New Android Malware Uses Optical Character Recognition to Steal Login Credentials
Besides employing various channels for distribution, these malicious apps, named “CherryBlos” and “FakeTrade,” have been discovered by cybersecurity researchers at Trend Micro to use OCR (Optical Character Recognition) techniques to extract sensitive data from pictures. The shared network infrastructure and certificates indicate the involvement of the same threat actors behind these new Android malware strains. The distribution channels used by these apps include social media, phishing sites, Google Play, and other Android app stores.
Android Malware Uses OCR
In April 2023, CherryBlos malware emerged as an APK file that was found to be promoted on Telegram, Twitter, and YouTube as:-
- AI tools
- Coin miners
All the malicious APK files were downloaded from domain-matching websites. Here below, we have mentioned the malicious APK file names and matching domains:-
APK files:
- GPTalk
- Happy Miner
- Robot999
- SynthNet
Matching domain names:
- chatgptc[.]io
- happyminer[.]com
- robot999[.]net
- synthnet[.]ai
Moreover, the SynthNet app, a malicious version, was downloaded around 1,000 times on Google Play before being reported and removed.
CherryBlos malware targets crypto wallet credentials and alters withdrawal addresses, since it's mainly designed to steal cryptocurrency wallet-related information.
CherryBlos exploits accessibility service permissions to:-
- Fetch config files
- Auto-approve permissions
- Block app termination
Besides stealing cryptocurrency-related data, CherryBlos also has an extraordinary feature that enables OCR for text extraction from images on the device.
When EnableImage is true in the config, CherryBlos reads media files, applying OCR for potential mnemonic recognition.
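The behaviour described above depends on a specific combination of declared capabilities: an accessibility service, permission to read the device's media, and network access to send what the OCR finds. The following Python script is an added example (not Trend Micro's tooling and not code from the malware) that performs a static triage of an AndroidManifest.xml for exactly that combination. The manifests, package name and service name in it are constructed for illustration; the permission and action strings are the standard Android ones.

```python
"""Static triage of an AndroidManifest.xml for the capability profile
described for CherryBlos: accessibility service + media read + network.
Added example with constructed manifests; not the malware's code."""
import xml.etree.ElementTree as ET

# Android attributes (android:name, android:permission) live in this namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read photos, where recovery-phrase screenshots live.
MEDIA_READ_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest resembling what a wallet-stealing app would declare.
# Package and service names are placeholders.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest: a photo viewer that reads images but has no
# accessibility service and no network permission.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.viewer">
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <application/>
</manifest>
"""


def extract_capabilities(manifest_xml):
    """Collect the declared permissions and whether an accessibility service is bound."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    has_accessibility = any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
        for svc in root.iter("service")
    )
    return {
        "accessibility_service": has_accessibility,
        "reads_media": bool(perms & MEDIA_READ_PERMISSIONS),
        "network": "android.permission.INTERNET" in perms,
        "permissions": perms,
    }


def triage(manifest_xml):
    """Return human-readable findings; an empty list means no match for this profile."""
    caps = extract_capabilities(manifest_xml)
    findings = []
    if caps["accessibility_service"]:
        findings.append(
            "declares an accessibility service: can read the screen, "
            "auto-approve permission dialogs and resist termination"
        )
    if caps["accessibility_service"] and caps["reads_media"] and caps["network"]:
        findings.append(
            "accessibility + media read + network: matches the OCR "
            "credential-exfiltration profile described for CherryBlos"
        )
    return findings


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest) or ["no findings"])
```

A declared accessibility service is not malicious by itself (screen readers and automation tools need it), so the script reports it as a single finding and only escalates when the full combination is present. In an app-vetting pipeline this check would run on the manifest pulled from the APK, before any dynamic analysis.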
Despite the risk, people save photos of their recovery phrases on their devices, which lets the malware extract the phrase and send it to the threat actors.
Moreover, the malware also hijacks the clipboard when the Binance app is in use, replacing the recipient address with the attacker's, which lets attackers redirect fund transfers stealthily.
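The clipboard hijack works because a wallet address is pasted rather than typed, so the user rarely notices that the string changed between copy and paste. The following Python script is an added example (not part of the article or of any wallet app) of the check a wallet or security app could apply: remember what the user last copied, and raise an alert when the clipboard content observed at paste time is a different address-shaped string. The event stream and addresses are constructed for the example, and the address patterns are simplified shape checks, not full checksum validation.

```python
"""Detect clipboard address substitution of the kind described for CherryBlos.
Added example; the events and addresses below are constructed, not real."""
import re
from dataclasses import dataclass

# Simplified shape patterns for common address formats (not checksum validation):
# Bitcoin legacy base58, Bitcoin bech32, and 20-byte hex (Ethereum/BSC style).
ADDRESS_PATTERNS = [
    re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    re.compile(r"^0x[0-9a-fA-F]{40}$"),
]


@dataclass
class ClipboardEvent:
    # "user_copy": text the user deliberately copied (e.g. from their wallet UI)
    # "observed":  clipboard content seen when a paste is about to happen
    source: str
    text: str


def looks_like_address(text):
    """True if the text matches one of the address shapes above."""
    return any(p.match(text.strip()) for p in ADDRESS_PATTERNS)


def detect_substitution(events):
    """Return (expected, observed) pairs where an address was swapped in the clipboard.

    An alert fires only when both the last user copy and the observed content
    look like addresses and they differ, so ordinary text edits never trigger it.
    """
    alerts = []
    last_user_copy = None
    for ev in events:
        if ev.source == "user_copy":
            last_user_copy = ev.text.strip()
        elif ev.source == "observed":
            observed = ev.text.strip()
            if (
                last_user_copy is not None
                and looks_like_address(last_user_copy)
                and looks_like_address(observed)
                and observed != last_user_copy
            ):
                alerts.append((last_user_copy, observed))
    return alerts


# Constructed clipboard timeline: the user copies their own address, the
# first paste is intact, the second has been replaced by a different address,
# and a later plain-text copy/paste is benign.
USER_ADDRESS = "0x" + "11" * 20       # constructed placeholder, not a real address
SWAPPED_ADDRESS = "0x" + "22" * 20    # constructed placeholder, not a real address
SAMPLE_EVENTS = [
    ClipboardEvent("user_copy", USER_ADDRESS),
    ClipboardEvent("observed", USER_ADDRESS),
    ClipboardEvent("observed", SWAPPED_ADDRESS),
    ClipboardEvent("user_copy", "meeting at 10"),
    ClipboardEvent("observed", "meeting at 10"),
]


if __name__ == "__main__":
    for expected, observed in detect_substitution(SAMPLE_EVENTS):
        print(f"ALERT: copied {expected} but clipboard now holds {observed}")
```

The same comparison is what the recommendation to verify addresses before sending amounts to in code: the value the user intended is recorded at copy time, and anything else appearing at paste time is treated as a substitution, whichever app rewrote the clipboard.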
Recommendations
Here below, we have mentioned all the recommendations offered by the security researchers at Trend Micro:-
- Always download apps from the Google Play store and official app stores that are trusted.
- Make sure to keep your system, software, and AV tools updated with the available security patches and updates.
- To block threats like these and other malware strains, make sure to install a robust and renowned AV solution.
- Before allowing any permissions to apps, make sure to cross-check each permission carefully.
- Do not download any unknown attachments received via email.
- Suspicious links could be dangerous, so do not click on any suspicious links.