New Android Trojan Uses OCR To Extract Login Credentials

Two nasty Android Trojans were up to mischief in the Google Play Store: hidden in various apps, the Android malware collected login data by searching photos using OCR software and thus stole the data.

Security researchers uncovered the scam

Two groups of Trojans, named “CherryBlos” and “FakeTrade”, were discovered by Trend Micro’s Mobile Application Reputation Service (MARS) team. These two related Android malware families target crypto mining and other financially motivated scam campaigns.

Android users were specifically targeted and the apps that brought the Trojans were advertised on social networks and forums. It is said to have often been about shopping apps.

According to Google, the reported malware apps have been removed from the Google Play Store. It is said to have been more than 30 manipulated apps.

Google deletes apps

“We take claims about app security and privacy very seriously, and when we find that an app violates our policies, we take appropriate action,” Google told online magazine BleepingComputer.

Lockmit OFF

The CherryBlos malware was distributed in the form of an APK file (Android package) via Telegram, Twitter, and YouTube back in April 2023 under the guise of AI tools and coin miners.

A malicious app was uploaded through the Google Play Store, where it was quickly downloaded thousands of times before being reported and removed. According to Trend Micro, the only goal of the Trojans was to steal login credentials – primarily for crypto wallets.

Therefore, high financial damage could have occurred. However, as is so often the case with such fraud campaigns, there are no reliable findings. Both malware strains appear to use the same network infrastructure and certificates, suggesting that they were developed by the same threat actors.

Leave a Reply