uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,018

Using OCR, the new Android malware CherryBlos steals sensitive data.

In order to collect private information contained in images, a new Android malware strain known as CherryBlos has been seen using optical character recognition (OCR) methods.

CherryBlos, according to Trend Micro, is spread through phony social media posts and has the ability to steal cryptocurrency wallet-related credentials as well as act as a clipper to replace wallet addresses when a victim copies a string that matches a predefined format to the clipboard.

Once installed, the apps ask for users' permission to grant them accessibility permissions, which enables it to automatically grant itself additional permissions as necessary. Users who try to kill or uninstall an app by going to the Settings app are sent back to the home screen as a defense evasion measure.

CherryBlos uses OCR to identify potential mnemonic phrases from images and photos stored on the device, with the results of which are routinely uploaded to a remote server.
CherryBlos displays fake overlays on top of legitimate cryptocurrency wallet apps to steal credentials and make fraudulent fund transfers to an attacker-controlled address.

The campaign's success depends on the likelihood that users will frequently screenshot the wallet recovery phrases on their devices.

The CherryBlos threat actors also released an app on the Google Play Store, according to Trend Micro, but it was free of malware. Google has since removed the Synthnet app.

Based on the use of shared network infrastructure and app certificates, the threat actors also seem to have overlaps with another activity set involving 31 fraudulent money-making apps called FakeTrade that are hosted on the official app marketplace.

It has been discovered that the majority of the apps, which were uploaded to the Play Store in 2021, are directed at Android users in Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico.

According to Trend Micro, these apps represent purported e-commerce platforms that promise users will earn more money through recommendations and top-ups. But when users try to withdraw money, they won't be able to. ".

The revelation coincides with McAfee's disclosure of a SMS phishing campaign against Japanese Android users that poses as a power and water infrastructure company in order to infect the devices with SpyNote malware.
Early in June 2023 was the time of the campaign.

According to a McAfee researcher Yukihiro Okutomi, "after the malware has been launched, the app opens a fake settings screen and asks the user to enable the Accessibility feature.".

By allowing the Accessibility service, the malware turns off battery optimization so that it can operate in the background and automatically gives unknown source installation permission to install additional malware without the user's knowledge. ".

Malware for Android CherryBlos.
The constant evolution of the cyber threat landscape doesn't come as a surprise to malware developers, who are always looking for fresh ways to seduce victims and steal personal information.

By forbidding sideloaded apps from using accessibility features at all, Google started taking action last year to stop rogue Android apps from using accessibility APIs to covertly gather data from compromised devices.

However, stealers and clippers are only one of the many varieties of malware, including spyware and stalkerware, that are used to track targets and gather relevant information, posing serious risks to individual security and privacy.

According to recent research, SpyHide, an Android surveillance app, has been secretly gathering private phone data from nearly 60,000 Android devices worldwide since at least 2016.

According to a security researcher who goes by the name of maia arson crimew, some of the users (operators) have several devices connected to their accounts, with some having as many as 30 devices they've been monitoring over the course of several years, spying on everyone in their lives.

Therefore, in order to minimize risks, users must exercise caution when downloading apps from unreliable sources, check developer information, and carefully read app reviews.

Google has taken note of the fact that nothing is stopping threat actors from opening phony developer accounts on the Play Store in order to disseminate malware.

In an effort to increase user trust, the search engine giant announced earlier this month that it would require all new developer accounts registering as organizations to provide a valid D-U-N-S number assigned by Dun and Bradstreet before submitting apps. The modification is effective as of August 31, 2023.