A new malware has been spotted that uses a unique technique to steal user credentials through optical character recognition (OCR). In other words, the malware is able to "see" the characters the user is typing in order to obtain passwords, logins, and account access.
Malware Spotted Using a Unique Technique to Steal Information from Users and Get Access to Certain Apps
According to Ars Technica, the malware was discovered by the security firm Trend Micro and is called CherryBlos. So far, it has been found embedded in at least four Android apps that were reportedly distributed outside Google Play.
The malware was found on sites promoting money-making scams. It was also noted that one of the apps was available on Google Play for close to a month, but that version did not include the malicious CherryBlos code.
The researchers additionally discovered suspicious apps on Google Play created by the same developer. However, these apps did not appear to carry the same malicious payload.
List of Malicious Apps Released with Researchers Discovering How the Malware Hid Its Functionality
Trend Micro released a list of the malicious apps and noted that the developers went to considerable lengths to conceal the malicious functionality. They reportedly used a paid version of Jiagubao, a commercial software product, to encrypt the code and its strings, making the functionality harder to uncover during analysis.
The developers also reportedly built in techniques to ensure that the app would remain active on the user's phone once installed. Whenever users open a legitimate app for crypto services such as Binance, CherryBlos overlays its own windows on top of it and mimics the legitimate app.
How the CherryBlos Malware Functions Upon Withdrawal Including Encrypting Wallet Address
Upon withdrawal, CherryBlos then encrypts the wallet address, resulting in the victim sending the funds to a different address that the attacker controls. What makes the malware more interesting is its rare, if not novel, ability to capture mnemonic passphrases in order to gain account access.
When a legitimate app displays a passphrase on the screen, the malware captures an image of the screen, uses OCR to convert the image into text, and then uses that text to raid the user's account.
CherryBlos Bypasses Screenshot Restrictions by Using Accessibility Permissions
The researchers noted that most banking and finance apps use a setting that prevents screenshots from being taken while users are processing sensitive transactions. However, CherryBlos appears to be capable of bypassing this restriction.
CherryBlos reportedly bypasses it by obtaining accessibility permissions, which are intended for people with visual impairments or other disabilities. A search for previous instances of malware using OCR came back empty, suggesting that the technique is not yet a common practice.
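As an added illustration of the defender's side of the two mechanisms described above (this is example code, not code from the article or from Trend Micro), the following Android snippet shows a wallet screen that enables the screenshot-blocking window flag before showing a recovery phrase and, because the article notes that a service holding accessibility permissions can still capture what is shown, first lists the accessibility services that are currently enabled and refuses to render the phrase if any of them belongs to a package outside an allow-list. The `SeedPhraseActivity` name, the layout resource and the allow-list contents are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import android.widget.Toast;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical wallet screen that displays the mnemonic recovery phrase (assumed name).
public class SeedPhraseActivity extends Activity {

    // Assumed allow-list: accessibility services the app is willing to trust, here only
    // the platform screen reader (TalkBack). Everything else triggers a refusal.
    private static final Set<String> TRUSTED_A11Y_PACKAGES =
            new HashSet<>(Arrays.asList("com.google.android.marvin.talkback"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE blocks ordinary screenshots and screen recording of this window;
        // this is the "setting" banking apps use that the article refers to.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        List<String> untrusted = untrustedAccessibilityServices(this);
        if (!untrusted.isEmpty()) {
            // Do not render the phrase at all; tell the user which services are enabled so
            // they can review them under Settings > Accessibility before retrying.
            Toast.makeText(this, "Disable these accessibility services before viewing "
                    + "your recovery phrase: " + untrusted, Toast.LENGTH_LONG).show();
            finish();
            return;
        }
        setContentView(R.layout.seed_phrase);  // assumed layout that shows the phrase
    }

    // Returns the package names of enabled accessibility services not on the allow-list.
    static List<String> untrustedAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> result = new ArrayList<>();
        if (am == null) return result;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED_A11Y_PACKAGES.contains(pkg)) result.add(pkg);
        }
        return result;
    }
}
```

The check is a user-facing safeguard rather than a guarantee: it cannot stop an already-enabled service from observing other screens, so it belongs alongside, not instead of, the window flag and the app's other transaction protections.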