CherryBlos and FakeTrade Android Malware Target Users for Cryptocurrency Theft and Financial Scams

Trend Micro’s MARS team has recently discovered two new malware families [3], CherryBlos and FakeTrade [1] [4] [5], on Google Play [1] [2] [4] [5]. These Android malware campaigns specifically target users for cryptocurrency theft and financial scams.


CherryBlos and FakeTrade are long-standing Android malware campaigns that distribute malware through various channels, including fake Android apps on Google Play [1] [4], social media platforms [1] [3] [4], and phishing sites [1] [4]. CherryBlos uses social media platforms to distribute fake posts and entice users to download malicious Android apps. Once installed [2], CherryBlos gains accessibility permissions and overlays fake screens on legitimate crypto wallet apps, allowing it to steal credentials and make fraudulent transfers [2]. It also acts as a clipper [2], substituting wallet addresses when a victim copies a string matching a predefined format [2]. Additionally, CherryBlos employs optical character recognition (OCR) techniques to extract sensitive data from images stored on the device, including mnemonic phrases [1] [4]. This malware is connected to another campaign called FakeTrade, which involves scam money-earning apps on the Google Play Store [2]. These apps promise increased income but prevent users from withdrawing funds [2]. Both CherryBlos and FakeTrade are believed to be operated by the same threat actor, as they share the same network infrastructure and application certificates [1]. The campaigns have been active for years and have targeted users globally [4], with the apps being uploaded to various Google Play regions such as Malaysia, Vietnam [1], Philippines [1], Indonesia [1], Uganda [1], and Mexico [1]. Google has taken action by removing the malicious apps from Google Play, but the malware remains a significant threat to Android users [4]. It is worth noting that Trend Micro discovered an app developed by the CherryBlos threat actors on the Google Play Store [2], but it has since been removed [4]. CherryBlos uses techniques like software packing [4], obfuscation [4], and abusing Android’s Accessibility Service to evade detection [4]. It steals cryptocurrency wallet credentials and replaces victims’ wallet addresses during withdrawals [3] [4]. FakeTrade apps were available on Google Play in 2021 and the first three quarters of 2022 [4], but have since been removed [4]. Both campaigns have used social media platforms like Telegram [4], TikTok [4], and X (formerly Twitter) to promote their fake apps [4]. The report does not provide any additional information about the source country [5], target country [5], or the bad actors behind these malware campaigns [5].


The discovery of CherryBlos and FakeTrade on Google Play highlights the ongoing threat of Android malware campaigns targeting cryptocurrency theft and financial scams. While Google has taken action to remove the malicious apps, the malware remains a significant risk to Android users [4]. It is crucial for users to remain vigilant and take precautions to protect their devices and sensitive information. The use of social media platforms to distribute fake apps further emphasizes the need for users to exercise caution when downloading applications. Continued efforts to detect and mitigate these types of malware campaigns are essential to safeguarding users’ financial security in the future.