Cybercriminals continue to come up with clever new tactics to steal your passwords and drain your banking and other financial accounts using Android malware.
As reported by BleepingComputer, two new Android malware families, CherryBlos and FakeTrade, have been identified by the cybersecurity firm Trend Micro, with apps carrying them found on the Google Play Store. These malicious apps aren’t exclusive to the Play Store, though: they are also being pushed on social media and via phishing sites as sideloadable APK files, which never pass through Google’s review.
According to a blog post, Trend Micro first observed the CherryBlos malware being distributed as an APK beginning in April of this year. The malware was promoted on Telegram, Twitter and YouTube as an AI-powered cryptocurrency mining app called SynthNet. The SynthNet app was also distributed via the Play Store but fortunately, it was only downloaded a few thousand times before it was removed by Google.
As for FakeTrade, Trend Micro’s researchers linked the two strains to the same operators: the FakeTrade apps use the same command-and-control (C&C) infrastructure and the same certificates as the malicious apps delivering CherryBlos.
Leveraging OCR to steal passwords
While malicious apps that steal passwords to drain banking and crypto accounts are nothing new, CherryBlos has a trick that had not been seen in Android malware before.
CherryBlos uses several tactics to steal passwords and crypto, the main one being fake overlays: when a victim opens a legitimate banking or crypto app, the malware draws its own login screen on top of the real one, and whatever the victim types into it (username, password) goes to the attackers instead of the app.
On top of this, CherryBlos uses optical character recognition (OCR) to steal credentials. OCR is the same technology that PDF editors and scanning apps use to turn the text in an image or photo into machine-readable text.
Here, the malware runs OCR over the images stored on the victim’s phone (which it can only do because the app has been granted access to the device’s photos), looking for screenshots of passwords and, above all, the recovery (seed) phrases for cryptocurrency wallets. You should never screenshot a password or a recovery phrase, but many people do, and a seed phrase in a screenshot is especially damaging because anyone holding those words can restore the wallet on their own device and empty it without needing a password. Any text the OCR extracts is sent back to the attackers’ C&C server.
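The part that makes OCR useful to a stealer is not the OCR itself but the filtering that follows it: a gallery full of memes and chat screenshots has to be reduced to the handful of images that contain a wallet backup. The script below is an added example written for this article, not code from the Trend Micro report or from the CherryBlos sample; it shows that filtering step, which is the same check a defender can run over their own screenshots to find images that should never have been taken. It assumes OCR has already been run (the `SAMPLE_GALLERY` strings are constructed stand-ins for OCR output) and uses a small constructed subset of the 2048-word English BIP39 list; a real scanner would load the full list.

```python
"""Scan OCR'd screenshot text for BIP39-style wallet recovery phrases.

Added example for this article; not code from Trend Micro or from the
CherryBlos malware. OCR is assumed to have been run already.
"""
import re

# Constructed subset of the 2048-word English BIP39 list, just enough to
# cover the sample text below. A real scanner loads the full list.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt add addict address adjust admit adult
advance advice aerobic affair afford afraid again age agent agree ahead
amount avoid cage doctor legal letter sausage thank useful wave winner
worth year yellow zoo wrong
""".split())

# Mnemonic lengths BIP39 allows (12 to 24 words in steps of three).
VALID_LENGTHS = (12, 15, 18, 21, 24)

# Wallet UIs number the words ("1. letter 2. advice") and OCR adds
# punctuation noise, so only alphabetic tokens are kept.
TOKEN_RE = re.compile(r"[A-Za-z]+")


def candidate_phrases(ocr_text, wordlist=BIP39_SUBSET):
    """Return maximal runs of consecutive wordlist words of 12+ words.

    Each hit is (start_token_index, words, exact), where `exact` is True
    when the run length is one BIP39 permits. Ordinary prose almost never
    strings 12 wordlist words together, so long runs are a strong signal.
    """
    tokens = [t.lower() for t in TOKEN_RE.findall(ocr_text)]
    hits, run, start = [], [], 0
    for i, tok in enumerate(tokens + [None]):  # None sentinel flushes the last run
        if tok is not None and tok in wordlist:
            if not run:
                start = i
            run.append(tok)
            continue
        if len(run) >= 12:
            hits.append((start, run, len(run) in VALID_LENGTHS))
        run = []
    return hits


def scan_gallery(gallery, wordlist=BIP39_SUBSET):
    """Map image name -> [(phrase, exact), ...] for images with candidates."""
    findings = {}
    for name, text in gallery.items():
        hits = candidate_phrases(text, wordlist)
        if hits:
            findings[name] = [(" ".join(words), exact) for _, words, exact in hits]
    return findings


# Constructed OCR output for three screenshots: a wallet backup screen,
# an ordinary chat, and a photo of a phrase written in plain text.
SAMPLE_GALLERY = {
    "Screenshot_20230501-091233.png": (
        "Backup your wallet\n"
        "Write down these 12 words in order\n"
        "1. letter   2. advice   3. cage      4. absurd\n"
        "5. amount   6. doctor   7. acoustic  8. avoid\n"
        "9. letter  10. advice  11. cage     12. above\n"
        "I have written it down  [Continue]"
    ),
    "Screenshot_20230502-183007.png": (
        "Mom: are you able to come for dinner on sunday?\n"
        "Me: yes, I will add it to my calendar, thank you"
    ),
    "IMG_0042.jpg": (
        "legal winner thank year wave sausage worth useful legal winner thank yellow"
    ),
}


if __name__ == "__main__":
    for name, phrases in scan_gallery(SAMPLE_GALLERY).items():
        for phrase, exact in phrases:
            kind = "mnemonic" if exact else "near-miss"
            print(f"{name}: {kind} -> {phrase}")
```

Two of the three constructed images are flagged; the chat is not, because its BIP39 words (able, add, thank) never occur twelve in a row. The script also shows the technique's limit: a single OCR misread such as `d0ctor` splits the run into two short pieces and the phrase is missed, so a thorough scanner (attacker's or defender's) would add fuzzy matching against the wordlist and verify the BIP39 checksum on each candidate window rather than relying on run length alone.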
FakeTrade connection
Besides shedding light on the CherryBlos malware, Trend Micro has also provided insights on another campaign, which uses 31 scam apps to distribute the FakeTrade malware.
These scam apps use shopping themes or money-making lures to trick users into watching ads, signing up for premium subscriptions or topping up their in-app wallets. Users are never actually allowed to cash out their virtual rewards.
According to Google, these scam apps have all been removed from the Play Store, but some were also distributed as APK files that had to be sideloaded, and removal from the store does not uninstall an app that is already on your phone. If you have any of them installed, you need to remove them manually. Here are the names of the scam apps distributing the FakeTrade malware (28 of the 31 are listed by name):
- Ama
- BBShop
- Canyon
- Compass
- Domo
- Envoy
- Fiar
- FIRETOSS
- Gobuy
- Godo
- Goshop
- Huge
- Koofire
- Leefire
- Moshop
- NTBuy
- OneFire
- Papaya
- Pudding
- Saya
- Sengre
- Smartz
- Tango
- Timeshop
- Tinuiti
- Upwork
- WebFX
- Youtech
A few of these apps, such as Upwork and WebFX, impersonate real businesses; the genuine companies have nothing to do with the malware, but an app by that name from this campaign is still malicious. To be on the safe side, remove all of them from your smartphone right now.
How to protect your passwords and stay safe from Android malware
Instead of taking screenshots of your passwords, use one of the best password managers to store them securely in one place; you then only have to remember the master password to the manager itself. Wallet recovery phrases are a special case: keep them offline, never in a photo, note or file on the phone, because anyone who obtains the words can restore the wallet without any password at all.
As for Android malware, installing one of the best Android antivirus apps can help keep you safe, as they scan both your existing apps and any new ones you download for malware. Google Play Protect, which comes pre-installed on most Android phones, does the same job (including for sideloaded apps), but paid Android antivirus apps often bundle extras like a VPN or a password manager. Since both CherryBlos and FakeTrade were also spread as APK files, be wary of any app that asks you to sideload it from a social media post or website, and of any app that requests access to your photos or accessibility services without a clear reason.
Now that we’ve seen the CherryBlos malware utilize OCR to steal passwords from infected phones, I wouldn’t be surprised if other hackers added this same functionality to their own malware in the future. This is why you shouldn’t screenshot anything you don’t want to end up in the hands of hackers.