This dangerous Android malware could steal passwords and other data just by using images

Sead Fadilpašić
·5 min read
Android
Android

Cybersecurity researchers from Trend Micro have uncovered two malware variants built for the Android system, one of which is able to steal information stored on photos and pictures.

In a report published on the company’s website, it was said that CheeryBlos, and FakeTrade, two malware families, were recently discovered, with one even making its way to Google Play, Android’s official app repository.

The researchers that discovered the apps concluded that they both belong to the same threat actor, given that they use the same network infrastructure and the same certificates. These malware variants were hiding in different apps, including an app called SynthNet that was uploaded to Google Play. According to a BleepingComputer report, it had some 1,000 downloads before being removed from the store.

But this isn’t the only way the apps were distributed. The threat actors used common distribution tactics, such as social media channels, or phishing websites. They would promote the apps on Telegram, Twitter, or YouTube, presenting them as AI tools or cryptocurrency miners. Some of the apps are called GPTalk, Happy Miner, or Robot999. Suffice to say, if you have any of these installed on your endpoints, remove them immediately.

The goal of the malware was to steal valuable data from the compromised devices, including any cryptocurrencies the users might have sitting in mobile app wallets. One of the ways the malware did that was by overlaying any crypto apps with an invisible (or fake) user interface where the user, should they enter their credentials, would hand them over to the attackers. The other method was by hijacking the clipboard. If a user copies a crypto wallet, the malware will replace it in the clipboard with another address belonging to the attackers. So when the victim pastes the address, unless they double-check it character for character, they’ll end up sending their money to the crooks.

Another method was through optical character recognition or OCR. Most high-end smartphones these days have that feature, which allows the device to “read” the text on a photo or an image. It’s useful when, for example, needing to translate a menu while dining in a foreign country. The crooks used OCR to have the malware scan the photo gallery for any relevant images and pull the data to the C2.

While the crooks don’t seem to target any specific region, the victims mostly reside in Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico, the researchers concluded.

Analysis: Why does it matter?

Cryptocurrencies, especially Bitcoin and Ether, are still widely popular around the globe, and with the next Bitcoin halving coming up approximately in May next year, many people are already “stacking up” in anticipation of the possible next bull run which could see Bitcoin shoot past $100,000 per coin. This leaves many people, especially new entrants to the market, vulnerable to scams and hacks.

The “problem” with cryptocurrencies is that once a transfer is initiated, it’s impossible to reverse (unless it’s being made from a third-party such as a crypto exchange, which might stop it on time, if alerted to a possible fraud). The second “problem” is in the way most cryptos are secured these days - the majority of crypto wallets come with so-called seed phrases (also called recovery phrases or mnemonic phrases) - a string of 12 or 24 words that can be used to restore a wallet, in case it’s lost or the password is forgotten.

While the designers insist people write these words down on a piece of paper somewhere and store it safely (and not digitally), many people end up taking photos of their seed phrases and storing them on their smartphones or cloud services. If an OCR-enabled piece of malware finds these photos, the crooks can easily take over the wallet and empty it out in seconds.

What have others said about this malware?

In the comments section on ArsTechnica, some users discussed how malware like this would never pass on an Apple device. “Reasons why I'll never leave Apple. I don't need an AV scanner on my phone. I don't need to side-load,” says one of the comments. “For one thing, lack of sideloading makes it effectively impossible to distribute malicious apps. You won’t find crap like this in the AppStore,” says another. “iOS APIs do not even allow the developers to pull off anything like this - Android malware rarely uses vulnerabilities. They pull off this stuff just by using standard APIs. Apple’s approach to iPhone as (somewhat restricted) app platform has been an incredible success for us, the users. The same can be said for gaming consoles: zero malware.”

Others pointed out how it’s still the human factor that makes all the difference: “For this to work, it required accessibility permissions. This is a more involved process than other permissions. I'm trying it with a legitimate app, and the app has to give you instructions about what to do in settings, and then launch the setting app to a screen that's reasonably close,” they said. “You cannot accidentally click through this.”

Finally, those who weren’t interested in the perpetual Apple vs. Android war shifted their attention to the impotence of mobile antivirus programs:

“It sounds like even Google's Play Protect wasn't able to detect the malware in these apps since Trend Micro is the one reporting it,” says one user. “First submitted on VirusTotal on 2023-06-20 at 16:09:16 UTC, which means over a month has passed and the bad app is still not detected by the vast majority of AVs,” says another.

Go deeper

If you want to learn more about Android malware and how to stay safe, make sure to read our guide for the best Android antivirus apps, and best Android phones in general. Also, read our guide on best firewalls, and best ID theft protection around.