CherryBlos Mobile Malware Hides in Fake Google Play Apps

Researchers have issued a warning about two malware campaigns, named CherryBlos and FakeTrade, that target Android users for cryptocurrency theft and other financially motivated scams. The cybercriminals behind these campaigns distribute the malware through fake Android applications on Google Play, social media platforms, and phishing websites.

In a recent report, Trend Micro revealed that its researchers had discovered both malware strains and observed that they use the same network infrastructure and application signing certificates. This indicates that the same threat actor is likely responsible for both campaigns.

CherryBlos stands out for its use of optical character recognition (OCR) to read mnemonic phrases from images stored on compromised devices and transmit them to its command-and-control (C2) server. In cryptocurrency, these mnemonic phrases are used to recover or restore a wallet, so whoever holds the phrase controls the funds. The threat actor behind this malware does not appear to target a specific region but rather victims worldwide: they swap out resource strings and upload the malicious apps to different Google Play regions, including Malaysia, Vietnam, the Philippines, Indonesia, Uganda, and Mexico.

CherryBlos Goes After Crypto Wallets

The CherryBlos campaign focuses on stealing cryptocurrency wallet-related credentials and altering a victim's wallet address during withdrawals. To promote the fake Android apps containing the malware, the operator uses platforms like Telegram, TikTok, and X (formerly known as Twitter) to display ads. These ads typically direct users to phishing sites hosting the malicious apps. Some of the identified fake Android apps containing CherryBlos include GPTalk, Happy Miner, Robot99, and SynthNet.

Like other Android banking Trojans, CherryBlos requires accessibility permissions to function. These permissions are designed to improve usability for users with disabilities, enabling features such as reading screen content aloud, automating tasks, and providing alternative ways to interact with the device. When a user opens an app containing CherryBlos, a popup prompts them to enable accessibility permissions.

Once CherryBlos is installed on a device, it retrieves two configuration files from its C2 and deploys various methods to persist and evade anti-malware controls. Its persistence mechanisms include automatically granting its own permission requests and redirecting users to the home screen whenever they try to open the app's settings page, which makes the app hard to inspect or uninstall through the normal UI.
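Because both campaigns hinge on the victim enabling an accessibility service, a defender's first check on a suspect device is simply which services are enabled. The following is an added example, not code from the article or from Trend Micro's report: it parses the value of the real Android `Settings.Secure` key `enabled_accessibility_services` (as printed by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` entries) and flags any package that is not on an allowlist. The allowlist contents, the sample setting values, and the `com.example.*` package names are constructed for illustration.

```python
"""Flag unexpected Android accessibility services from a device setting.

Added example; not from the original article or Trend Micro's report.
Input is the string value of the Settings.Secure key
`enabled_accessibility_services`. Android stores it as entries of the form
`package/ServiceClass` separated by ':'; the class may use the shorthand
`package/.RelativeClass` form. An empty string or the literal `null`
means no accessibility service is enabled.
"""
from __future__ import annotations

# Constructed allowlist: packages whose accessibility services an
# organisation expects on its devices (e.g. a screen reader or an MDM
# agent). A real deployment would take this from its device baseline.
KNOWN_GOOD_PACKAGES = frozenset({
    "com.example.screenreader",   # constructed placeholder
    "com.example.mdm.agent",      # constructed placeholder
})


def parse_enabled_services(raw: str | None) -> list[tuple[str, str]]:
    """Split the setting value into (package, fully qualified class) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    services: list[tuple[str, str]] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue  # malformed entry; skip rather than guess
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the shorthand relative class name
        services.append((pkg, cls))
    return services


def flag_unexpected(raw: str | None,
                    allowlist: frozenset[str] = KNOWN_GOOD_PACKAGES) -> list[str]:
    """Return, sorted, the packages with an enabled accessibility service
    that are not on the allowlist. An empty list means nothing to review."""
    return sorted({pkg for pkg, _ in parse_enabled_services(raw)
                   if pkg not in allowlist})


def review_fleet(settings_by_device: dict[str, str | None],
                 allowlist: frozenset[str] = KNOWN_GOOD_PACKAGES) -> dict[str, list[str]]:
    """Apply flag_unexpected to a {device_id: setting_value} map and keep
    only the devices that have something to review."""
    findings = {}
    for device, raw in settings_by_device.items():
        hits = flag_unexpected(raw, allowlist)
        if hits:
            findings[device] = hits
    return findings


# Constructed sample values, as the `settings get secure ...` command would
# print them on three different devices.
SAMPLE_FLEET = {
    "device-A": "com.example.screenreader/.ReaderService",
    "device-B": ("com.example.screenreader/.ReaderService:"
                 "com.example.fakeapp/com.example.fakeapp.SyncService"),
    "device-C": "null",
}

if __name__ == "__main__":
    for device, pkgs in review_fleet(SAMPLE_FLEET).items():
        print(f"{device}: unexpected accessibility service from {', '.join(pkgs)}")
```

Treat a hit as a lead, not a verdict: many legitimate apps (password managers, automation tools) also register accessibility services, so the next step is to confirm where the flagged package was installed from and whether it is signed by the expected developer.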

In the FakeTrade campaign, the threat actor used at least 31 fake Android apps to distribute the malware. Many of these apps had shopping-related themes and claimed that users could earn money by completing tasks or purchasing additional credits; users who fell for this were later unable to withdraw their earnings. Although Google removed all the fake apps associated with the FakeTrade campaign from the Play Store in 2021 and the first three quarters of 2022, the malware still poses a significant threat to Android users. The cybercriminals employed evasion techniques such as software packing, obfuscation, and abuse of Android's Accessibility Service.

Overall, the CherryBlos and FakeTrade campaigns highlight the need for constant vigilance when using Android devices. Users should exercise caution when downloading applications, be wary of enticing offers that seem too good to be true, and treat any unexpected request to enable accessibility permissions as a red flag. Regularly updating security software and staying aware of phishing attempts can help protect against such campaigns.

July 31, 2023