What’s the deal with CherryBlos?
CherryBlos is a rather interesting family of Android malware that can plunder your cryptocurrency accounts – with a little help from your photos.
Wait. I’ve heard of hackers stealing photos before, but what do you mean by malware stealing cryptocurrency via my photos? How does it do that?
Well, imagine you have sensitive information – such as details related to your cryptocurrency wallet – in your Android phone’s photo gallery.
Hang on. Why would I have photos related to my cryptocurrency wallet stored on my smartphone?
Good question! It doesn’t sound entirely sensible, does it? Much better to store sensitive information in a password manager’s vault, but I guess it takes all sorts…
Anyway, the point is that you might be storing sensitive information in your digital photo album. For instance, owners of cryptocurrency wallets might take screenshots of their wallet’s account recovery phrases – crucial information if you ever lose access to a wallet, for instance because a password has been forgotten.
Whatever the sensitive information, the CherryBlos malware can lift it out of the pictures using optical character recognition (OCR).
Fair enough. So, how do criminals go about spreading CherryBlos?
The researchers at Trend Micro say they have seen malicious Android apps that contain the CherryBlos malware.
Which apps?
Well, the cybercriminals behind CherryBlos appear to have disguised the malware as a cryptocurrency-mining app called SynthNet. In fact, they even succeeded in getting a version of the SynthNet app admitted into the Google Play store.
Other disguises have included apps called GPTalk, Happy Miner, and Robot 999.
The apps are then promoted on Telegram and TikTok to unsuspecting cryptocurrency investors.
Of course, in future attacks they could always use other disguises to camouflage their intentions – and even if they struggle to get a poisoned app into the Google Play store again, they could use social engineering to trick unwary Android users into downloading it from third-party sites.
What else can CherryBlos do?
Aside from grabbing sensitive wallet credentials, CherryBlos can also overlay fake user interfaces on top of legitimate cryptocurrency apps. In this way it can hide the fact that, for instance, a cryptocurrency withdrawal is going into an account under the hackers’ control rather than one owned by the victim.
I have to ask. Why is it called CherryBlos?
Trend Micro’s researchers say it is named after a unique string that they found in its hijacking framework.
Oh. I was hoping for something rather more poetic, perhaps related to the cherry blossoms that bloom in Japan each year.
Sorry.
Is there any way that organisations can have better control over what their users install on their Android phones?
It sounds like you’re interested in a mobile device management solution. There are a number of solutions out there that enable IT teams to control and enforce policies on smartphones.
And if I’m not a company? If I’m just a single user who wants to avoid installing malicious apps?
As well as considering running anti-virus software, I would recommend avoiding installing apps from untrusted sources. The Google Play app store isn’t perfect, but it does at least attempt to vet what is allowed in.
Avoid cracks and pirated versions of apps, and don’t click on unsolicited links. If something sounds too good to be true, it probably is.
Furthermore, be wary of installing Android apps that don’t have a track record of positive reviews.
Finally, don’t leave photos of your cryptocurrency wallet recovery keys lying around!
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.