Android malware steals user credentials using optical character recognition


Security researchers have unearthed a rare malware find: malicious Android apps that use optical character recognition to steal credentials displayed on phone screens.

The malware, dubbed CherryBlos by researchers from security firm Trend Micro, has been embedded into at least four Android apps available outside of Google Play, specifically on sites promoting money-making scams. One of the apps was available for close to a month on Google Play but didn’t contain the malicious CherryBlos payload. The researchers also discovered suspicious apps on Google Play that were created by the same developers, but they also didn’t contain the payload.

Advanced techniques

The apps took great care to conceal their malicious functionality. They used a paid version of a commercial packer known as Jiagubao to encrypt code and code strings, hindering the analysis that would otherwise detect such functionality. They also featured techniques to ensure the app remained active on phones where it was installed. When users opened legitimate apps for Binance and other cryptocurrency services, CherryBlos overlaid windows that mimicked those of the legitimate apps. During withdrawals, CherryBlos replaced the wallet address the victim selected to receive the funds with an address controlled by the attacker.

The most interesting aspect of the malware is its rare, if not novel, feature that allows it to capture mnemonic passphrases used to gain access to an account. When the legitimate apps display passphrases on phone screens, the malware first takes an image of the screen and then uses OCR to translate the image into a text format that can be used to raid the account.

“Once granted, CherryBlos will perform the following two tasks: 1. Read pictures from the external storage and use OCR to extract text from these pictures [and] 2. Upload the OCR results to the C&C server at regular intervals,” the researchers wrote.

Most banking and finance apps use a setting that prevents screenshots from being taken during sensitive transactions. CherryBlos appears to bypass such restrictions by obtaining Android accessibility permissions, which are intended for people with vision impairments or other types of disabilities.

Searches for previous instances of malware that uses OCR came up empty, suggesting the practice isn’t common. Trend Micro representatives didn’t respond to an email asking if there are other examples.


The research is only the latest to illustrate the threat of malicious apps. There’s no silver bullet for avoiding these threats, but a few smart practices can go a long way toward that goal. Among them:

  • Don’t download apps from third-party sites and sideload them unless you know what you’re doing and trust the party controlling the site.
  • Read reviews of apps before installing them. Be especially careful to look for reviews that claim the apps are malicious.
  • Carefully review permissions required by the app, with a particular eye for apps that seek accessibility permissions.
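Since the malware's screen capture depends on holding Android accessibility permissions (as described above) and the advice is to review exactly those permissions, a small triage script helps. This is an added example, not code from the article or from Trend Micro; it parses the value returned by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of service component names), and the sample value, the package names and the allowlist are constructed.

```shell
#!/bin/sh
# Added example: flag enabled Android accessibility services whose package is
# not one the device owner knowingly enabled. On a real device, obtain the
# input with:  adb shell settings get secure enabled_accessibility_services
# The value below is constructed; "com.example.miner" is a made-up package.
SAMPLE_ENABLED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.miner/.CaptureService'

# Packages the owner deliberately granted accessibility access (assumption).
ALLOWED='com.android.talkback'

# flag_unexpected_services <colon-separated component list> <space-separated allowlist>
# Prints one package name per line for every enabled service not on the
# allowlist. Exit status 0 = nothing flagged, 1 = at least one flagged.
flag_unexpected_services() {
    list="$1"; allow="$2"; found=0
    # `settings get` prints the literal string "null" when nothing is enabled.
    [ "$list" = "null" ] && list=''
    old_ifs=$IFS; IFS=':'
    set -- $list            # split components on ':' only
    IFS=$old_ifs
    for component in "$@"; do
        [ -n "$component" ] || continue
        pkg=${component%%/*}    # "pkg/ServiceClass" -> "pkg"
        allowed=0
        for a in $allow; do
            [ "$a" = "$pkg" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$pkg"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

if flag_unexpected_services "$SAMPLE_ENABLED" "$ALLOWED"; then
    echo "no unexpected accessibility services enabled"
else
    echo "review the packages listed above; revoke access if unrecognised"
fi
```

Any package that is flagged can be inspected further with `adb shell dumpsys package <pkg>` before deciding whether to disable the service or uninstall the app.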

“The threat actor behind these campaigns employed advanced techniques to evade detection, such as software packing, obfuscation, and abusing Android’s Accessibility Service,” the researchers wrote. “These campaigns have targeted a global audience and continue to pose a significant risk to users, as evidenced by the ongoing presence of malicious apps on Google Play.”
