Android malware steals user credentials using optical character recognition

OCR isn't the only advanced technique used by "CherryBlos" apps.


Security researchers have unearthed a rare malware find: malicious Android apps that use optical character recognition to steal credentials displayed on phone screens.

The malware, dubbed CherryBlos by researchers from security firm Trend Micro, has been embedded into at least four Android apps available outside of Google Play, specifically on sites promoting money-making scams. One of the apps was available for close to a month on Google Play but didn’t contain the malicious CherryBlos payload. The researchers also discovered suspicious apps on Google Play that were created by the same developers, but they also didn’t contain the payload.

Advanced techniques

The apps took great care to conceal their malicious functionality. They used a paid version of commercial software known as Jiagubao to encrypt code and code strings to prevent analysis that can detect such functionality. They also featured techniques to ensure the app remained active on phones that had installed it. When users opened legitimate apps for Binance and other cryptocurrency services, CherryBlos overlaid windows that mimicked those of the legitimate apps. During withdrawals, CherryBlos replaced the wallet address the victim selected to receive the funds with an address controlled by the attacker.

The most interesting aspect of the malware is its rare, if not novel, feature that allows it to capture mnemonic passphrases used to gain access to an account. When the legitimate apps display passphrases on phone screens, the malware first takes an image of the screen and then uses OCR to translate the image into a text format that can be used to raid the account.

“Once granted, CherryBlos will perform the following two tasks: 1. Read pictures from the external storage and use OCR to extract text from these pictures [and] 2. Upload the OCR results to the C&C server at regular intervals,” the researchers wrote.

Most apps related to banking and finance use a setting that prevents the taking of screenshots during sensitive transactions. CherryBlos appears to bypass such restrictions by obtaining accessibility permissions used by people with vision impairments or other types of disabilities.

Searches for previous instances of malware that uses OCR came up empty, suggesting the practice isn’t common. Trend Micro representatives didn’t respond to an email asking if there are other examples.

CherryBlos was embedded into the following apps available from these websites:

Label         Package name             Phishing domain
GPTalk        com.gptalk.wallet        chatgptc[.]io
Happy Miner                            happyminer[.]com
Robot 999     com.example.walljsdemo   robot999[.]net
SynthNet      com.miner.synthnet       synthnet[.]ai

“Like most modern banking trojans, CherryBlos requires accessibility permissions to work,” the researchers wrote. “When the user opens the app, it will display a popup dialogue window prompting users to enable accessibility permissions. An official website will also be displayed via WebView to avoid suspicion from the victim.”

Once the malicious app obtains the permissions, it uses them not only to capture images of sensitive information displayed on screens, but also to perform other nefarious activities. They include defense evasion techniques such as (1) automatically approving permission requests by auto-clicking the “allow” button when a system dialogue appears and (2) returning users to the home screen when they enter the app settings, possibly as an anti-uninstall or anti-kill contingency.

The malicious apps also use accessibility permissions to monitor when a legitimate wallet app launches. When detected, it then uses them to launch predefined fake activities. The goal is to induce victims to fill in their credentials.

The researchers found dozens of additional apps, most of which were hosted on Google Play, that used the same digital certificate or attacker infrastructure as the four CherryBlos apps. While the 31 apps didn’t contain the malicious payload, the researchers flagged them nonetheless.

“Although these apps appear to have complete functionality on the surface, we still found them exhibiting some abnormal behavior,” they wrote. “Specifically, all the apps are highly similar, with the only difference being the language applied to the user interface since they are derived from the same app template. We also found that the description of the apps on Google Play are also the same.”

The researchers said that Google has removed all such apps that were available on Play. A list of those apps is available here.

The research is only the latest to illustrate the threat of malicious apps. There’s no silver bullet for avoiding these threats, but a few smart practices can go a long way toward that goal. Among them:

  • Don’t download apps from third-party sites and sideload them unless you know what you’re doing and trust the party controlling the site.
  • Read reviews of apps before installing them. Be especially careful to look for reviews that claim the apps are malicious.
  • Carefully review permissions required by the app, with a particular eye for apps that seek accessibility permissions.
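The last point can be partly automated. The following is an added example (not code from the article or from Trend Micro) that triages a decoded AndroidManifest.xml for the capability combination the article describes: an accessibility service, overlay drawing, and reading images from shared storage. The manifest below is a constructed sample, and the "wallet_overlay_pattern" verdict is this example's own heuristic, not a vendor signature.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = lambda name: f"{{{ANDROID_NS}}}{name}"  # qualify an android:* attribute

# Constructed sample of a decoded manifest; it is not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Sample Wallet">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
IMAGE_READ = {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.READ_MEDIA_IMAGES"}

def triage_manifest(xml_text):
    """Return the package name, a list of findings, and a verdict string."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A("name")) for e in root.iter("uses-permission")}
    findings = []
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service:
    # it can observe the foreground app and act on system dialogs.
    if any(s.get(A("permission")) == ACCESSIBILITY_BIND for s in root.iter("service")):
        findings.append("accessibility_service")
    # SYSTEM_ALERT_WINDOW lets the app draw windows on top of other apps.
    if OVERLAY in perms:
        findings.append("overlay_permission")
    # Either storage permission lets the app read saved screenshots.
    if perms & IMAGE_READ:
        findings.append("reads_shared_images")
    # Heuristic: all three together is the pattern described for CherryBlos.
    verdict = "wallet_overlay_pattern" if len(findings) == 3 else "review_manually"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against the output of a manifest decoder such as apktool; a legitimate screen reader will also trip the accessibility check, so the verdict is a triage cue, not a conviction.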

“The threat actor behind these campaigns employed advanced techniques to evade detection, such as software packing, obfuscation, and abusing Android’s Accessibility Service,” the researchers wrote. “These campaigns have targeted a global audience and continue to pose a significant risk to users, as evidenced by the ongoing presence of malicious apps on Google Play.”
