and the assets are transferred to an address controlled by the attacker.

Trend Micro also reports that CherryBlos can read media files stored on external storage and use optical character recognition (OCR) to recognize the mnemonic (recovery) phrases used to gain access to an account. When a legitimate app displays such a passphrase on the screen, the malware can capture an image of it and use OCR to turn what is shown into text, which it can then use to compromise the account.
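The capabilities described above (an accessibility service, reads of external storage, and network access to a C&C server) are all visible in an app's manifest before it is ever run. The following script, an added example written for this page and not Trend Micro's tooling, performs that static triage on a decoded AndroidManifest.xml. The sample manifest, its package name and its service class name are constructed placeholders, not identifiers from the real CherryBlos samples.

```python
"""Static triage of a decoded AndroidManifest.xml (e.g. apktool output) for the
permission pattern described in the article: an accessibility service, access to
external storage, and INTERNET. Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS   # attribute prefix for android:* attributes

# Constructed sample manifest. Package and class names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakewallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Sample">
    <service android:name=".ScreenReaderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Permissions that let an app read user media (screenshots of seed phrases)
# from shared storage on different Android versions.
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def accessibility_services(root):
    """Return the names of <service> elements that the system would treat as
    accessibility services: they are bound with BIND_ACCESSIBILITY_SERVICE
    and/or filter for the AccessibilityService intent action."""
    found = []
    for svc in root.iter("service"):
        bound = svc.get(A + "permission") == ACCESSIBILITY_BIND
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if bound or ACCESSIBILITY_ACTION in actions:
            found.append(svc.get(A + "name"))
    return found


def triage_manifest(xml_text):
    """Extract the capability flags the article describes and decide whether
    the manifest matches the full pattern (all three present)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    services = accessibility_services(root)
    findings = {
        "package": root.get("package"),
        "accessibility_services": services,
        "reads_external_storage": bool(perms & STORAGE_PERMS),
        "network": "android.permission.INTERNET" in perms,
        # Overlay permission is not required for the accessibility-driven
        # fake UI, but it is a useful secondary indicator.
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
    }
    findings["matches_pattern"] = (
        bool(services) and findings["reads_external_storage"] and findings["network"]
    )
    return findings


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print("%-24s %s" % (key + ":", value))
```

A positive match is a triage signal, not a verdict: screen readers and some automation apps legitimately declare an accessibility service. On a device that is already suspected of being infected, the corresponding dynamic check is the list of services the user has actually enabled, which `adb shell settings get secure enabled_accessibility_services` prints as colon-separated component names.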

As Ars Technica notes, most banking and finance apps set a flag that blocks screenshots during sensitive operations, and this malware appears to circumvent that restriction. It can do so because it holds the accessibility permissions intended for people with visual impairments, which is why such permissions should only ever be granted to services the user recognises.

Source: dpa

(Reference image source: Unsplash, in collaboration with Getty Images)
