New Android malware can steal passwords and other data from images — how to stay safe

Android malware on phone
(Image credit: Shutterstock)

Cybercriminals continue to come up with clever new tactics to steal your passwords and drain your banking and other financial accounts using Android malware.

As reported by BleepingComputer, two new Android malware families named CherryBlos and FakeTrade have been discovered on the Google Play Store by the cybersecurity firm Trend Micro. However, it’s worth noting that these malicious apps aren’t exclusive to the Play Store as they’re also being distributed on social media and via phishing sites as installable APK files.

According to a blog post, Trend Micro first observed the CherryBlos malware being distributed as an APK beginning in April of this year. The malware was promoted on Telegram, Twitter and YouTube as an AI-powered cryptocurrency mining app called SynthNet. The SynthNet app was also distributed via the Play Store but fortunately, it was only downloaded a few thousand times before it was removed by Google. 

As for FakeTrade, Trend Micro’s security researchers managed to find a connection between the two malware strains as the hackers behind it were using the same command and control (C&C) network infrastructure and certificates as the malicious apps infecting unsuspecting users with the CherryBlos malware.

Leveraging OCR to steal passwords

A shadowy hand reaches for the word 'PASSWORD' displayed on a computer screen.

(Image credit: Shutterstock)

While malicious apps stealing passwords to drain banking and crypto accounts are nothing new, CherryBlos does have an interesting trick up its sleeve we’ve yet to see with any other Android malware.

CherryBlos employs a number of different tactics to steal passwords and crypto, though the main one it uses is fake overlays. These overlays appear on top of legitimate banking and crypto apps and are used by the hackers behind this campaign to steal victims’ usernames and passwords.

In addition to this, the CherryBlos malware uses optical character recognition (OCR) to steal passwords. If OCR sounds familiar, that’s because it’s a feature found in many of the best PDF editors as it allows them to extract text from images and photos. 

In this case though, the hackers behind this campaign are using OCR to extract passwords from screenshots stored on victims’ smartphones. While you should never take screenshots of your passwords, many people still do this despite the risk, especially with the recovery phrases for their cryptocurrency accounts. Once these passwords have been extracted from photos, all of this data is then sent back to the hackers.

FakeTrade connection

Besides shedding light on the CherryBlos malware, Trend Micro has also provided insights on another campaign, which uses 31 scam apps to distribute the FakeTrade malware.

These scam apps use shopping themes or money-making lures in order to trick users into watching ads, signing up for premium subscriptions or to top off their in-app wallets. However, they are never actually allowed to cash out their virtual rewards.

According to Google, all of these scam apps have now been removed from the Play Store while others were distributed as APK files that needed to be sideloaded. However, if you have any installed on one of the best Android phones, you’re going to need to remove them manually. Here’s the list of all of the 31 scam apps distributing the FakeTrade malware:

  • Ama
  • BBShop
  • Canyon
  • Compass
  • Domo
  • Envoy
  • Fiar
  • Gobuy
  • Godo
  • Goshop
  • Huge
  • Koofire
  • Leefire
  • Moshop
  • NTBuy
  • OneFire
  • Papaya
  • Pudding
  • Saya
  • Sengre
  • Smartz
  • Tango
  • Timeshop
  • Tinuiti
  • Upwork 
  • WebFX
  • Youtech

It’s worth noting that a few of these malicious apps like Upwork and WebFX are impersonating actual businesses. To be on the safe side though, you should remove all of them from your smartphone right now.

How to protect your passwords and stay safe from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

Instead of writing your passwords down on paper or taking screenshots of them, using one of the best password managers lets you securely store them all in one place. At the same time, you don’t have to remember them all and can just remember the master password to your password manager instead.

As for Android malware, installing one of the best Android antivirus apps on your smartphone can help keep you safe as they scan both your existing apps and any new ones you download for viruses. Google Play Protect, which comes pre-installed on most Android phones, does the exact same thing but you often get some nice extras with paid Android antivirus apps like a VPN or even a password manager.

Now that we’ve seen the CherryBlos malware utilize OCR to steal passwords from infected phones, I wouldn’t be surprised if other hackers added this same functionality to their own malware in the future. This is why you shouldn’t screenshot anything you don’t want to end up in the hands of hackers.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.