Jul 31, 2023 12:00:00

Malware that steals passwords from images and photos with OCR function is found on Android

As a security measure, some people save the screen with the password displayed as an image because it is difficult to remember when using a long password. From such images, it was reported that malware was found that converts passwords into text data and steals authentication information.

Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns

https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html

New Android malware uses OCR to steal credentials from images

https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ocr-to-steal-credentials-from-images/

On July 28, 2023, security company Trend Micro announced that it had confirmed two malware families named 'CherryBlos' and 'FakeTrade' on Google Play. Of these, “CherryBlos” was first discovered in April and was distributed through

APK files advertised on Telegram, X (formerly Twitter), and YouTube.

The APK files are disguised as AI tools and cryptocurrency mining tools with names such as 'GPTalk', 'Happy Miner', 'Robot999', and 'SynthNet'. It was said that it was.

The main method of 'CherryBlos' is to steal virtual currency using a fake UI that mimics the official mining application, but as an alternative method, it also has an OCR function that extracts text from images and photos stored on the device. I had

According to BleepingComputer, an IT news site that reported on this issue, users may be shown a recovery phrase or password when opening a new virtual currency wallet. Taking screenshots is not recommended because anyone can access the wallet with this recovery phrase, but BleepingComputer says that many people save it as an image on a PC or smartphone.

'CherryBlos' also has the ability to hijack the clipboard, automatically rewriting the address of the recipient of the cryptocurrency transaction to the address of the threat actor, while hiding the original address from the user. I also showed a clever behavior of displaying .

Another piece of malware found this time, 'FakeTrade', is a collective term for 31 malicious apps uploaded to Google Play, mostly in 2021 and 2022, to trick users with shopping and money-making claims. , showed ads, signed up for subscriptions, and funded wallets in exchange for fake cryptocurrency.

Some of the fake apps were downloaded 10,000 times before being deleted. All were deleted at the time of writing, but Trend Micro points out that ``threat actors may be planning future campaigns using similar attack techniques.''

One of the two malware families was through distributed APK files, so-called stray apps, and the other was distributed on Google Play but received many complaints about the inability to cash out cryptocurrencies. For this reason, Trend Micro has taken a protective measure to reduce the risk: ``Only download apps from trusted sources and reputable developers. Check app ratings and reviews before installing. Beware of apps with many negative reviews and reports of fraud.'