Trend Micro, a cybersecurity research firm, has discovered two malware strains specifically designed for Android devices, with one variant capable of exfiltrating data from images and photographs.

Trend Micro published a report on its official website revealing the recent discovery of two malware families: CheeryBlos and FakeTrade. Astonishingly, one found its way into Google Play, the certified app store for Android devices.

The researchers identified the two malicious applications as orchestrated by the same threat actor, leveraging identical network infrastructure and certificates. These malware strains hid within various apps, including SynthNet, that made their way into Google Play. As per a report by BleepingComputer, this app had been downloaded approximately 1,000 times before it was purged from the store.

Also Read: Cybercriminals Target Twitter Blue Subscribers Amid Platform’s Shift to X

However, Google Play wasn’t the only distribution channel for these malicious apps. The culprits exploited widespread distribution strategies like social media platforms and phishing sites, advertising the apps on platforms like Telegram, Twitter, and YouTube as artificial intelligence tools or cryptocurrency miners. Among these apps were GPTalk, Happy Miner, and Robot999. If these are installed on your devices, immediate removal is advised.

The primary objective of these malware strains was to pilfer essential data from infected devices, including any cryptocurrencies stored in mobile wallets. The malware accomplished this by overlaying crypto apps with a transparent or deceptive user interface to trick users into giving away their credentials to the culprits. They also hijacked the clipboard to replace the user’s crypto wallet address with an address controlled by the attackers.

Another sophisticated method employed was Optical Character Recognition (OCR), a feature in many high-end smartphones that allows the device to interpret text from a photo or image. Miscreants leveraged OCR to scan the photo gallery for useful images and exfiltrate the data to their command-and-control servers (C2).

While the malefactors did not specifically target any region, victims were predominantly located in Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico, per the researchers’ findings.

Given the global popularity of cryptocurrencies, especially Bitcoin and Ether, the imminent Bitcoin halving event has many investors hoarding these digital currencies in anticipation of the following potential bull run. This situation leaves many individuals, particularly newcomers to the crypto market, susceptible to scams and cyber-attacks.