Alert: Android Malware Threat Can Extract Passwords and Data via Images

Cybersecurity researchers from Trend Micro have discovered two malware variants for Android devices, called CherryBlos and FakeTrade. Both malware families were attributed to the same threat actor, as they shared the same network infrastructure and signing certificates. One of these malware variants even made its way onto Google Play, the official app repository for Android.

The malicious apps were distributed through various channels, including social media platforms and phishing websites. They were promoted as AI tools or cryptocurrency miners on Telegram, Twitter, and YouTube. Some of the apps had innocent-sounding names like GPTalk, Happy Miner, or Robot999. The researchers urge users to immediately remove these apps from their devices if they have any of them installed.

The goal of the malware was to steal valuable data from compromised devices, including cryptocurrencies stored in mobile wallet apps. The malware used several methods to achieve this. One method involved overlaying legitimate crypto apps with fake user interfaces to capture users’ credentials. Another was to hijack the clipboard and replace copied wallet addresses with addresses belonging to the attackers, so that victims unknowingly sent their funds to the attackers.
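The clipboard-swapping technique above has a simple detection signature: the text a user copied and the text that later comes back from the clipboard differ, and both look like wallet addresses of the same kind. The following is an added example (not code from the article or from Trend Micro) that implements that heuristic as a guard a wallet app or monitoring tool could run; the event feed, the `ClipboardGuard` class and the address patterns are assumptions of the example, and the sample addresses are constructed.

```python
"""Heuristic detector for clipboard address swapping (added example).

Assumption: the host application reports a ("copy", text) event whenever the
user copies text and a ("paste", text) event with whatever is actually read
back from the clipboard. A value that changes between those two events, where
old and new both parse as wallet addresses, is the hallmark of this attack.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Loose format checks for common address families (constructed, not exhaustive;
# they catch the shape of an address, not its checksum validity).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family a string resembles, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class Alert:
    kind: str      # what was detected
    copied: str    # what the user actually copied
    pasted: str    # what came back from the clipboard


class ClipboardGuard:
    """Tracks the last user-initiated copy and checks later pastes against it."""

    def __init__(self) -> None:
        self.last_copied: Optional[str] = None

    def on_copy(self, text: str) -> None:
        self.last_copied = text

    def on_paste(self, text: str) -> Optional[Alert]:
        """Return an Alert if the pasted text is not what the user copied."""
        if self.last_copied is None or text == self.last_copied:
            return None
        src = classify_address(self.last_copied)
        dst = classify_address(text)
        if src and dst:
            # Same family is the classic swap; a cross-family rewrite is still suspicious.
            kind = "address_swap_same_chain" if src == dst else "address_swap_cross_chain"
            return Alert(kind, self.last_copied, text)
        return Alert("clipboard_changed", self.last_copied, text)


def scan_events(events: List[Tuple[str, str]]) -> List[Alert]:
    """Replay a sequence of copy/paste events and collect alerts."""
    guard = ClipboardGuard()
    alerts: List[Alert] = []
    for kind, text in events:
        if kind == "copy":
            guard.on_copy(text)
        elif kind == "paste":
            alert = guard.on_paste(text)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample feed: a benign copy/paste, then a silent rewrite of an
# Ethereum-style address between the copy and the paste.
USER_ADDRESS = "0x" + "ab" * 20
ATTACKER_ADDRESS = "0x" + "cd" * 20
SAMPLE_EVENTS = [
    ("copy", "meeting notes"),
    ("paste", "meeting notes"),
    ("copy", USER_ADDRESS),
    ("paste", ATTACKER_ADDRESS),
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert.kind}: copied {alert.copied} but pasted {alert.pasted}")
```

In a real wallet app the same comparison belongs at the moment of confirming a transaction: show the user the address they originally copied alongside the one in the send field and refuse to proceed silently when they differ.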

The malware also used optical character recognition (OCR) to scan the photo gallery for images containing text and extract the data from them. While the researchers did not find any specific regional targeting, most victims were located in countries such as Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico.

To protect themselves from such threats, users are advised to be cautious when installing apps, especially from unofficial sources, and to keep their devices updated with the latest security patches.