- Jul 27, 2015
Security researchers have unearthed a rare malware find: malicious Android apps that use optical character recognition to steal credentials displayed on phone screens.
The malware, dubbed CherryBlos by researchers from security firm Trend Micro, has been embedded into at least four Android apps available outside of Google Play, specifically on sites promoting money-making scams. One of the apps was available for close to a month on Google Play but didn’t contain the malicious CherryBlos payload. The researchers also discovered suspicious apps on Google Play that were created by the same developers, but they also didn’t contain the payload.
The apps took great care to conceal their malicious functionality. They used a paid version of commercial software known as Jiagubao to encrypt code and code strings to prevent analysis that can detect such functionality. They also featured techniques to ensure the app remained active on phones that had installed it. When users opened legitimate apps for Binance and other cryptocurrency services, CherryBlos overlaid windows that mimicked those of the legitimate apps. During withdrawals, CherryBlos replaced the wallet address the victim selected to receive the funds with an address controlled by the attacker.
The most interesting aspect of the malware is its rare, if not novel, feature that allows it to capture mnemonic passphrases used to gain access to an account. When the legitimate apps display passphrases on phone screens, the malware first takes an image of the screen and then uses OCR to translate the image into a text format that can be used to raid the account. “Once granted, CherryBlos will perform the following two tasks: 1. Read pictures from the external storage and use OCR to extract text from these pictures [and] 2. Upload the OCR results to the C&C server at regular intervals,” the researchers wrote.
Most apps related to banking and finance use a setting that prevents the taking of screenshots during sensitive transactions. CherryBlos appears to bypass such restrictions by obtaining accessibility permissions used by people with vision impairments or other types of disabilities.
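The two app-side measures the article alludes to, the screenshot-blocking setting and a defence against a rogue accessibility service reading the passphrase, can be combined on the screen that reveals a mnemonic. The following Kotlin is an added illustration written for this page; it is not code from the Ars Technica article, from Trend Micro, or from any wallet app. It assumes a hypothetical wallet app that calls `SeedScreenHardening.prepare(...)` from its own Activity, and the allow-listed service id is a placeholder.

```kotlin
// Added example, not from the article or from any wallet vendor.
// Hardens the Activity window that displays a mnemonic passphrase.
// Package name and the allow-listed service id below are placeholders.
package com.example.wallet

import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.TextView

object SeedScreenHardening {

    /**
     * Returns the ids ("package/Service") of enabled accessibility services that
     * are not on the caller's allow list. An empty list means nothing unexpected
     * is currently able to read the screen through the accessibility API.
     */
    fun unexpectedAccessibilityServices(context: Context, allowed: Set<String>): List<String> {
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.id }
            .filterNot { it in allowed }
    }

    /**
     * Applies window and view hardening, then decides whether the passphrase may
     * be shown. Returns true if [seedView] now displays [seedWords], false if it
     * displays [warningText] because an unreviewed accessibility service is on.
     */
    fun prepare(
        activity: Activity,
        seedView: TextView,
        seedWords: List<String>,
        warningText: CharSequence,
        allowedServices: Set<String>
    ): Boolean {
        val window = activity.window

        // 1. FLAG_SECURE excludes this window from screenshots, screen recording
        //    and MediaProjection capture. This is the kind of setting the article
        //    says finance apps rely on. It does NOT hide text from an accessibility
        //    service, which reads the view tree rather than pixels.
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)

        // 2. On Android 12+ ask the system to hide other apps' overlay windows
        //    while this window is visible, blunting the overlay mimicry described
        //    for CherryBlos.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        // 3. Keep the passphrase view out of the accessibility node tree so a
        //    service holding the accessibility permission cannot read it as text.
        seedView.importantForAccessibility = View.IMPORTANT_FOR_ACCESSIBILITY_NO
        // Drop touches that arrive through a window drawn over this one.
        seedView.filterTouchesWhenObscured = true

        // 4. If an accessibility service the app's operators have not reviewed is
        //    enabled, show a warning instead of the words. The user can still
        //    re-enter the screen after disabling it.
        val unexpected = unexpectedAccessibilityServices(activity, allowedServices)
        if (unexpected.isNotEmpty()) {
            seedView.text = warningText
            return false
        }

        // Render the words one per line; numbering helps users check order.
        seedView.text = seedWords
            .mapIndexed { i, w -> "${i + 1}. $w" }
            .joinToString("\n")
        return true
    }
}

// Example call from the hypothetical SeedPhraseActivity.onCreate:
//
//   val shown = SeedScreenHardening.prepare(
//       activity = this,
//       seedView = findViewById(R.id.seed_phrase),
//       seedWords = words,                      // loaded from Keystore-backed storage
//       warningText = getString(R.string.seed_hidden_accessibility_warning),
//       allowedServices = setOf(
//           "com.example.screenreader/.ReaderService"   // placeholder allow-list entry
//       )
//   )
```

The design point is that the screenshot flag and the accessibility check address different capture paths: `FLAG_SECURE` stops image capture, while `IMPORTANT_FOR_ACCESSIBILITY_NO` and the service check address a malicious app that holds the accessibility permission, which is the path the article says CherryBlos uses. A hardened app applies both, and treats an unexpected enabled service as a reason not to reveal the secret at all rather than as a cosmetic warning.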
Source: "Android malware steals user credentials using optical character recognition" (OCR isn't the only advanced technique used by "CherryBlos" apps), arstechnica.com