New Android Malware CherryBlos Utilizing OCR to Steal Sensitive Data

Jul 29, 2023THNAndroid / Malware

A new Android malware strain called CherryBlos has been observed making use of optical character recognition (OCR) techniques to gather sensitive data stored in pictures.

CherryBlos, per Trend Micro, is distributed via bogus posts on social media platforms and comes with capabilities to steal cryptocurrency wallet-related credentials and act as a clipper to substitute wallet addresses when a victim copies a string matching a predefined format is copied to the clipboard.

Once installed, the apps seek users’ permissions to grant it accessibility permissions, which allows it to automatically grant itself additional permissions as required. As a defense evasion measure, users attempting to kill or uninstall the app by entering the Settings app are redirected back to the home screen.

Besides displaying fake overlays on top of legitimate crypto wallet apps to steal credentials and make fraudulent fund transfers to an attacker-controlled address, CherryBlos utilizes OCR to recognize potential mnemonic phrases from images and photos stored on the device, the results of which are periodically uploaded to a remote server.

The success of the campaign banks on the possibility that users tend to take screenshots of the wallet recovery phrases on their devices.

Trend Micro said it also found an app developed by the CherryBlos threat actors on the Google Play Store but without the malware embedded into it. The app, named Synthnet, has since been taken down by Google.

The threat actors also appear to share overlaps with another activity set involving 31 scam money-earning apps, dubbed FakeTrade, hosted on the official app marketplace based on the use of shared network infrastructure and app certificates.

Most of the apps were uploaded to the Play Store in 2021 and have been found to target Android users in Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.

“These apps claim to be e-commerce platforms that promise increased income for users via referrals and top-ups,” Trend Micro said. “However, users will be unable withdraw their funds when they attempt to do so.”

The disclosure comes as McAfee detailed a SMS phishing campaign against Japanese Android users that masquerades as a power and water infrastructure company to infect the devices with malware called SpyNote. The campaign took place in early June 2023.

“After launching the malware, the app opens a fake settings screen and prompts the user to enable the Accessibility feature,” McAfee researcher Yukihiro Okutomi said last week.

“By allowing the Accessibility service, the malware disables battery optimization so that it can run in the background and automatically grants unknown source installation permission to install another malware without the user’s knowledge.”

It’s no surprise that malware authors constantly seek new approaches to lure victims and steal sensitive data in the ever-evolving cyber threat landscape.

Google, last year, began taking steps to curb the misuse of accessibility APIs by rogue Android apps to covertly gather information from compromised devices by blocking sideloaded apps from using accessibility features altogether.

But stealers and clippers just represent one of the many kinds of malware – such as spyware and stalkerware – that are used to track targets and gather information of interest, posing severe threats to personal privacy and security.

New research published this week found that a surveillance app called SpyHide is stealthily collecting private phone data from nearly 60,000 Android devices around the world since at least 2016.

“Some of the users (operators) have multiple devices connected to their account, with some having as much as 30 devices they’ve been watching over a course of multiple years, spying on everyone in their lives,” a security researcher, who goes by the name maia arson crimew, said.

It’s therefore crucial for users to remain vigilant when downloading apps from unverified sources, verify developer information, and scrutinize app reviews to mitigate potential risks.

The fact that there is nothing stopping threat actors from creating bogus developer accounts on the Play Store to distribute malware hasn’t gone unnoticed by Google.

Earlier this month, the search giant announced that it will require all new developer accounts registering as an organization to provide a valid D-U-N-S number assigned by Dun & Bradstreet before submitting apps in an effort to build user trust. The change goes into effect on August 31, 2023.