Using OCR, new Android spyware steals login information from photos.(2ndAugust 2023)

Ref# AL2023_60 | Date: Aug 2nd 2023


On Google Play, two new Android malware families called “CherryBlos” and “FakeTrade” were identified, with the intent of stealing cryptocurrency credentials and funds or conducting frauds. Malicious apps are distributed through a variety of means, including social media, phishing websites, and deceptive shopping apps on Google Play, Android”s official app store.


CherryBlos campaign:

CherryBlos is a bitcoin stealer that utilizes accessibility service permissions to request two configuration files from its C2 server, authorize more rights automatically, and prevent the user from terminating the trojanized app.  CherryBlos employs a variety of methods to steal bitcoin passwords and assets, the most common of which is to load phony user interfaces that look like real programs in order to phish for credentials. However, a more fascinating feature that employs OCR (optical character recognition) to extract text from photographs and photos stored on the device can be enabled.

The malware also functions as a clipboard hijacker for the Binance app, instantly replacing a crypto recipient”s address with one controlled by the attacker while the original address appears intact to the user. This practice enables threat actors to divert payments given to users to their own wallets, thereby stealing the amounts transferred.

FakeTrade campaign:

This links to a Google Play campaign where 31 fraudulent applications collectively known as “FakeTrade” were utilizing the identical C2 network infrastructures and certificates as the CherryBlos applications. These apps entice users with tempting shopping themes or money-making lures to view advertisements, accept premium subscriptions, or top off their in-app wallets without ever letting them withdraw their virtual winnings.


According to Google, the allegedly malicious apps have been taken down from Google Play.

As stated by Google, “We take security and privacy claims against apps seriously, and if we find that an app has broken our rules, we take appropriate action. “Nevertheless, because so many people have already downloaded them, manual cleanups may be necessary on infected devices.

Researching software by reading the terms and user/expert evaluations, confirming the essential rights, and confirming the legitimacy of the creator is strongly advised. Additionally, only approved and reliable sites may be used for downloading.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Using OCR, new Android spyware steals login information from photos.pdf