Trend Micro's Mobile Application Reputation Service (MARS) team discovered two new related Android malware families involved in cryptocurrency-mining and financially motivated scam campaigns targeting Android users.

The first campaign leveraged popular social networking platforms to promote fraudulent services, with the advertisements pointing to phishing websites that trick users into downloading and installing malicious Android apps. The downloaded malware, CherryBlos (AndroidOS_CherryBlos.GCL), named after the unique string used in its hijacking framework, can steal cryptocurrency wallet-related credentials and replace victims' addresses while they make withdrawals.

Meanwhile, another campaign that employed several fraudulent money-earning apps, first uploaded to Google Play in 2021, involved the FakeTrade (AndroidOS_FakeTrade.HRXB) malware. These apps claim to be e-commerce platforms that promise increased income for users via referrals and top-ups. However, users are unable to withdraw their funds when they attempt to do so.

Fake social media posts distribute CherryBlos

The first CherryBlos sample, labeled Robot 999, initially appeared in April 2023 and was downloaded from the URL hxxps:// Upon further investigation, we were able to trace its source to a Telegram group called Ukraine ROBOT that had been posting messages related to cryptocurrency mining since early 2023. This group's profile directly points to the phishing website from which the malware was downloaded.

As stated previously, the CherryBlos malware was designed to steal cryptocurrency wallet-related credentials and replace addresses used during the withdrawal process. To evade static detection, CherryBlos is packed using a commercial packer known as Jiagubao. Our analysis found that the malware had two unusual aspects:

- The packer's native library name is not the default name libjiagu.so. In this case, the name is likely defined by the threat actor, specifically libjiagu_sdk_cherryBlos_gProtected.so.
- It is rare to see malware packed by Jiagubao using the packer's built-in string encryption. For CherryBlos, most strings are encrypted, with the decryption process being handled by the packer's native library. We believe that this is a built-in feature of the packer instead of being implemented by the malware developer.

These facts suggest that the group behind CherryBlos uses a non-free version of the packer for its advanced protection capabilities, increased evasion capabilities, and other powerful features.

Impersonation technique and command-and-control (C&C) communication

Like most modern banking trojans, CherryBlos requires accessibility permissions to work. When the user opens the app, it displays a popup dialogue window prompting the user to enable accessibility permissions. After gaining accessibility permissions, CherryBlos requests two configuration files from its C&C server. An official website is also displayed via WebView to avoid suspicion from the victim. The C&C address is stored as a resource string, with the communication occurring over HTTPS.

An app with the same package name and label as the CherryBlos one was also found on Google Play, and the privacy policy listed in its developer contact details also points to the phishing website. Upon further analysis, we found that it is a version of the app (3.1.17) without the CherryBlos malware embedded in it. However, we still believe that the app on Google Play was developed by the same threat actor, as it shares the same app certificate with the CherryBlos one.

Connection to another ongoing money-earning scam campaign in Google Play

Thumbprint: 78f5d0d751a5b3f7756317834b9fcb4227cb7fe3

We also discovered that CherryBlos had connections to another similar campaign on Google Play. From the language used by these samples, we determined that the threat actor does not have a specific targeted region but targets victims across the globe, replacing resource strings and uploading these apps to different Google Play regions (such as Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico). We have high confidence in attributing the campaigns to the same perpetrator due to shared network infrastructure and app certificates. Pivoting from the C&C server 008c.hugeversapicom, we discovered two additional apps, Huge and Saya, that communicated with huapi.hugeversapicom and sy.hugeversapicom respectively. The two apps share the same app certificate and have been uploaded to Google Play.
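The two packer traits described above (a renamed Jiagubao native library, and a C&C hostname kept as a resource string) are cheap to hunt for across a pile of APKs. The Python below is an added example written for this page, not Trend Micro's tooling: it opens an APK as the zip it is, flags any lib/<abi>/libjiagu*.so whose name is not the default libjiagu.so, and scans every entry for the distinctive C&C label in both UTF-8 and UTF-16LE (resources.arsc stores its string pool in either encoding, so a naive UTF-8 grep misses it). The file layout and the in-memory sample APK are constructed for the demonstration; the hostnames quoted on the page are reproduced as printed there, and the matcher keys only on the label "hugeversapi" so it survives defanging and new subdomains.

```python
"""APK triage for two CherryBlos traits: renamed Jiagubao lib, C&C string in resources.

Added example for this page; not the vendor's code. Runs offline on a
constructed, APK-like zip built below (no real malware involved).
"""
import io
import re
import zipfile

# Distinctive label shared by the C&C hostnames quoted on the page
# (008c./huapi./sy. + hugeversapi...). Matching the label rather than a
# full hostname keeps the check robust to defanging and new subdomains.
CNC_LABEL = b"hugeversapi"
CNC_LABEL_UTF16 = CNC_LABEL.decode("ascii").encode("utf-16-le")

# Jiagubao's default native library name, per the page.
DEFAULT_PACKER_LIB = "libjiagu.so"
# Any Jiagubao-style library under lib/<abi>/ (assumed layout).
PACKER_LIB_RE = re.compile(r"^lib/[^/]+/(libjiagu[^/]*\.so)$")


def find_packer_libs(apk: zipfile.ZipFile) -> list:
    """Return Jiagubao native libraries, marking ones with a non-default name."""
    hits = []
    for name in apk.namelist():
        m = PACKER_LIB_RE.match(name)
        if m:
            hits.append({"path": name, "renamed": m.group(1) != DEFAULT_PACKER_LIB})
    return hits


def find_cnc_strings(apk: zipfile.ZipFile) -> list:
    """Return zip entries containing the C&C label in UTF-8 or UTF-16LE.

    resources.arsc keeps resource strings in a pool encoded as UTF-8 or
    UTF-16, so both forms are scanned. Every entry is checked because a
    hostname may also sit in DEX code or an asset rather than a resource.
    """
    hits = []
    for name in apk.namelist():
        data = apk.read(name)
        if CNC_LABEL in data or CNC_LABEL_UTF16 in data:
            hits.append(name)
    return hits


def triage_apk(apk_bytes: bytes) -> dict:
    """Combine both checks into one verdict for an APK given as bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        libs = find_packer_libs(apk)
        cnc = find_cnc_strings(apk)
    renamed = any(lib["renamed"] for lib in libs)
    return {
        "packer_libs": libs,
        "renamed_packer_lib": renamed,
        "cnc_entries": cnc,
        "suspicious": renamed or bool(cnc),
    }


def build_sample_apk() -> bytes:
    """Constructed APK-like zip reproducing the two traits (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder binary XML
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        # Resource string pool in UTF-16LE; hostname as printed on the page.
        z.writestr("resources.arsc",
                   b"\x02\x00\x0c\x00" + "https://008c.hugeversapicom".encode("utf-16-le"))
        # Packer library carrying the actor-defined name quoted on the page.
        z.writestr("lib/arm64-v8a/libjiagu_sdk_cherryBlos_gProtected.so", b"\x7fELF" + b"\x00" * 12)
    return buf.getvalue()


def build_clean_apk() -> bytes:
    """Constructed control: default packer lib name, unrelated resource string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("resources.arsc", "https://example.com".encode("utf-16-le"))
        z.writestr("lib/arm64-v8a/libjiagu.so", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_apk()), ("clean", build_clean_apk())):
        print(label, triage_apk(blob))
```

A renamed packer library alone is only a weak signal (legitimate apps can also use a non-free Jiagubao build), so in practice the two findings are better treated as hunting leads to combine with the certificate thumbprint and network indicators quoted above than as a standalone verdict.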