CherryBlos malware was discovered in April this year and is known to disguise itself under app names like GPTalk, HappyMiner and SynthNet.
A new malware for Android might be stealing your sensitive information using Optical Character Recognition (OCR), a technology that is commonly used to extract text from images.
Recently discovered by Trend Micro, two new malware families dubbed ‘CherryBlos’ and ‘FakeTrade’ use the same infrastructure and signing certificates, suggesting they were created by the same person or group.
These apps made use of numerous distribution channels like Telegram, Twitter and YouTube and were even available on the official Android app store – Google Play.
CherryBlos was first spotted in April this year and was distributed as an APK posing as either an AI tool or a coin miner. It often disguised itself as GPTalk, HappyMiner, Robot999 and SynthNet.
The last on the list was even uploaded to the Play Store, where it was downloaded by more than a thousand users before it was reported and removed.
The malware abuses Android’s accessibility service, which keeps it from being killed, and often displays fake user interfaces that mimic official apps to steal passwords.
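Because the accessibility service is what lets this malware keep running and overlay fake screens, a quick defensive check is to audit which services are enabled on a device. The script below is an added example, not code from the article or from Trend Micro; it assumes the value comes from `adb shell settings get secure enabled_accessibility_services`, and the allowlist and sample package names are constructed.

```shell
#!/bin/sh
# Added example: flag enabled Android accessibility services whose package is
# not on a known-good allowlist. On a real device the setting value comes from:
#   adb shell settings get secure enabled_accessibility_services
# SAMPLE_VALUE below is a constructed stand-in for that output; the package
# names in it are hypothetical.

# Services the user knowingly enabled (hypothetical allowlist, one package per line).
ALLOWLIST="com.google.android.marvin.talkback
com.android.switchaccess"

# Constructed sample of the colon-separated setting value (package/service pairs).
SAMPLE_VALUE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/com.example.unknownapp.AccService"

# Print every service entry whose package is not on the allowlist, one per line.
# $1 = setting value, $2 = allowlist
flag_accessibility_services() {
    value="$1"
    allow="$2"
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg="${entry%%/*}"                      # package name precedes the slash
        if ! printf '%s\n' "$allow" | grep -qxF "$pkg"; then
            printf '%s\n' "$entry"              # unexpected service: investigate
        fi
    done
}

flag_accessibility_services "$SAMPLE_VALUE" "$ALLOWLIST"
```

Any package reported here that the user did not deliberately grant accessibility access to deserves a closer look, since legitimate apps rarely need it.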
CherryBlos can also use OCR (optical character recognition) to read text from images stored on the device. When setting up a new crypto wallet, many people take photos of their recovery codes and keep them on their devices.
The malware can potentially use OCR to read and extract such a recovery code, which can then be used to gain access to the wallet.
If you are a Binance user, CherryBlos can also replace the recipient’s crypto address with the attacker’s while still showing the original address to the user. This allows it to redirect and steal the funds being transferred.
Trend Micro suggests the ‘FakeTrade’ campaign was a coordinated effort of 31 apps that used the same network infrastructure and certificate as CherryBlos. They tricked users into watching ads, signing up for premium subscriptions and topping up in-app wallets for rewards, without ever letting them cash out.
Source: indianexpress.com