CherryBlos malware uses OCR to scan victims photos for passwords


Over the past few years, it’s no secret that threat actors have ramped up their efforts to gain unauthorized access and steal your hard-earned money. As part of these efforts, hackers have developed two new cryptocurrency-stealing malware families, named ‘CherryBlos’ and ‘FakeTrade,’ which use optical character recognition (OCR) to scan victims’ photos for sensitive information, such as passwords.

First discovered by Trend Micro and in distribution since April 2023, the CherryBlos malware spreads through various social media networks, deceiving unsuspecting users by disguising itself as innocent AI tools or coin miners. Once installed, the malware requests permission to access crucial functionalities and then grants itself additional privileges, making it difficult for a user to stop its harmful activities.

While the malware primarily relies on common tactics, such as loading fake user interfaces that closely mimic official apps to phish for login credentials, it also uses OCR to extract valuable data from images and photos stored on the infected device. The reason is that many cryptocurrency wallets provide a recovery password in case the user forgets the main one, and users often keep a screenshot of that recovery password. OCR lets the malware search the device’s stored images for such screenshots and upload them to a remote server, putting the victim’s sensitive data at significant risk.
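The screenshot risk described above can be checked from the defender’s side. The Python below is an added example, not code from the article or from Trend Micro’s report: it scores OCR’d text taken from a gallery image for resemblance to a BIP-39 wallet recovery phrase (the 12- to 24-word mnemonic most wallets use as their recovery secret), so a gallery-hygiene or DLP tool can flag such images for deletion before any malware gets to them. The word-list path, the OCR samples and the scoring thresholds are assumptions constructed for the example.

```python
import re
from pathlib import Path
from typing import Optional

# Assumed path to the official BIP-39 English list (2048 words, one per line).
# If absent, scoring falls back to a purely structural heuristic.
BIP39_PATH = Path("bip39_english.txt")
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
# BIP-39 words are 3 to 8 lowercase letters; numbering such as "1." or "7)" is skipped.
WORD_RE = re.compile(r"\b[a-z]{3,8}\b")
# Everyday function words that are not BIP-39 words but do appear in ordinary
# screenshots (chat, receipts); their presence argues against a recovery phrase.
PROSE_GLUE = frozenset({"the", "and", "for", "are", "you", "was", "not", "but"})


def load_wordlist(path: Path = BIP39_PATH) -> Optional[frozenset]:
    """Return the BIP-39 word set if the file is present and complete, else None."""
    if not path.is_file():
        return None
    words = frozenset(w.strip() for w in path.read_text().splitlines() if w.strip())
    return words if len(words) == 2048 else None


def candidate_words(ocr_text: str) -> list:
    """Tokens an OCR engine would emit for a screenshot, normalised to lowercase."""
    return WORD_RE.findall(ocr_text.lower())


def recovery_phrase_score(ocr_text: str, wordlist: Optional[frozenset] = None) -> dict:
    """Score OCR output for resemblance to a 12/15/18/21/24-word wallet recovery phrase."""
    words = candidate_words(ocr_text)
    n = len(words)
    result = {"word_count": n, "bip39_ratio": None, "suspicious": False}
    if n not in MNEMONIC_LENGTHS:
        return result
    if wordlist is not None:
        # Genuine phrases consist only of list words; allow ~10% slack for OCR misreads.
        result["bip39_ratio"] = sum(w in wordlist for w in words) / n
        result["suspicious"] = result["bip39_ratio"] >= 0.9
    else:
        result["suspicious"] = not (PROSE_GLUE & set(words))
    return result


# Constructed OCR outputs standing in for text extracted from two gallery screenshots.
SAMPLE_PHRASE = ("1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
                 "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident")
SAMPLE_RECEIPT = "Your order has shipped and will arrive Tuesday. Thanks for shopping with us!"


def triage(samples: dict, wordlist: Optional[frozenset] = None) -> dict:
    """Map each sample name to a verdict; in practice feed it one OCR result per image."""
    return {name: recovery_phrase_score(text, wordlist)["suspicious"] for name, text in samples.items()}


if __name__ == "__main__":
    print(triage({"phrase": SAMPLE_PHRASE, "receipt": SAMPLE_RECEIPT}, load_wordlist()))
```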

In addition to the CherryBlos malware, the same threat actors were also behind the broad FakeTrade campaign, which involved a staggering 31 scam money-earning apps on the Play Store, targeting users in Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico.

Evading Play Store guidelines

While threat actors spreading malware through various channels isn’t new, the fact that one of these malicious APKs, namely Synthnet, made its way onto Google Play, masquerading as a legitimate application, raises serious concerns. Fortunately, Google swiftly intervened and removed the app before it could cause any significant harm, but the app did accumulate over a thousand downloads.

In response to threats like these, Google will require all new developer accounts registering as organizations, starting from August 31, 2023, to provide a valid D-U-N-S number assigned by Dun & Bradstreet before submitting apps. This move will not only prevent the misuse of the platform for distributing malware but also improve overall security.

2023-07-31 15:12:52