Two new malware families targeting Android users have been discovered on Google Play, named CherryBlos and FakeTrade, which are designed to steal cryptocurrency credentials and funds or conduct scams using optical character recognition (OCR), a new report has said.

According to cybersecurity software company Trend Micro, both malware uses the same network infrastructure and certificates, indicating the same threat actors created them.

The malicious apps are distributed through a variety of channels, including social media, phishing websites, and shopping apps on Google Play.

CherryBlos malware was first seen spread in April 2023 in the form of an APK (Android package) file marketed on Telegram, Twitter, and YouTube as AI tools or cryptocurrency miners.

The names used for the malicious APKs are GPTalk, Happy Miner, Robot999, and SynthNet, according to the report.

The downloaded malware CherryBlos (AndroidOS_CherryBlos.GCL), named because of the unique string used in its hijacking framework, can steal cryptocurrency wallet-related credentials, and replace victims’ addresses while they make withdrawals.

Buy Me a Coffee

In addition, a more interesting feature can be enabled, which uses OCR to remove text from photos and images.

“Once granted, CherryBlos will perform the following two tasks — Read pictures from the external storage and use OCR to extract text from these pictures, and upload the OCR results to the C&C server at regular intervals,” the researchers wrote.

Moreover, another campaign that employed several fraudulent money-earning apps — first uploaded to Google Play in 2021 — involved the FakeTrade malware.

READ
UK Cracks Down on Russian Money Laundering Networks Supporting Global Cybercrime

Researchers discovered links to a Google Play campaign in which 31 scam apps known as “FakeTrade” used the same C2 network infrastructures and certifications as the CherryBlos apps, the report said.

These apps employ shopping themes or money-making entices to deceive users into watching commercials, committing to premium subscriptions, or topping up their in-app wallets while never allowing them to pay out the virtual prizes.

The applications have a similar interface and mostly target customers in Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico, with the majority of them appearing on Google Play between 2021 and 2022.