New CherryBlos Malware On Android Devices Uses OCR To Steal User Data

Posted on July 31, 2023 at 7:47 PM


Cybersecurity researchers have detected malware that uses optical character recognition to steal data from Android users. The malware in question is known as CherryBlos, and it was found in at least four Android apps.

Researchers detect rare malware stealing Android data

The malware was highlighted in a report by Trend Micro, which said that it was embedded within at least four Android applications. These applications were distributed outside the Google Play Store, especially on sites that promote fraudulent money-making schemes.

Ars Technica published a blog post detailing this malware. The researchers said that the malware contained a rare and possibly new attribute that allowed it to use mnemonic passphrases to access accounts.

The malware targets legitimate apps that display passphrases on the phone's screen by capturing an image of the screen. It then uses optical character recognition (OCR) to convert the captured image into text, and this data is later used to gain access to user accounts.

The researchers said that once CherryBlos has been granted access, it performs two functions. The first function reads pictures from external storage and uses OCR to extract text from them. The OCR results are then uploaded to the C&C [command and control] server at regular intervals.

The report by Ars Technica noted that this malware is also able to bypass some restrictions placed by apps that handle sensitive information. For instance, the majority of banking and financial applications have a feature that prevents screenshots while sensitive transactions are underway.

CherryBlos appears capable of bypassing these restrictions through the accessibility permissions, which are intended for people with vision impairments or other disabilities and give an app a broader view of the device. Bypassing these restrictions lets the malware capture sensitive data that can later be used to gain entry to bank accounts or other sensitive platforms.

The researchers said that “Like most modern banking trojans, CherryBlos requires accessibility permissions to work. When the user opens the app, it will display a popup dialogue window prompting users to enable accessibility permissions. An official website will also be displayed via WebView to avoid suspicion from the victim.”

Ars Technica also said that the hackers behind these campaigns used advanced techniques to avoid detection, including software packing, obfuscating any malicious activity, and exploiting the Android Accessibility Service. The campaigns also focused on a vast global audience and posed a major risk to users. 

However, it is not the first time that malware has been reported on the Google Play Store. The Android app marketplace has often been found to contain malicious apps that avoid detection while stealing sensitive information from the users of Android devices. 

US regulators outline new rules on cybersecurity incidents

The growing risk posed by hacking campaigns on data privacy has raised concerns from regulators such as the US Securities and Exchange Commission (SEC). The SEC has adopted new guidelines that require companies operating in the public and foreign private sectors to reveal cybersecurity incidents.

The SEC requires these companies to also share more details about risk management, strategy, and governance on an annual basis. The chair of the SEC, Gary Gensler, noted that losing millions of files in a hacking attack posed the same risk to investors as a factory shutting down. The SEC chair also stressed that the cybersecurity disclosures needed to be made in a more consistent and decision-useful manner.

Amid the growing risk of hacking attacks being conducted on mobile devices, consumers are now advocating for additional security measures on their devices to safeguard their identities and prevent the loss of private information.

A recent report named “Consumer Authentication Preferences for Online Banking and Transactions” found that smartphones were the ideal choice for handling financial transactions on online platforms. The research said that 7 out of 10 consumers used smartphones more often compared to other devices when it came to making and receiving payments.

It also noted that 38% of consumers wanted their banks to have robust security measures whenever a new device is used to access bank accounts. On the other hand, 37% of consumers said that they needed more security measures to handle online transactions involving huge amounts.

Consumers are also advocating for better security guidelines when conducting their first online transaction with a new retailer. Additional measures have also been called for whenever a customer is changing their banking information to reduce the risk of impersonation.

Publisher Name
Koddos