Researchers have issued a warning about two interconnected malware campaigns, CherryBlos and FakeTrade, targeting Android users for cryptocurrency theft and other financially-motivated scams. The operators of these campaigns are spreading the malware through fake Android apps on Google Play, social media platforms, and phishing sites.
Trend Micro researchers observed that both malware strains use the same network infrastructure and application certificates, suggesting a common threat actor behind both operations.
CherryBlos, one of the malware strains, possesses a dangerous feature where it can utilize optical character recognition (OCR) to read mnemonic phrases in pictures on compromised devices, sending the data to its command-and-control server.
This capability allows the malware to target cryptocurrency wallets effectively. The threat actor responsible for these campaigns seems to have a global approach, targeting victims across multiple regions, including Malaysia, Vietnam, Philippines, Indonesia, Uganda, and Mexico, by uploading apps with replaced resource strings to various Google Play regions.
The CherryBlos campaign is focused on stealing cryptocurrency wallet-related credentials and replacing victims’ wallet addresses during withdrawals. The malware operators promote fake Android apps containing CherryBlos through platforms like Telegram, TikTok, and X, leading victims to phishing sites hosting the malicious apps. Similarly, the FakeTrade campaign, using at least 31 fake Android apps, entices users with shopping-related themes and promises of earning money through specific tasks or purchasing additional credits.
Despite Google’s removal of the fake apps, both CherryBlos and FakeTrade pose significant threats to Android users due to the threat actor’s advanced evasion techniques, including software packing, obfuscation, and exploitation of Android’s Accessibility Service. Users are advised to be cautious and refrain from downloading suspicious apps or granting excessive permissions to safeguard against such attacks.