S1225 CherryBlos
CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.1
| Item | Value |
|---|---|
| ID | S1225 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 25 June 2025 |
| Last Modified | 23 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1453 | Abuse Accessibility Features | After accessibility permissions are granted, CherryBlos has used the Accessibility Service to monitor when a wallet application launches and to steal credentials.1 |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | CherryBlos has communicated with the C2 server using HTTPS.1 |
| mobile | T1646 | Exfiltration Over C2 Channel | CherryBlos has exfiltrated credentials collected from pictures that have been analyzed using optical character recognition (OCR).1 |
| mobile | T1420 | File and Directory Discovery | CherryBlos has accessed media files stored in external storage and has used optical character recognition (OCR) to recognize potential mnemonic phrases in pictures.1 |
| mobile | T1541 | Foreground Persistence | CherryBlos has utilized foreground services by showing a notification to evade detection.1 |
| mobile | T1629 | Impair Defenses | CherryBlos has sent the victim back to the home screen when the victim navigates to the malicious application’s settings and has automatically approved any permission requests by clicking on the “Allow” button when a system dialogue appears.1 |
| mobile | T1544 | Ingress Tool Transfer | CherryBlos has received configuration files from the C2 server.1 |
| mobile | T1417 | Input Capture | CherryBlos has captured victims’ credentials through predefined fake activities.1 |
| mobile | T1655 | Masquerading | CherryBlos has displayed masqueraded wallet applications if the EnabledUIMode field is set to true. CherryBlos has also displayed a fake user interface while victims make withdrawals in the legitimate Binance application if the EnableExchange field is set to true. The withdrawal transaction is ultimately transferred to the threat actor’s controlled address.1 |
| mobile | T1406 | Obfuscated Files or Information | - |
| mobile | T1406.002 | Software Packing | CherryBlos has used a commercial packer named Jiagubao to evade static detection.1 |
| mobile | T1660 | Phishing | CherryBlos has been distributed through the threat actors’ Telegram group, fake TikTok and Twitter accounts, and YouTube videos.1 |
| mobile | T1424 | Process Discovery | CherryBlos has used the Accessibility Service to monitor when a wallet application has launched.1 |
| mobile | T1418 | Software Discovery | CherryBlos has obtained a list of installed cryptocurrency wallet applications.1 |