On Android, a virus was found that recognizes characters in screenshots to steal data
Miscellaneous / July 29, 2023
This is possibly the first Trojan that has mastered OCR.
Security researchers at Trend Micro have discovered a rare piece of Android malware called CherryBlos, which attackers use to steal user credentials.
The malware is embedded in dozens of applications that are distributed mainly through sites advertising fraudulent schemes. Some of them also appeared on Google Play, but without the Trojan payload.
These applications carefully hide their malicious functionality and use a paid version of the Jiagubao software to encrypt their code. They also include built-in mechanisms that keep them running persistently on infected phones.
CherryBlos works like this: when the user opens the official app of a cryptocurrency service, the malware displays fake alerts that imitate real windows on the smartphone screen, and during a withdrawal it replaces the wallet address chosen by the victim with an address controlled by the attacker.
The most interesting aspect, which the researchers call rare if not entirely new, is a feature that lets the malware intercept the passphrases used to gain access to an account. When the official app displays the passphrase on the phone, the malware first takes a screenshot and then uses optical character recognition (OCR) to convert the image into text that can be used to take over the account.
Most financial applications use a protection that prevents screenshots during transactions or other sensitive operations. But CherryBlos appears to bypass these blocks too: apparently it obtains the accessibility permission intended for people with visual impairments or other disabilities.
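As an added defensive illustration (not code from the article or from Trend Micro), here is a hypothetical Android wallet screen in Java that applies FLAG_SECURE while a recovery phrase is shown and, because that flag does not stop an accessibility service that can capture the screen, lists enabled accessibility services so the app can warn the user first. The Activity name and the two helper methods are assumptions; CAPABILITY_CAN_TAKE_SCREENSHOT is only queryable on API 30 and later.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

// Hypothetical wallet screen that reveals a recovery phrase (example, not the article's code).
public class RecoveryPhraseActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE blocks ordinary screenshots, screen recording and the recents thumbnail.
        // It does not block an accessibility service with screenshot capability, which is the
        // gap described above, so the enumeration below complements it.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        List<String> risky = screenshotCapableAccessibilityServices(this);
        if (!risky.isEmpty()) {
            // Legitimate services such as a screen reader also appear here, so warn and let the
            // user review Settings > Accessibility rather than silently blocking.
            showAccessibilityWarning(risky); // assumed helper: renders the warning UI
        } else {
            revealPhrase(); // assumed helper: renders the phrase
        }
    }

    /** Package names of enabled accessibility services that can capture the screen
     *  (below API 30 the capability cannot be queried, so every enabled service is listed). */
    static List<String> screenshotCapableAccessibilityServices(Context ctx) {
        List<String> result = new ArrayList<>();
        AccessibilityManager am =
            (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return result;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            boolean canScreenshot = Build.VERSION.SDK_INT < Build.VERSION_CODES.R
                || (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_TAKE_SCREENSHOT) != 0;
            if (canScreenshot && info.getResolveInfo() != null) {
                result.add(info.getResolveInfo().serviceInfo.packageName);
            }
        }
        return result;
    }

    private void showAccessibilityWarning(List<String> packages) { /* assumed UI code */ }
    private void revealPhrase() { /* assumed UI code */ }
}
```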
On Google Play, the researchers found four main and dozens of additional applications. None of them contained a malicious payload, but they have already been removed from the store. The malware is believed to be present only in their web-distributed versions. The full list can be viewed here.