New Android Malware CherryBlos Utilizing OCR to Steal Sensitive Data
A new Android malware strain called CherryBlos has been observed making use of optical character recognition (OCR) techniques to gather sensitive data stored in pictures.
CherryBlos, per Trend Micro, is distributed via bogus posts on social media platforms and comes with capabilities to steal cryptocurrency wallet-related credentials and act as a clipper, substituting an attacker-controlled wallet address whenever a string matching a predefined format is copied to the clipboard.
Once installed, the app asks the user to grant it accessibility permissions, which allows it to automatically grant itself additional permissions as required. As a defense evasion measure, users attempting to kill or uninstall the app by entering the Settings app are redirected back to the home screen.
Besides displaying fake overlays on top of legitimate crypto wallet apps to steal credentials and make fraudulent fund transfers to an attacker-controlled address, CherryBlos utilizes OCR to recognize potential mnemonic phrases from images and photos stored on the device, the results of which are periodically uploaded to a remote server.
The success of the campaign banks on the possibility that users tend to take screenshots of the wallet recovery phrases on their devices.
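As an added illustration, not code from the Trend Micro report or the malware itself, the following Python sketches a defender-side check for the clipper behaviour described above: it walks a constructed log of clipboard writes and flags a wallet address that is replaced by a different address of the same format within a short window. The address regexes, the event layout and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

# Illustrative wallet-address formats (assumption: not the exact patterns
# the CherryBlos clipper matches on).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class ClipEvent:
    ts: float     # seconds since the log started
    source: str   # app that wrote the clipboard; "user" for a manual copy
    text: str

def address_kind(text):
    """Return the address family the string matches, or None."""
    for kind, rx in ADDRESS_PATTERNS.items():
        if rx.match(text.strip()):
            return kind
    return None

def detect_clipper(events, window=2.0):
    """Flag a clipboard address that is overwritten by a *different* address of
    the same family within `window` seconds, which is the clipper signature."""
    alerts = []
    last = None  # (kind, event) for the most recent address write
    for ev in events:
        kind = address_kind(ev.text)
        if (last is not None and kind == last[0] and ev.text != last[1].text
                and ev.ts - last[1].ts <= window):
            alerts.append({"kind": kind, "original": last[1].text,
                           "replaced": ev.text, "by": ev.source})
        last = (kind, ev) if kind else None
    return alerts

# Constructed sample log: one ETH swap by a third-party app, one benign BTC pair.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "user", "0x" + "ab" * 20),              # user copies own address
    ClipEvent(0.4, "com.example.wallpaper", "0x" + "cd" * 20),  # rewritten at once
    ClipEvent(30.0, "user", "hello world"),                 # non-address, resets state
    ClipEvent(31.0, "user", "bc1q" + "x" * 38),
    ClipEvent(50.0, "user", "bc1q" + "y" * 38),             # 19 s later: not a swap
]

if __name__ == "__main__":
    for a in detect_clipper(SAMPLE_EVENTS):
        print(f"clipper suspected: {a['kind']} {a['original']} -> {a['replaced']} by {a['by']}")
```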
Trend Micro said it also found an app developed by the CherryBlos threat actors on the Google Play Store but without the malware embedded into it. The app, named Synthnet, has since been taken down by Google.
The threat actors also appear to overlap with another activity set, dubbed FakeTrade, involving 31 scam money-earning apps hosted on the official app marketplace; the link is based on shared network infrastructure and app certificates.
Most of the apps were uploaded to the Play Store in 2021 and have been found to target Android users in Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico.
“These apps claim to be e-commerce platforms that promise increased income for users via referrals and top-ups,” Trend Micro said. “However, users will be unable to withdraw their funds when they attempt to do so.”
The disclosure comes as McAfee detailed an SMS phishing campaign against Japanese Android users that masquerades as a power and water infrastructure company to infect devices with malware called SpyNote. The campaign took place in early June 2023.
“After launching the malware, the app opens a fake settings screen and prompts the user to enable the accessibility feature,” McAfee researcher Yukihiro Okutomi said last week.
“By allowing the accessibility service, the malware disables battery optimization so that it can run in the background and automatically grants unknown source installation permission to install another malware without the user’s knowledge.”
It’s no surprise that malware authors constantly seek new approaches to lure victims and steal sensitive data in the ever-evolving cyber threat landscape.
Last year, Google began taking steps to curb the misuse of accessibility APIs by rogue Android apps to covertly gather information from compromised devices, blocking sideloaded apps from using accessibility features altogether.
But stealers and clippers just represent one of the many kinds of malware – such as spyware and stalkerware – that are used to track targets and gather information of interest, posing severe threats to personal privacy and security.
New research published this week found that a surveillance app called SpyHide is stealthily collecting private phone data from nearly 60,000 Android devices around the world since at least 2016.
“Some of the users (operators) have multiple devices connected to their account, with some having as many as 30 devices they’ve been watching over a course of multiple years, spying on everyone in their lives,” a security researcher, who goes by the name maia arson crimew, said.
It’s therefore crucial for users to remain vigilant when downloading apps from unverified sources, verify developer information, and scrutinize app reviews to mitigate potential risks.
The fact that there is nothing stopping threat actors from creating bogus developer accounts on the Play Store to distribute malware hasn’t gone unnoticed by Google.
Earlier this month, the search giant announced that it will require all new developer accounts registering as an organization to provide a valid D-U-N-S number assigned by Dun & Bradstreet before submitting apps in an effort to build user trust. The change goes into effect on August 31, 2023.