Indicators of Compromise
Related: CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns

---------------------------------------------------------------------------------------------------------------------------------
CherryBlos
---------------------------------------------------------------------------------------------------------------------------------
SHA256                                                            Label        Detection name            Version
63e0404b709945058b4ec8dde7b9d58d08754fd3d7db040acdf35a5f9989de03  Robot 999    AndroidOS_CherryBlos.GCL  1.0
8271e9310ba83ae81f78fc7d614e6e80439faebaefa156cda41a7d92b03d6f57  GPTalk       AndroidOS_CherryBlos.GCL  3.1.14
83e13b34b115ed432ee7b33fe215c533fcb2e0f5ec0054a577af28a262e4708e  SynthNet     AndroidOS_CherryBlos.GCL  3.1.16
fa22cd5be2af34cfc3ee777537fb20bf18aae393a228bdccf958785f8bdd22bf  SynthNet     AndroidOS_CherryBlos.GCL  3.1.18
1366b928506c24f6f41faf69d27cff4e90ea33f4ad86b7d404144ac8f12020b4  SynthNet     AndroidOS_CherryBlos.GCL  3.1.19
885b24b4b170b86c5c963324a78f9525b758bdec0bd4c254d7c1083a43e0e3be  Happy Miner  AndroidOS_CherryBlos.GCL  1.0

---------------------------------------------------------------------------------------------------------------------------------
Domain/URL                                  Description
---------------------------------------------------------------------------------------------------------------------------------
008c.hugeversapi.com                        C&C server
chatgptc.io                                 Phishing
gptc.m1m1mapi.com                           C&C server
happyminder.buzz                            Phishing
https://dl.chatgptc.io/gptalkwallet.apk     Malware download URL
https://dl.synthnet.ai/synthnet.apk         Malware download URL
https://happyminder.buzz/happyminer.apk     Malware download URL
https://www.robot999.net/robot999.apk       Malware download URL
robot999.net                                Phishing
synthnet.ai                                 Phishing
synthnet.m1m1mapi.com                       C&C server
wapi.hugeversapi.com                        C&C server

---------------------------------------------------------------------------------------------------------------------------------
Attacker-controlled cryptocurrency addresses
---------------------------------------------------------------------------------------------------------------------------------
Coin Type   Address                                     Chain Type
USDT/USDC   0x7cb460e143c4ae66b30397372be020c09fbdff3e  ERC20
USDT/USDC   TRcSgdsPZAmqRZofLnuWc5t6tRm6v7FZfR          TRC20
USDT/USDC   0x7cb460e143c4ae66b30397372be020c09fbdff3e  BEP20
BNB         0x7cb460e143c4ae66b30397372be020c09fbdff3e  BEP20
BTC         1MstmvhmcRbMvcknmXwW81fmoenTozTWVF          Bitcoin
ETH         0x7cb460e143c4ae66b30397372be020c09fbdff3e  ERC20
TRX         TRcSgdsPZAmqRZofLnuWc5t6tRm6v7FZfR          TRC20

---------------------------------------------------------------------------------------------------------------------------------
SynthNet App on Google Play
---------------------------------------------------------------------------------------------------------------------------------
SHA256                                                            Label     Detection name          Version
8a01025d4ee1c9649d86ff74864c580a1773deb77b469dc1439e410ecff595e3  SynthNet  AndroidOS_CherryBlos.A  3.1.16

---------------------------------------------------------------------------------------------------------------------------------
FakeTrade (Detected as AndroidOS_FakeTrade.HRXB)
---------------------------------------------------------------------------------------------------------------------------------
(N/A means that the app is likely to have never been uploaded to Google Play)

Label     Package Name            Release Date  Release Country  Status
AMA       com.mhanza.malay        2022-07-29    Malaysia         Removed
BBShop    com.sunny.verynice      2021-11-03    Argentina        Removed
Canyon    com.canyon.wgd          2023-04-12    Uganda           Removed
Compass   com.example.indonesia   N/A           N/A              N/A
Compose   com.example.vietnam     N/A           N/A              N/A
Domo      com.mramyr.myrapp       2022-12-29    Malaysia         Removed
Envoy     com.cpyn.indonesia      2021-02-02    Indonesia        Removed
Fair      com.zafgs.trosa         2022-08-25    South Africa     Removed
FIRETOSS  com.rebirth.mexico      2021-06-03    Mexico           Removed
Gobuy     com.ancientcoins.chic   2021-11-10    Portugal         Removed
GoDo      com.montoe.mashins      2023-01-13    Mexico           Removed
Goshop    com.gsrb.mexico         2021-09-05    Mexico           Removed
Huge      com.spicys.incenses     2022-08-08    Nigeria          Removed
Koofire   com.mhanza.rombo        2022-06-21    Ukraine          Removed
Leefire   com.ilive.philippines   2022-03-10    Philippines      Removed
Moshop    com.victory.regrets     2022-01-09    Colombia         Removed
Moshop    com.colombia.mexico     2021-10-29    Colombia         Removed
NtBuy     com.miracle.gsbx        2021-11-14    Brazil           Removed
Onefire   com.grouped.mounta      2023-02-23    Vietnam          Removed
Papaya    com.gsiran.papaya       2023-02-16    Iran             Removed
Pudding   com.warnse.prevtionse   N/A           N/A              N/A
Saya      com.ftegpt.shopsaya     2022-12-09    Egypt            Removed
Sengre    com.weird.transla       N/A           N/A              N/A
Smartz    com.yt.bra              2021-03-31    Brazil           Removed
Tango     com.derecu.ecuapp       N/A           N/A              N/A
Timeshop  com.turkey.gstk         N/A           N/A              N/A
Tinuiti   com.hope.indonesia      N/A           N/A              N/A
Upwork    com.ilivego.mexico      N/A           N/A              N/A
Upwork    com.ibelieve.sunlight   2022-03-04    Colombia         Removed
WebFx     com.squares.castled     2022-09-27    Bangladesh       Removed
WebFX     com.lepin.bengali       N/A           N/A              N/A
Youtech   com.rebirth.thailand    2021-07-23    Thailand         Removed
Youtech   com.ytyn.indonesia      2021-03-11    Indonesia        Removed
Youtech   com.cpmx.mexico         N/A           N/A              N/A