Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns

This app shares the same package name and label as the CherryBlos one, and its privacy policy listed in the developer contact details also points to the phishing website.

Upon further analysis, we found that it is a version of the app (3.1.17) without the CherryBlos malware embedded in it. However, we still believe that the app on Google Play was developed by the same threat actor, as it shares the same app certificate with the CherryBlos one.

Subject: O=FXrate
Valid From: 2021-11-05 09:45:39
Valid To: 2046-10-30 09:45:39
Serial Number: 2054d373
Thumbprint: 78f5d0d751a5b3f7756317834b9fcb4227cb7fe3

We also discovered that CherryBlos had connections to another similar campaign on Google Play. We have high confidence in attributing the campaigns to the same perpetrator due to shared network infrastructure and app certificates.

From the language used by these samples, we determined that the threat actor doesn’t have a specific targeted region, but targets victims across the globe, replacing resource strings and uploading these apps to different Google Play regions (such as Malaysia,  Vietnam, Indonesia, Philippines, Uganda, and Mexico).

Pivoting from the C&C server 008c.hugeversapi[.]com, we discovered two additional apps, Huge and Saya, that communicated with huapi.hugeversapi[.]com and sy.hugeversapi[.]com respectively. The two apps share the same app certificate and have been uploaded to Google Play. One of these apps, Saya, is still online at the time of writing.

Subject:CN=goShop, OU=goShop, O=goShop, L=goShop, ST=goShop, C=goShop    
Valid From: 2020-11-07 12:22:35
Valid To: 2045-11-01 12:22:35
Serial Number: 29be7603
Thumbprint: f76985062c394463e6a15e40bc2a48c5fb7fd6ba

We identified more apps sharing the same app certificate, all featuring shopping-related themes, claiming that users could earn money by completing tasks and inducing user top-ups to gain more income. Figure 17 shows examples of these apps.

Read More HERE