The first is CherryBlos, which is spread through promotion on social media that directs users to phishing websites where they download malicious apps. It is capable of stealing crypto credentials and swapping the destination address used during the withdrawal process.
The malware uses a commercial packer with advanced protection capabilities, Jiagubao, to avoid detection. It prompts users to grant accessibility permissions and uses anti-kill techniques such as asking to ignore battery optimization so it is not stopped in the background. It also sends the user back to the home screen whenever they open the app's settings, presumably to prevent uninstallation.
| Label | Phishing domain |
|---|---|
| GPTalk | chatgptc[.]io |
| Happy Miner | happyminer[.]com |
| Robot 999 | robot999[.]net |
| SynthNet | synthnet[.]ai |
The mode of attack is that a fake interface is displayed over an official app when the user launches it, in order to steal credentials. When the victim makes a withdrawal, the amount is redirected to the attacker-controlled address. The malware also uses OCR to identify potential mnemonic phrases. An app called SynthNet made by the same developer was found on Google Play, but it didn't contain the malware.
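The four phishing domains in the table are the only indicators the article gives, so a defender's first use of them is a lookup against DNS logs. The script below is an added example and not part of the original article: it refangs the defanged domains, matches exact hosts and subdomains (but not look-alike domains that merely end with the same string), and runs over a few constructed log lines in an assumed `<timestamp> <client-ip> query <qname>` format.

```python
import re

# Phishing domains from the CherryBlos table above, kept defanged as the
# article prints them; refanged only inside this script for matching.
CHERRYBLOS_DOMAINS_DEFANGED = {
    "GPTalk": "chatgptc[.]io",
    "Happy Miner": "happyminer[.]com",
    "Robot 999": "robot999[.]net",
    "SynthNet": "synthnet[.]ai",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a real hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")

def matches_indicator(hostname: str, indicator: str) -> bool:
    """True if hostname equals the indicator or is a subdomain of it."""
    h = hostname.lower().strip(".")
    return h == indicator or h.endswith("." + indicator)

# Hostname extraction for an assumed, constructed log format:
# '<timestamp> <client-ip> query <qname>' (not any specific product's format).
_QUERY_RE = re.compile(r"\bquery\s+([A-Za-z0-9.-]+)")

def find_phishing_lookups(log_lines, indicators=CHERRYBLOS_DOMAINS_DEFANGED):
    """Return (label, queried hostname, line) for every lookup that hits an indicator."""
    refanged = {label: refang(d) for label, d in indicators.items()}
    hits = []
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group(1)
        for label, domain in refanged.items():
            if matches_indicator(qname, domain):
                hits.append((label, qname.lower().strip("."), line))
    return hits

# Constructed sample DNS log lines (not real traffic).
SAMPLE_LOG = [
    "2023-07-28T10:01:02Z 10.0.0.5 query www.google.com",
    "2023-07-28T10:01:09Z 10.0.0.5 query chatgptc.io",
    "2023-07-28T10:02:41Z 10.0.0.9 query cdn.synthnet.ai.",
    "2023-07-28T10:03:00Z 10.0.0.9 query notrobot999.net",
]

if __name__ == "__main__":
    for label, host, line in find_phishing_lookups(SAMPLE_LOG):
        print(f"[{label}] {host} <- {line}")
```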
The other apps belong to the FakeTrade campaign. They bait victims into downloading supposed money-earning apps that claim to increase income through referrals and top-ups, but prevent users from withdrawing their money when they try to do so.
Victims are unable to withdraw money after topping up their accounts
CherryBlos has been found to have a connection to these apps and they were available in different Google Play regions such as Indonesia, Malaysia, Mexico, Philippines, Uganda, and Vietnam but have now been deleted. Here are their names:
- AMA
- BBShop
- Canyon
- Domo
- Envoy
- Fair
- FIRETOSS
- Gobuy
- GoDo
- Goshop
- Huge
- Koofire
- Leefire
- Moshop
- NtBuy
- Onefire
- Papaya
- Saya
- Smartz
- Upwork
- WebFx
- Youtech
If you made the mistake of downloading any of these apps on your phone, delete them immediately. In the future, only download apps from trusted sources, and check the reviews to ensure there are no red flags.