Thursday, May 8, 2025
HomeCyber Security NewsNew Android Malware Uses Optical Character Recognition to Steal Login Credentials

New Android Malware Uses Optical Character Recognition to Steal Login Credentials

Published on

SIEM as a Service

Follow Us on Google News

A new Android malware strain uses OCR (Optical Character Recognition) techniques to extract sensitive data from pictures.

This new Android malware strain is dubbed “CherryBlos,” and along with this malware strain, another malware was also discovered that is dubbed “FakeTrade.”

Cybersecurity researchers at Trend Micro discovered the new malware strains with shared network infrastructure and certificates, hinting at the involvement of identical threat actors.

- Advertisement - Google News

Apart from this, these malicious apps employ multiple channels for distribution, and here below we have mentioned them:-

Android Malware Use OCR

In April 2023, CherryBlos malware emerged as an APK file that was found to be promoted on Telegram, Twitter, and YouTube as:-

All the malicious APK files were downloaded from domain-matching websites. Here below, we have mentioned the malicious APK file names and matching domains:-

APK files:

  • GPTalk
  • Happy Miner
  • Robot999
  • SynthNet

Matching domain names:

  • chatgptc[.]io
  • happyminer[.]com
  • robot999[.]net
  • synthnet[.]ai

Moreover, the SynthNet app, a malicious version, was downloaded around 1,000 times on Google Play before being reported and removed.

Synthnet App (Source – Trend Micro)

CherryBlos malware targets crypto wallet credentials and alters withdrawal addresses since it’s mainly designed to steal cryptocurrency wallet-related information.

The CherryBlos exploits accessibility service permissions to:-

  • Fetch config files
  • Auto-approve permissions
  • Block app termination

Besides stealing cryptocurrency-related data, CherryBlos also has an extraordinary feature that enables OCR for text extraction from images on the device.

Code to perform OCR on images (Source – Trend Micro)

When EnableImage is true in the config, CherryBlos reads media files, applying OCR for potential mnemonic recognition.

Despite the risk, people save recovery phrase photos on devices, enable malware extracts, and send data to threat actors.

Moreover, the malware also hijacks the Binance app clipboard, then alters the recipient address with the attacker’s, as this enables attackers to initiate illicit fund transfers stealthily.

Recommendations

Here below, we have mentioned all the recommendations offered by the security researchers at Trend Micro:-

  • Always download apps from the Google Play store and official app stores that are trusted. 
  • Make sure to keep your system, software, and AV tools updated with the available security patches and updates.
  • To block threats like these and other malware strains, make sure to install a robust and renowned AV solution.
  • Before allowing any permissions to apps, make sure to cross-check each permissions carefully.
  • Do not download any unknown attachments received via email.
  • Suspicious links could be dangerous, so, do not click on any suspicious links.

Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

ESET Reveals How to Spot Fake Calls Demanding Payment for ‘Missed Jury Duty’

ESET, a leading cybersecurity firm, has shed light on one particularly insidious scheme: fake...

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering"...

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco...

New Attack Exploits X/Twitter Ad URL Feature to Deceive Users

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

ESET Reveals How to Spot Fake Calls Demanding Payment for ‘Missed Jury Duty’

ESET, a leading cybersecurity firm, has shed light on one particularly insidious scheme: fake...

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering"...

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco...