Key points
- Threat actors distributed malicious APKs through fake social-media posts and phishing sites, and uploaded related apps to Google Play.
- CherryBlos is packed with the Jiagubao commercial packer with extensive string encryption to evade static detection.
- The malware requests Accessibility permissions and uses Accessibility Service to launch fake wallet UIs, capture credentials, and overlay/modify withdrawal addresses in apps like Binance.
- CherryBlos retrieves configuration files from a C2 server over HTTPS and exfiltrates stolen data (including mnemonics) back to C2.
- Persistence and anti-kill measures include a 1×1 pixel view, foreground service notifications, ignoring battery optimizations, auto-accepting permission dialogs, and preventing access to app settings.
- When enabled, CherryBlos reads images from external storage and runs OCR to find mnemonic phrases, then uploads OCR results to its C2 at intervals.
- Multiple apps sharing certificates and infrastructure suggest the same actor also published scam “money-earning” apps (FakeTrade) on Google Play to defraud users worldwide.
MITRE Techniques
- [T1566] Phishing – Distribution via social posts and phishing sites: ‘…advertisements pointing to phishing websites that trick users into downloading and installing malicious Android apps.’
- [T1204.002] User Execution: Malicious Link – Users were lured to download APKs from links in posts and Telegram groups: ‘…posting a link to the Robot 999 app containing the CherryBlos malware and uploaded the APK file to the group.’
- [T1027] Obfuscated Files or Information – Use of Jiagubao packer and encrypted strings to evade static analysis: ‘…packed using a commercial packer known as Jiagubao… most strings are encrypted.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication and configuration retrieval over HTTPS: ‘…requests two configuration files from its C&C server. The C&C address is stored as a resource string, with the communication occurring over HTTPS.’
- [T1056] Input Capture – Abuse of Android Accessibility Service to monitor app launches, present fake UI, and capture credentials/mnemonics: ‘…use Accessibility Service to monitor when a wallet app launches… launch predefined fake activities… their credentials will be transmitted to the C&C server.’
- [T1543] Create or Modify System Process (Persistence) – Anti-kill and persistence techniques to keep the app running in foreground and survive termination: ‘…Adding a 1*1 pixel view; Posting a notification for foreground service; Ignoring battery optimization.’
- [T1041] Exfiltration Over C2 Channel – Stolen mnemonic phrases and OCR results uploaded to C2: ‘…HTTP request showing the victim’s mnemonic phrase being transferred to the C&C server’ and ‘Upload the OCR results to the C&C server at regular intervals.’
Indicators of Compromise
- [Phishing domains] distribution pages and fake sites – chatgptc[.]io, happyminer[.]com, robot999[.]net, synthnet[.]ai
- [APK filename / download URL] malicious installer samples – Robot999.apk (hxxps://www.robot999.net/Robot999[.]apk)
- [Package names] apps containing CherryBlos – com.gptalk.wallet, com.app.happyminer, com.example.walljsdemo, com.miner.synthnet
- [C2 / infrastructure domains] command-and-control and API endpoints – 008c[.]hugeversapi[.]com, huapi[.]hugeversapi[.]com, sy[.]hugeversapi[.]com
- [Google Play / app certificate] shared certificates linking apps – Thumbprint: 78f5d0d751a5b3f7756317834b9fcb4227cb7fe3, Thumbprint: f76985062c394463e6a15e40bc2a48c5fb7fd6ba
- [IOC list] consolidated indicators file – update-ioc-related-cherryblos-and-faketrade-android-malware-involved-in-scam-campaigns.txt (referenced in article)
Trend Micro’s analysis shows the actor distributed malicious Android apps through orchestrated social posts and phishing sites that hosted APKs or redirected victims to download pages. The CherryBlos samples were deployed under multiple package names (for example, com.gptalk.wallet, com.app.happyminer, com.example.walljsdemo, com.miner.synthnet) and retrieved configuration from C2 domains such as 008c[.]hugeversapi[.]com; some download links included Robot999.apk (hxxps://www.robot999.net/Robot999[.]apk).
Technically, CherryBlos is packed with the Jiagubao commercial packer and relies on extensive string encryption to hinder static analysis. It requests Accessibility permissions and then uses the Accessibility Service to detect wallet or exchange app launches, start fake activities or overlay views, auto-click permission dialogs, and capture user inputs. When configured, it presents fake wallet UIs to harvest mnemonic phrases, overlays and replaces withdrawal addresses (monitoring UI text like “Withdrawal”, “Confirm”, “Submit” to find relevant elements), and sends captured data and periodic OCR-extracted text from images on external storage to C2 over HTTPS.
For persistence and defense evasion, CherryBlos adds a 1×1 pixel view, registers a foreground service notification, ignores battery optimizations, auto-approves permission dialogs, and blocks access to app settings to hinder uninstall. The same actor also published related consumer-facing “money-earning” apps (FakeTrade family) on Google Play that share app certificates and infrastructure, indicating a coordinated campaign using both malicious APK distribution and deceptive Play Store apps.
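As an added example, not part of the Trend Micro article or its IOC file: a small Python matcher that refangs the domains and package names listed above and runs them over a constructed DNS resolver log and a constructed `adb shell pm list packages` dump. The "c2-parent" category for unlisted siblings under the shared C2 parent domain is my heuristic, not something the article states.

```python
# Indicators copied from the article above, kept in the published defanged form.
PHISHING_DOMAINS = ["chatgptc[.]io", "happyminer[.]com", "robot999[.]net", "synthnet[.]ai"]
C2_DOMAINS = ["008c[.]hugeversapi[.]com", "huapi[.]hugeversapi[.]com", "sy[.]hugeversapi[.]com"]
PACKAGES = {"com.gptalk.wallet", "com.app.happyminer", "com.example.walljsdemo", "com.miner.synthnet"}

# Constructed sample inputs (not from the article): a resolver log and `pm list packages` output.
SAMPLE_DNS_LOG = """\
2023-07-28T09:14:02Z 10.0.0.12 query A www.example.org
2023-07-28T09:14:09Z 10.0.0.12 query A robot999.net
2023-07-28T09:16:45Z 10.0.0.12 query A huapi.hugeversapi.com
2023-07-28T09:17:01Z 10.0.0.12 query A cdn.hugeversapi.com
"""
SAMPLE_PM_OUTPUT = "package:com.android.chrome\npackage:com.app.happyminer\npackage:com.example.walljsdemo\n"

def refang(indicator):
    """Turn the defanged report form (example[.]com) into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

WATCHLIST = {refang(d): "phishing" for d in PHISHING_DOMAINS}
WATCHLIST.update({refang(d): "c2" for d in C2_DOMAINS})
# Heuristic (assumption, not from the article): the listed C2 hosts share one parent domain,
# so an unlisted sibling such as cdn.hugeversapi.com is flagged as "c2-parent".
for d in C2_DOMAINS:
    WATCHLIST.setdefault(".".join(refang(d).split(".")[-2:]), "c2-parent")

def classify_host(host):
    """Category for host, or None: exact or subdomain match, longest listed suffix wins."""
    labels = refang(host).split(".")
    for i in range(len(labels)):
        category = WATCHLIST.get(".".join(labels[i:]))
        if category:
            return category
    return None

def scan_dns_log(text):
    """Return (timestamp, client, host, category) for "<ts> <client> query <type> <name>" lines that hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "query":
            category = classify_host(parts[4])
            if category:
                hits.append((parts[0], parts[1], parts[4], category))
    return hits

def find_known_packages(pm_output):
    """Match `adb shell pm list packages` output against the CherryBlos package names."""
    installed = {ln.split(":", 1)[1].strip() for ln in pm_output.splitlines() if ln.startswith("package:")}
    return sorted(installed & PACKAGES)
```

The benign first log line shows the matcher does not fire on unrelated hosts, while the last line shows the parent-domain heuristic catching a sibling the article never lists.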