Two new families of Android malware, known as “Cherryblos” and “Faketrade”, have been discovered on Google Play. Both are used to steal cryptocurrency and to carry out fraud.
According to a report by the security company Trend Micro, “Cherryblos” and “Faketrade” spread through Google Play and other channels in order to steal account credentials and cryptocurrency and to deceive users. Both malware families use the same network infrastructure and certificates, which suggests they are operated by the same attackers.
The “Cherryblos” malware was first detected in April 2023 as an APK file distributed through platforms such as Telegram, Twitter and YouTube, disguised as a cryptocurrency mining application.
“Cherryblos” abuses Accessibility Service permissions to fetch configuration files from its C2 server and to gain additional privileges that make it harder to remove from the device. It also displays fake user interfaces that mimic official cryptocurrency applications in order to harvest users’ account credentials.
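As an added defender-side check, not code from the article or from Trend Micro’s report: a shell function that parses the value Android stores in the enabled_accessibility_services secure setting (the permission the article says “Cherryblos” abuses) and flags any service whose package is not on a local allowlist. The allowlist entries and the sample setting value are constructed.

```shell
#!/bin/sh
# Added example: flag unexpected Android accessibility services.
# Input is the value of Settings.Secure "enabled_accessibility_services",
# a colon-separated list of "package/ServiceClass" entries, as printed by
#   adb shell settings get secure enabled_accessibility_services
# ("null" is printed when nothing is enabled).

# Packages expected to hold accessibility access on a managed device.
# Assumption: maintained by the reader; these entries are constructed samples.
ALLOWLIST="com.android.talkback com.example.corp.mdm"

# flag_unknown_accessibility_services VALUE
# Prints one line per enabled service whose package is not allowlisted.
# Returns 0 when nothing unexpected is enabled, 1 otherwise.
flag_unknown_accessibility_services() {
    value="$1"
    found=0
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    # Split on ':' once, then restore the default field separator.
    old_ifs="$IFS"
    IFS=':'
    set -- $value
    IFS="$old_ifs"
    for entry in "$@"; do
        pkg="${entry%%/*}"          # package name before the '/'
        known=0
        for allowed in $ALLOWLIST; do
            [ "$pkg" = "$allowed" ] && known=1
        done
        if [ "$known" -eq 0 ]; then
            printf 'unexpected accessibility service: %s\n' "$entry"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: a legitimate screen reader plus an unknown package
# posing as a mining app, the disguise the article describes.
SAMPLE='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.fake.miner/com.fake.miner.AccessSvc'

if [ "${1:-}" = "--demo" ]; then
    flag_unknown_accessibility_services "$SAMPLE"
fi
```

Run with `--demo` to see the constructed sample flagged, or feed it the live value from `adb shell settings get secure enabled_accessibility_services`.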
The malware also makes use of Optical Character Recognition (OCR), a technology normally used to automate data entry and to make textual information searchable and analysable. OCR can recognise text in many forms, including paper documents, photographs, screenshots, video, and webcam streams.