New Android Malware Families Discovered on Google Play
Two new families of Android malware, CherryBlos and FakeTrade, have been discovered on Google Play, targeting users’ cryptocurrency and engaging in fraud. According to a report by cybersecurity company Trend Micro, these malicious apps are distributed through Google Play and other channels to steal credentials, cryptocurrency, and deceive users. Both malware families use the same network infrastructure and certificates, indicating they are operated by the same group of attackers.
CherryBlos Malware
CherryBlos was first detected in April 2023 as an APK file distributed via Telegram, Twitter, and YouTube, disguised as an AI tool or cryptocurrency miner. CherryBlos abuses Accessibility Service permissions to fetch configuration files from its command-and-control (C2) server and to grant itself additional privileges, making it harder to remove from the device.
This malware uses fake user interfaces that mimic official cryptocurrency apps to collect user credentials. Additionally, CherryBlos employs Optical Character Recognition (OCR) to extract text from screenshots and photos stored on the device, specifically targeting wallet recovery phrases that users may have photographed and saved in their gallery.
CherryBlos also acts as a clipboard hijacker (clipper) for the Binance app, silently replacing the recipient’s cryptocurrency address with the attacker’s address at the moment of transfer, while the user still sees the address they originally entered, making the theft harder to detect.
FakeTrade Malware
FakeTrade consists of 31 fraudulent apps themed around shopping or money-making schemes. These apps force users to watch ads, agree to Premium subscriptions, or make in-app purchases, but do not allow users to cash out their virtual rewards.
The apps primarily target users in Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico, and were uploaded to Google Play between 2021 and 2022. Although Google has removed these malicious apps from Google Play, thousands of users had already downloaded them and may need to manually clean their devices.
Stay Safe
- Be cautious when downloading apps, even from official stores like Google Play.
- Check app reviews and developer information before installing.
- Regularly update your device and security software.
- If you suspect your device is infected, consider performing a manual cleanup or factory reset.