Security researchers this week have raised alarms about two related malware campaigns, CherryBlos and FakeTrade. Android users worldwide are the targets, losing cryptocurrency and money to various financial scams. The operators distribute the malware through counterfeit Android apps on Google Play, social media platforms, and scam websites.
A glimpse into CherryBlos and FakeTrade
Trend Micro's report this week describes both malware strains. They share network infrastructure and application signing certificates, which suggests that a single threat actor is behind both campaigns.
CherryBlos has an unusual and worrying feature: optical character recognition (OCR). The malware scans images stored on the compromised device for wallet mnemonic (seed) phrases and sends the extracted text to its command-and-control (C2) server. These phrases are what a user needs to recover or restore a crypto wallet, so whoever holds them controls its funds.
The attackers show no regional preference. The malware is adapted to several Google Play regions, including Malaysia, Vietnam, the Philippines, Indonesia, Uganda, and Mexico.
Delving into CherryBlos
CherryBlos steals cryptocurrency wallet credentials and swaps the victim's destination address during withdrawals. The threat actor advertises the malware-laden apps on social media platforms, including Telegram, TikTok, and X (formerly Twitter), directing users to phishing sites that host them. Decoy apps include GPTalk, Happy Miner, Robot99, and SynthNet.
Like other Android banking Trojans, CherryBlos needs Android's accessibility permissions to operate. When the app is launched, it prompts the user to enable them. Once installed, CherryBlos retrieves configuration files from its C2 and uses several techniques for persistence and for evading security controls.
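Because both campaigns depend on an accessibility grant, a quick defender-side check is to list which apps hold one and compare them against what the device owner knowingly enabled. The following is an added example, not code from the Trend Micro report or this article; the sample output, the allowlist and the package names in it are constructed, and the live query assumes adb is on the PATH with USB debugging enabled.

```python
"""Audit enabled Android accessibility services against an allowlist."""
from __future__ import annotations

import subprocess

# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# returns: colon-separated "package/serviceClass" entries.
# The second package is a hypothetical decoy app, not a real CherryBlos identifier.
SAMPLE_OUTPUT = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.gptalk/com.example.gptalk.AccService"
)

# Hypothetical allowlist: packages the device owner deliberately granted.
ALLOWLIST = {"com.android.talkback"}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the setting value into (package, service class) pairs.

    An empty value or the literal "null" means no service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        pairs.append((pkg, cls))
    return pairs


def unexpected_services(raw: str, allowlist: set[str]) -> list[str]:
    """Return packages holding an accessibility grant that are not allowlisted."""
    return sorted({pkg for pkg, _ in parse_enabled_services(raw) if pkg not in allowlist})


def read_from_device() -> str:
    """Query a connected device via adb (assumes adb on PATH, USB debugging on)."""
    return subprocess.check_output(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        text=True,
    )


if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for read_from_device() to audit a real device.
    for pkg in unexpected_services(SAMPLE_OUTPUT, ALLOWLIST):
        print("review accessibility grant:", pkg)
```

Any package the script reports should be checked against the installed app list and, if it is not a screen reader or similar tool the owner installed, have its grant revoked.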
The FakeTrade campaign
The FakeTrade campaign uses similar techniques, spreading the malware through a large number of counterfeit Android apps. Many of these apps lure users with promises of earning money by completing tasks or buying additional credit; users then find that they cannot withdraw their funds.
Although Google Play has removed these fake apps, CherryBlos and FakeTrade remain a threat, relying on evasion tactics such as software packing, code obfuscation, and abuse of Android's Accessibility Service.
Concluding remarks
Malware campaigns keep evolving and demand constant vigilance. How do you protect your digital assets from threats like these? Share your experiences and recommendations in the comments section below.