CherryBlos

CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos first appeared in April 2023 under the name Robot 999; since then it has used various aliases, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to Google Play in several regions, including Malaysia, Vietnam, Indonesia, the Philippines, Uganda, and Mexico.[1]

ID: S1225
Type: MALWARE
Platforms: Android
Contributors: Liran Ravich, CardinalOps
Version: 1.0
Created: 25 June 2025
Last Modified: 23 October 2025

Techniques Used

Domain ID Name Use
Mobile T1453 Abuse Accessibility Features

After accessibility permissions are granted, CherryBlos has used the Accessibility Service to monitor when a wallet application launches and to steal credentials.[1]

Mobile T1437 .001 Application Layer Protocol: Web Protocols

CherryBlos has communicated with the C2 server using HTTPS.[1]

Mobile T1646 Exfiltration Over C2 Channel

CherryBlos has exfiltrated credentials collected from pictures that have been analyzed using optical character recognition (OCR).[1]

Mobile T1420 File and Directory Discovery

CherryBlos has accessed media files stored in external storage and has used optical character recognition (OCR) to recognize potential mnemonic phrases in pictures.[1]

Mobile T1541 Foreground Persistence

CherryBlos has run as a foreground service, displaying the persistent notification that Android requires for such services, in order to evade detection.[1]

Mobile T1629 Impair Defenses

CherryBlos has returned the victim to the home screen whenever the victim navigates to the malicious application's settings page, and has automatically approved permission requests by clicking the "Allow" button when a system dialog appears.[1]

Mobile T1544 Ingress Tool Transfer

CherryBlos has received configuration files from the C2 server.[1]

Mobile T1417 Input Capture

CherryBlos has captured victims' credentials through predefined fake activities.[1]

Mobile T1655 Masquerading

CherryBlos has displayed fake wallet applications when the EnabledUIMode configuration field is set to true. When the EnableExchange field is set to true, CherryBlos has also overlaid a fake user interface while the victim makes a withdrawal in the legitimate Binance application, so that the withdrawal is ultimately sent to an address controlled by the threat actor.[1]

Mobile T1406 .002 Obfuscated Files or Information: Software Packing

CherryBlos has used a commercial packer named Jiagubao to evade static detection.[1]

Mobile T1660 Phishing

CherryBlos has been distributed through the threat actors’ Telegram group, fake TikTok and Twitter accounts, and YouTube videos.[1]

Mobile T1424 Process Discovery

CherryBlos has used the Accessibility Service to monitor when a wallet application has launched.[1]

Mobile T1418 Software Discovery

CherryBlos has obtained a list of installed cryptocurrency wallet applications.[1]

References