{
	"id": "188e82f8-7750-466b-8b17-43ad0c9fcb3e",
	"created_at": "2026-04-06T00:07:17.26289Z",
	"updated_at": "2026-04-10T13:12:10.487315Z",
	"deleted_at": null,
	"sha1_hash": "a03d754cdd8d88f4c9509e1856b87def2624b67f",
	"title": "Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3552243,
	"plain_text": "Related CherryBlos and FakeTrade Android Malware Involved in\r\nScam Campaigns\r\nBy Trend Micro Research ( words)\r\nPublished: 2023-07-28 · Archived: 2026-04-05 22:02:47 UTC\r\nMobile\r\nTrend Micro’s Mobile Application Reputation Service (MARS) team discovered two new related Android\r\nmalware families involved in cryptocurrency-mining and financially-motivated scam campaigns targeting Android\r\nusers.\r\nBy: Trend Micro Research Jul 28, 2023 Read time: 8 min (2105 words)\r\nSave to Folio\r\nTrend Micro’s Mobile Application Reputation Service (MARS) team discovered two new related Android\r\nmalware families involved in cryptocurrency-mining and financially-motivated scam campaigns targeting Android\r\nusers.\r\nThe first campaign leveraged popular social networking platforms to promote fraudulent services, with the\r\nadvertisements pointing to phishing websites that trick users into downloading and installing malicious Android\r\napps. The downloaded malware CherryBlos (AndroidOS_CherryBlos.GCL), named because of the unique string\r\nused in its hijacking framework, can steal cryptocurrency wallet-related credentials, and replace victims’ addresses\r\nwhile they make withdrawals.\r\nMeanwhile, another campaign that employed several fraudulent money-earning apps — first uploaded to Google\r\nPlay in 2021 — involved the FakeTrade (AndroidOS_FakeTrade.HRXB) malware. These apps claim to be e-commence platforms that promise increased income for users via referrals and top-ups. However, users will be\r\nunable withdraw their funds when they attempt to do so.\r\nFake social media posts distribute CherryBlos\r\nThe first CherryBlos malware, labeled Robot 999, initially appeared in April 2023 and was downloaded from the\r\nURL hxxps://www.robot999.net/Robot999[.]apk. 
Upon further investigation, we were able to trace its source to a Telegram group called Ukraine ROBOT that had been posting messages related to cryptocurrency mining since early 2023. This group’s profile points directly to the phishing website from which the malware was downloaded. In April 2023, the group owner posted a link to the Robot 999 app containing the CherryBlos malware and uploaded the APK file to the group.\r\nhttps://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html\r\nPage 1 of 9\r\nSimilar situations also occurred with subsequent CherryBlos samples. As of writing, we have identified four different apps containing the CherryBlos malware:\r\nLabel | Package name | Phishing domain\r\nGPTalk | com.gptalk.wallet | chatgptc[.]io\r\nHappy Miner | com.app.happyminer | happyminer[.]com\r\nRobot 999 | com.example.walljsdemo | robot999[.]net\r\nSynthNet | com.miner.synthnet | synthnet[.]ai\r\nTable 1. Apps containing CherryBlos\r\nFor the GPTalk app, a fake TikTok account was used to post the phishing website. Meanwhile, the phishing website for the SynthNet app points to a Twitter account and a Telegram channel.\r\nFigure 4. The phishing website, synthnet[.]ai, pointing to a Twitter account\r\nIn addition to these fake posts, we have also found content likely created by unwitting “promoters”, such as the YouTube video shown in Figure 5.\r\nAnalysis of the CherryBlos malware\r\nAs stated previously, the CherryBlos malware was designed to steal cryptocurrency wallet-related credentials and replace addresses used during the withdrawal process.\r\nTo evade static detection, CherryBlos is packed using a commercial packer known as Jiagubao. Our analysis found that the malware had two unusual aspects:\r\n1. 
The packer’s native library name is not the default name libjiagu.so. In this case, the name is likely defined by the threat actor, specifically libjiagu_sdk_cherryBlos_gProtected.so.\r\n2. It is rare to see malware packed by Jiagubao using the packer’s built-in string encryption. For CherryBlos, most strings are encrypted, with the decryption process being handled by the packer’s native library. We believe that this is a built-in feature of the packer rather than something implemented by the malware developer.\r\nThese facts suggest that the group behind CherryBlos uses a paid version of the packer for its advanced protection, increased evasion capabilities, and other powerful features.\r\nLike most modern banking trojans, CherryBlos requires accessibility permissions to work. When the user opens the app, it displays a popup dialog prompting users to enable accessibility permissions. An official website is also displayed via WebView to avoid arousing the victim’s suspicion.\r\nAfter gaining accessibility permissions, CherryBlos requests two configuration files from its C\u0026C server. The C\u0026C address is stored as a resource string, with the communication occurring over HTTPS.\r\nFigure 6. 
C\u0026C server address, 008c.hugeversapi[.]com, stored in a resource string\r\nCherryBlos uses a variety of methods for persistence and evasion, such as the following anti-kill techniques:\r\n- Adding a 1×1 pixel view\r\n- Posting a notification for a foreground service\r\n- Ignoring battery optimization\r\nIt also uses the following defense evasion techniques:\r\n- Automatically approving permission requests by auto-clicking the “allow” button when a system dialog appears\r\n- Sending users back to the home screen when they enter the app settings, possibly as an anti-uninstall or anti-kill contingency\r\nFigure 9. Sending users back to the home screen when they enter the app settings\r\nCredential and asset theft\r\nCherryBlos uses several approaches to steal credentials or assets from its victim’s cryptocurrency wallets, which we describe in the following subsections.\r\nIf the EnableUIMode field in the configuration is set to true, CherryBlos displays a series of well-designed fake wallet user interfaces when users launch official apps.\r\nIt checks for installed cryptocurrency wallet apps (the list of wallet apps to check is defined in the DetectionWalletList field in the configuration), then reports matching app package names to the C\u0026C server and sets a fake launch activity for each matched wallet app.\r\nFigure 10. Setting fake activities for each corresponding cryptocurrency wallet app\r\nCherryBlos uses the Accessibility Service to monitor when a wallet app launches. Once this is detected, it uses startActivity to launch predefined fake activities, with the goal of inducing victims to fill in their credentials. For example, the fake activities shown in Figure 11 are launched while users open the real BitKeep app. 
Once victims import their mnemonic phrase and click the “confirm” button, their credentials are transmitted to the C\u0026C server.\r\nFigure 12. HTTP request showing the victim’s mnemonic phrase being transferred to the C\u0026C server\r\nThe field used to store the stolen mnemonic is Zjc, a first-letter combination of the Chinese translation of “mnemonic” – “助记词/Zhu-ji-ci”, possibly indicating the threat actor’s language family.\r\nHijacking during transfer\r\nIf the EnableExchange field in the configuration is set to true, CherryBlos can modify the real withdrawal address while users make withdrawals in the legitimate Binance app, overlaying a fake UI that still shows the original address.\r\nCherryBlos monitors three keywords (“Withdrawal”, “Confirm” and “Submit”) in Binance’s UI. Once one is detected, the malware uses the Accessibility Service to find other elements (such as coin type and network type) and records their values.\r\nNext, CherryBlos overlays a fake withdrawal view over the Binance app and fills it in with the pre-recorded values based on the user’s input. However, the actual address and withdrawal amount in the Binance app have already been modified at this point. Once the user proceeds with the withdrawal, the assets are transferred to an attacker-controlled address.\r\nFigure 14. Using the Accessibility Service to add a view over the Binance app\r\nFigure 15. 
Modifying the address where the funds will be transferred\r\nCollecting credentials from pictures via optical character recognition (OCR)\r\nIf the EnableImage field in the configuration is set to true, CherryBlos reads media files stored in external storage and uses OCR to recognize potential mnemonic phrases in the pictures.\r\nFirst, CherryBlos uses the previously mentioned auto-click approach to request all sensitive permissions defined in the manifest, which in this case are READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE.\r\nOnce granted, CherryBlos performs the following two tasks:\r\n1. Read pictures from the external storage and use OCR to extract text from these pictures.\r\n2. Upload the OCR results to the C\u0026C server at regular intervals.\r\nFigure 16. Timer task to upload the OCR results stored in LitePal to the C\u0026C server\r\n“Synthnet” app on Google Play\r\nDuring our investigation of a CherryBlos sample labelled “Synthnet” (with a lowercase “n”), we found that its download page also includes a URL pointing to a Google Play app. This app shares the same package name and label as the CherryBlos one, and the privacy policy listed in its developer contact details also points to the phishing website.\r\nUpon further analysis, we found that it is a version of the app (3.1.17) without the CherryBlos malware embedded in it. 
However, we still believe that the app on Google Play was developed by the same threat actor, as it shares the same app certificate with the CherryBlos one.\r\nSubject: O=FXrate\r\nValid From: 2021-11-05 09:45:39\r\nValid To: 2046-10-30 09:45:39\r\nSerial Number: 2054d373\r\nThumbprint: 78f5d0d751a5b3f7756317834b9fcb4227cb7fe3\r\nConnection to another ongoing money-earning scam campaign in Google Play\r\nWe also discovered that CherryBlos had connections to another similar campaign on Google Play. We have high confidence in attributing the campaigns to the same perpetrator due to shared network infrastructure and app certificates.\r\nFrom the language used by these samples, we determined that the threat actor does not have a specific targeted region, but targets victims across the globe, replacing resource strings and uploading these apps to different Google Play regions (such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico).\r\nPivoting from the C\u0026C server 008c.hugeversapi[.]com, we discovered two additional apps, Huge and Saya, that communicated with huapi.hugeversapi[.]com and sy.hugeversapi[.]com respectively. The two apps share the same app certificate and have been uploaded to Google Play. One of these apps, Saya, is still online at the time of writing.\r\nSubject: CN=goShop, OU=goShop, O=goShop, L=goShop, ST=goShop, C=goShop\r\nValid From: 2020-11-07 12:22:35\r\nValid To: 2045-11-01 12:22:35\r\nSerial Number: 29be7603\r\nThumbprint: f76985062c394463e6a15e40bc2a48c5fb7fd6ba\r\nWe identified more apps sharing the same app certificate, all featuring shopping-related themes, claiming that users could earn money by completing tasks and inducing user top-ups to gain more income. 
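\r\nThe certificate and infrastructure pivot described above, written out as an added example that is not part of the original report. It clusters app records when they share a signing-certificate thumbprint or a C\u0026C registered domain, which is how CherryBlos is tied to Huge and Saya here. The thumbprints and hostnames are the ones quoted in this report; which app spoke to which exact C\u0026C host, and the package names used for Huge and Saya, are assumptions, and com.example.decoy is an invented control record:\r\n
```python
# Added example, not code from the Trend Micro report: the attribution pivot used
# above, in code. Apps are clustered when they share a signing-certificate
# thumbprint or a C2 registered domain. The thumbprints and hostnames are the ones
# quoted in the report; which app spoke to which exact host, and the package names
# for Huge and Saya, are assumptions, and com.example.decoy is an invented control.


def refang(domain):
    # Reports defang as example[.]com; normalise before comparing.
    return domain.replace('[.]', '.').lower().strip('.')


def registered_domain(host):
    # Naive eTLD+1 (last two labels): fine for .com/.net/.ai, wrong for co.uk and
    # friends, where a real pipeline would consult the public suffix list.
    labels = refang(host).split('.')
    return '.'.join(labels[-2:])


def pivot_keys(record):
    # The two pivots the report relies on: app certificate and C2 infrastructure.
    keys = [('cert', record['cert_sha1'].lower())]
    keys += [('c2', registered_domain(h)) for h in record.get('c2_hosts', [])]
    return keys


class UnionFind:
    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_apps(records):
    # Transitive closure over shared pivots: A~B via domain and B~C via cert puts
    # A, B and C in one cluster even though A and C share nothing directly.
    uf = UnionFind([r['package'] for r in records])
    first_owner = {}
    for r in records:
        for key in pivot_keys(r):
            if key in first_owner:
                uf.union(first_owner[key], r['package'])
            else:
                first_owner[key] = r['package']
    groups = {}
    for r in records:
        groups.setdefault(uf.find(r['package']), []).append(r['package'])
    return sorted(sorted(g) for g in groups.values())


def link_reasons(records):
    # Which pivots actually tie more than one app together.
    owners = {}
    for r in records:
        for key in pivot_keys(r):
            owners.setdefault(key, []).append(r['package'])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


# Constructed records (see the comment at the top for what is assumed).
RECORDS = [
    {'package': 'com.miner.synthnet', 'label': 'SynthNet',
     'cert_sha1': '78f5d0d751a5b3f7756317834b9fcb4227cb7fe3',
     'c2_hosts': ['008c.hugeversapi[.]com']},
    {'package': 'com.example.huge', 'label': 'Huge',
     'cert_sha1': 'f76985062c394463e6a15e40bc2a48c5fb7fd6ba',
     'c2_hosts': ['huapi.hugeversapi[.]com']},
    {'package': 'com.example.saya', 'label': 'Saya',
     'cert_sha1': 'f76985062c394463e6a15e40bc2a48c5fb7fd6ba',
     'c2_hosts': ['sy.hugeversapi[.]com']},
    {'package': 'com.example.decoy', 'label': 'Unrelated',
     'cert_sha1': '0000000000000000000000000000000000000000',
     'c2_hosts': ['api.example[.]org']},
]

if __name__ == '__main__':
    for group in cluster_apps(RECORDS):
        print(group)
    for key, pkgs in link_reasons(RECORDS).items():
        print(key, '->', pkgs)
```
The decoy record shows why both pivots are needed: it shares neither a certificate nor a registered domain and stays in its own cluster, while SynthNet reaches Huge only through hugeversapi[.]com and Huge reaches Saya only through the goShop certificate. A real pipeline would replace the naive registered-domain split with the public suffix list and take the thumbprint from the APK signing block rather than a hand-typed record.\r\n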
Figure 17 shows examples of these apps.\r\nAlthough these apps appear to have complete functionality on the surface, we still found them exhibiting some abnormal behavior. Specifically, all the apps are highly similar, with the only difference being the language applied to the user interface, since they are derived from the same app template. We also found that the descriptions of the apps on Google Play are the same.\r\nFigures 19 and 20 show a comparison of the Canyon and Onefire apps, which target Uganda and Vietnam respectively. Based on analysis of the resources, the only difference is the resource values: one uses Vietnamese, while the other uses English.\r\nA large number of users left bad reviews for these apps, claiming that they are fraudulent because users are unable to withdraw after topping up.\r\nWe decided to categorize these apps as scam apps and gave them the name “FakeTrade.”\r\nWe were able to identify 31 apps in total, with samples uploaded to Google Play mostly in 2021 and the first three quarters of 2022. All malicious apps identified on Google Play have been removed as of writing. It is possible that the threat actors could be planning future campaigns using similar attack techniques.\r\nConclusion\r\nOur investigation uncovered a series of connected campaigns involving the CherryBlos malware and other fake money-earning apps on Google Play. The threat actor behind these campaigns employed advanced techniques to evade detection, such as software packing, obfuscation, and abusing Android’s Accessibility Service. 
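\r\nThe capability set described in this report (Accessibility Service, overlay views, foreground service and battery-optimization anti-kill tricks, external storage access for OCR, and a renamed Jiagubao native library) can be checked statically before any dynamic analysis. The following is an added example that is not code from the original report or from Trend Micro: it takes an AndroidManifest.xml that has already been decoded to text (for instance with apktool) together with the list of native library paths in the APK, and scores those indicators. The manifest and library names are constructed to resemble the behaviour described and are not the real malware’s; the package name com.example.triagesample and the scoring weights are assumptions:\r\n
```python
# Added example, not code from the Trend Micro report: a static triage check for the
# capability set the report attributes to CherryBlos. Input is an AndroidManifest.xml
# already decoded to text (for instance by apktool) plus the native library paths
# inside the APK. The sample manifest below is constructed to look like the behaviour
# described; it is not the real malware manifest, and the package name is invented.
import xml.etree.ElementTree as ET

ANDROID = '{http://schemas.android.com/apk/res/android}'

# Declared permissions mapped to the behaviour the report describes.
PERMISSION_INDICATORS = {
    'android.permission.SYSTEM_ALERT_WINDOW': 'overlay views (fake wallet UI, 1x1 pixel view)',
    'android.permission.FOREGROUND_SERVICE': 'anti-kill: notification for a foreground service',
    'android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS': 'anti-kill: ignore battery optimization',
    'android.permission.READ_EXTERNAL_STORAGE': 'reads stored pictures for OCR',
    'android.permission.WRITE_EXTERNAL_STORAGE': 'reads and writes stored pictures for OCR',
}
ACCESSIBILITY_BIND = 'android.permission.BIND_ACCESSIBILITY_SERVICE'
# Jiagubao ships libjiagu.so by default; CherryBlos renamed it but kept the jiagu stem.
PACKER_MARKERS = ('jiagu',)


def declared_permissions(root):
    return {e.get(ANDROID + 'name') for e in root.iter('uses-permission')}


def accessibility_services(root):
    # An AccessibilityService is a <service> the system binds to with
    # BIND_ACCESSIBILITY_SERVICE; that is the capability behind the overlay,
    # auto-click and address-swap behaviour.
    return [s.get(ANDROID + 'name') for s in root.iter('service')
            if s.get(ANDROID + 'permission') == ACCESSIBILITY_BIND]


def packer_libraries(native_libs):
    return [p for p in native_libs if any(m in p.lower() for m in PACKER_MARKERS)]


def triage(manifest_xml, native_libs):
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    findings = {p: why for p, why in PERMISSION_INDICATORS.items() if p in perms}
    services = accessibility_services(root)
    libs = packer_libraries(native_libs)
    # Accessibility plus overlay is the core of the hijacking framework, so it
    # weighs more than any single permission; the packer is a weak signal on its own.
    score = len(findings) + 3 * bool(services) + bool(libs)
    return {
        'package': root.get('package'),
        'permission_findings': findings,
        'accessibility_services': services,
        'packer_libraries': libs,
        'score': score,
        'suspicious': bool(services) and 'android.permission.SYSTEM_ALERT_WINDOW' in perms,
    }


# Constructed sample: a decoded manifest with the capability set described above.
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='com.example.triagesample'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.SYSTEM_ALERT_WINDOW'/>
  <uses-permission android:name='android.permission.FOREGROUND_SERVICE'/>
  <uses-permission android:name='android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS'/>
  <uses-permission android:name='android.permission.READ_EXTERNAL_STORAGE'/>
  <application android:label='Sample'>
    <service android:name='.MonitorService'
             android:permission='android.permission.BIND_ACCESSIBILITY_SERVICE'>
      <intent-filter>
        <action android:name='android.accessibilityservice.AccessibilityService'/>
      </intent-filter>
    </service>
  </application>
</manifest>'''
SAMPLE_LIBS = ['lib/arm64-v8a/libjiagu_sdk_sample_gProtected.so', 'lib/arm64-v8a/libnative.so']

# Constructed control: an ordinary app that only talks to the network.
BENIGN_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='com.example.benign'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <application android:label='Benign'/>
</manifest>'''

if __name__ == '__main__':
    import json
    for manifest, libs in ((SAMPLE_MANIFEST, SAMPLE_LIBS), (BENIGN_MANIFEST, [])):
        print(json.dumps(triage(manifest, libs), indent=2))
```
The check is deliberately a triage filter, not a verdict: legitimate apps also declare overlay or accessibility capabilities, and a packed sample can hide its real manifest entries behind the packer, so a hit should route the APK to dynamic analysis of what the accessibility service actually does (auto-clicking permission dialogs, launching activities over wallet apps) rather than being treated as a detection on its own.\r\n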
These campaigns have targeted a global audience and continue to pose a significant risk to users, as evidenced by the ongoing presence of malicious apps on Google Play.\r\nTo defend against such mobile threats, users should adopt these best practices:\r\n- Only download apps from trusted sources and reputable developers. Check app ratings and reviews before installing, and be cautious of apps with many negative reviews or reports of scams.\r\n- Apply the latest security patches and operating system updates for devices, as these often contain fixes for known vulnerabilities.\r\n- Install and maintain a reputable mobile security solution to detect and block malware and other threats.\r\n- Be cautious when granting permissions to apps, especially those requesting access to sensitive information or system settings; CherryBlos cannot hijack anything until the user grants it the Accessibility Service.\r\n- Avoid clicking on suspicious links or downloading attachments from unknown sources, as these could lead to malware infections or phishing attempts.\r\nBy following these recommendations, users can minimize risks related to mobile threats and help secure their devices and personal information.\r\nTrend is part of Google’s App Defense Alliance (ADA), which enhances user security by detecting malicious apps prior to their release on the Google Play store. As part of this alliance, Trend, in partnership with Google, helps protect users from malicious actors, keeping the world safer for exchanging digital information.\r\nIndicators of Compromise\r\nThe indicators of compromise for this blog entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
	],
	"report_names": [
		"cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a03d754cdd8d88f4c9509e1856b87def2624b67f.pdf",
		"text": "https://archive.orkl.eu/a03d754cdd8d88f4c9509e1856b87def2624b67f.txt",
		"img": "https://archive.orkl.eu/a03d754cdd8d88f4c9509e1856b87def2624b67f.jpg"
	}
}