
S1225: CherryBlos

CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.[1]

Domain: Mobile | ID: S1225 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

CherryBlos matters because it represents mobile malware aimed at Android users that can steal credentials and redirect cryptocurrency to adversary-controlled wallets. For executives and security leaders, the practical issue is not only malware on a phone; it is whether the organization can identify risky mobile apps, detect abuse of Android accessibility features, and respond when personal or corporate mobile use intersects with credential, wallet, or business application access.

Executive priority

Prioritize this as a mobile identity and fraud-risk scenario. Leaders should ask whether Android devices used for work have app-source governance, mobile threat telemetry, and incident playbooks for suspected credential capture. If employees access corporate accounts, cryptocurrency workflows, or sensitive business systems from Android devices, CherryBlos-linked behaviors create decision points for IAM hardening, mobile security investment, user reporting paths, and audit evidence around mobile endpoint controls.

Technical view

ATT&CK lists CherryBlos as Android malware and relates it to input capture, software/process/file discovery, abuse of accessibility features, foreground persistence, web-protocol command and control, ingress tool transfer, defense impairment, exfiltration over C2, masquerading, phishing, and software packing. SOC and IR teams should validate whether they can see suspicious Android app installation paths, accessibility service enablement, foreground service behavior, unusual app enumeration, file/process discovery, web traffic to suspicious infrastructure, and data movement over the same channel used for command and control. Because no official detection text is provided, detection engineering should be based on the related ATT&CK behaviors and local mobile telemetry rather than a single signature.

Likely telemetry

  • Android mobile device management or mobile threat defense app inventory and install-source data
  • Android accessibility service enablement and permission-change events where available
  • Foreground service usage and persistent notification/app behavior where available
  • Mobile network telemetry for HTTP/HTTPS communications from suspicious or newly installed apps
  • App reputation, package metadata, signing, and masquerading indicators

Detection direction

  • Start by mapping current Android telemetry to the related ATT&CK techniques rather than assuming coverage from desktop EDR controls.
  • Tune for combinations of behaviors: newly installed or masquerading app plus accessibility abuse, discovery activity, persistent foreground behavior, and web-protocol communications is more meaningful than any one weak signal alone.
  • Review blind spots around personal or unmanaged Android devices, regional app availability, and apps obtained from official stores or lookalike branding, since the supplied description notes upload to different Google Play regions.
  • Account for false positives from legitimate accessibility tools, security apps, device-management agents, and apps that normally use foreground services or HTTPS communications.
  • Correlate mobile alerts with IAM events so suspected input capture can trigger credential reset, token revocation, and session review decisions.
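The combination rule above (a newly installed or lookalike app, plus accessibility enablement, discovery, foreground persistence and web-protocol traffic, scored together rather than one weak signal at a time, with legitimate accessibility tools carved out) as an added worked example. This is not code from the ATT&CK object, Trend Micro, or the Glexia page; the event shape, the weights, the allowlist and every package, domain and installer name are assumptions, and the sample events are constructed.

```python
"""Behavior-combination scoring over Android MDM/MTD events.

Added example: this is not code from the ATT&CK object, Trend Micro, or the
Glexia page. The event shape (a dict with 'ts', 'package', 'event' and a few
per-event fields) and all package, domain and installer names are assumptions;
map them onto whatever your MDM/MTD export actually emits. SAMPLE_EVENTS is
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accessibility services expected on managed devices (assumed allowlist).
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback", "com.example.mtd.agent"}
# Installer packages treated as governed sources (assumption: Google Play only).
TRUSTED_INSTALLERS = {"com.android.vending"}
# Destinations already known from baseline traffic (constructed).
BASELINE_DOMAINS = {"play.googleapis.com", "api.bank.example"}

WINDOW = timedelta(hours=24)   # behaviors are only counted this long after install
WEIGHTS = {                    # one weight per behavior, with the ATT&CK technique it maps to
    "install_untrusted_source": 2,  # app-governance signal (sideloaded / unknown installer)
    "accessibility_enabled": 3,     # T1453 Abuse Accessibility Features
    "foreground_service": 1,        # T1541 Foreground Persistence
    "package_enumeration": 2,       # T1418 Software Discovery
    "https_non_baseline": 1,        # T1437.001 Web Protocols
    "masquerading_indicator": 2,    # T1655 Masquerading (from an app-reputation feed)
}
ALERT_THRESHOLD = 6            # no single behavior reaches this on its own


def score_packages(events):
    """Return {package: {"score", "behaviors", "alert"}} for newly installed packages.

    Only packages with an 'install' event are scored, and only behaviors seen
    within WINDOW of that install count. Accessibility enablement by an
    allowlisted package is dropped as an expected false positive.
    """
    by_pkg = defaultdict(list)
    for e in events:
        by_pkg[e["package"]].append(e)

    results = {}
    for pkg, evs in by_pkg.items():
        installs = [e for e in evs if e["event"] == "install"]
        if not installs:
            continue
        t0 = min(datetime.fromisoformat(e["ts"]) for e in installs)
        behaviors = set()
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if not t0 <= t <= t0 + WINDOW:
                continue
            kind = e["event"]
            if kind == "install" and e.get("installer") not in TRUSTED_INSTALLERS:
                behaviors.add("install_untrusted_source")
            elif kind == "accessibility_enabled" and pkg not in ACCESSIBILITY_ALLOWLIST:
                behaviors.add("accessibility_enabled")
            elif kind in ("foreground_service", "package_enumeration", "masquerading_indicator"):
                behaviors.add(kind)
            elif kind == "https_connect" and e.get("domain") not in BASELINE_DOMAINS:
                behaviors.add("https_non_baseline")
        score = sum(WEIGHTS[b] for b in behaviors)
        results[pkg] = {"score": score, "behaviors": sorted(behaviors),
                        "alert": score >= ALERT_THRESHOLD}
    return results


def _ev(ts, package, event, **fields):
    return {"ts": ts, "package": package, "event": event, **fields}

# Constructed sample: a lookalike wallet app from Play showing the full combination,
# a legitimate screen reader, a banking app that normally uses a foreground service
# and HTTPS, a sideloaded app whose later behavior falls outside the window, and a
# package with no install event at all.
SAMPLE_EVENTS = [
    _ev("2023-07-01T10:00:00", "com.example.walletpro", "install", installer="com.android.vending"),
    _ev("2023-07-01T10:05:00", "com.example.walletpro", "accessibility_enabled"),
    _ev("2023-07-01T10:06:00", "com.example.walletpro", "foreground_service"),
    _ev("2023-07-01T10:07:00", "com.example.walletpro", "package_enumeration"),
    _ev("2023-07-01T10:08:00", "com.example.walletpro", "https_connect", domain="cfg.example.net"),
    _ev("2023-07-01T10:09:00", "com.example.walletpro", "masquerading_indicator"),
    _ev("2023-07-01T09:00:00", "com.google.android.marvin.talkback", "install", installer="com.android.vending"),
    _ev("2023-07-01T09:01:00", "com.google.android.marvin.talkback", "accessibility_enabled"),
    _ev("2023-07-01T08:00:00", "com.bank.example.app", "install", installer="com.android.vending"),
    _ev("2023-07-01T08:01:00", "com.bank.example.app", "foreground_service"),
    _ev("2023-07-01T08:02:00", "com.bank.example.app", "https_connect", domain="api.bank.example"),
    _ev("2023-07-01T12:00:00", "com.example.sideload", "install", installer=None),
    _ev("2023-07-01T12:01:00", "com.example.sideload", "https_connect", domain="cfg.example.net"),
    _ev("2023-07-03T12:00:00", "com.example.sideload", "foreground_service"),    # outside WINDOW
    _ev("2023-07-01T13:00:00", "com.example.preloaded", "accessibility_enabled"),  # no install event
]

if __name__ == "__main__":
    for pkg, r in score_packages(SAMPLE_EVENTS).items():
        print(f"{pkg}: score={r['score']} alert={r['alert']} behaviors={r['behaviors']}")
```

The threshold is deliberately higher than any single weight, so a Play-installed app only alerts when several of the listed behaviors co-occur, while the banking app's foreground service and the screen reader's accessibility enablement stay below it. Feed a real alert into the IAM correlation step by treating the flagged package's install time as the start of the credential-exposure window.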

Mitigation priorities

  • Enforce mobile app governance for Android devices that access corporate resources, including approved-source expectations and review of high-risk app permissions.
  • Harden identity controls with phishing-resistant authentication where feasible, conditional access, session monitoring, and rapid credential-reset procedures for suspected mobile input capture.
  • Limit and monitor accessibility service permissions, especially for non-assistive or newly installed apps.
  • Maintain mobile incident response playbooks that cover device isolation, app removal, credential rotation, wallet or payment workflow review, and preservation of mobile telemetry.
  • Educate users to report deceptive prompts, unsolicited app links, wallet redirection, and apps impersonating trusted services.
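A point-in-time check for the app-source and accessibility-permission priorities above, as an added example that is not code from the ATT&CK object, Trend Micro, or the Glexia page. It parses the output of two real adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags every enabled accessibility service whose package is not on an allowlist, raising severity when that package did not come from a trusted installer. The allowlist, the trusted-installer set and the two sample outputs are constructed assumptions.

```python
"""Point-in-time audit of enabled Android accessibility services against an allowlist.

Added example: this is not code from the ATT&CK object, Trend Micro, or the
Glexia page. It parses the output of two real adb commands, which you would
capture per device (for example from an MDM script or a forensic collection):

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i

The allowlist, the trusted-installer set and the two sample outputs below are
constructed assumptions for illustration.
"""

# Packages allowed to run an accessibility service on managed devices (assumed).
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}
# Installers treated as governed app sources (assumed: Google Play only).
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw):
    """'pkg/cls:pkg2/cls2' (or 'null' when none) -> list of (package, fully qualified class)."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    services = []
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):          # relative class name, expand it
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw):
    """'package:<pkg>  installer=<pkg|null>' lines -> {package: installer or None}."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        rest = rest.strip()
        installer = None
        if rest.startswith("installer="):
            value = rest[len("installer="):]
            installer = None if value == "null" else value
        installers[pkg] = installer
    return installers


def audit(services_raw, packages_raw):
    """Flag every enabled accessibility service whose package is not allowlisted.

    Severity is 'high' when the package did not come from a trusted installer
    (sideloaded or unknown source) and 'medium' otherwise, so that a lookalike
    app obtained from an official store still surfaces for review.
    """
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        if pkg in ACCESSIBILITY_ALLOWLIST:
            continue
        installer = installers.get(pkg)
        severity = "high" if installer not in TRUSTED_INSTALLERS else "medium"
        findings.append({"package": pkg, "service": cls,
                         "installer": installer, "severity": severity})
    return findings


# Constructed sample outputs in the real formats of the two commands above.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.walletpro/.A11yService"
    ":com.example.sideload/com.example.sideload.HelperService"
)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.walletpro  installer=com.android.vending
package:com.example.sideload  installer=null
package:com.android.settings  installer=null
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"[{f['severity']}] {f['package']} service={f['service']} installer={f['installer']}")
```

Run it against exported device state rather than live adb where possible, since the same two outputs are what a forensic collection preserves; a non-allowlisted service on a Play-installed package is the case the description above calls out and is the reason the Play-installed finding is still reported.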

Analyst notes and limits

The supplied ATT&CK object does not specify tactics or official detection guidance, so this take is driven by the official malware description and the listed technique relationships. The business relevance is strongest where Android devices are used for corporate authentication, sensitive app access, cryptocurrency-related workflows, or unmanaged BYOD access.

This summary does not establish active exploitation, specific victim exposure, attribution, or guaranteed detection. Local device-management scope, mobile logging depth, IAM integration, and user population determine how much of this behavior an organization can actually observe.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

13 rows

Domain | ID | Name | Relationship / procedure
Mobile | T1541 | Foreground Persistence | CherryBlos has utilized foreground services by showing a notification to evade detection. [1]
Mobile | T1453 | Abuse Accessibility Features | After accessibility permissions are granted, CherryBlos has used the Accessibility Service to monitor when a wallet application launches and to steal credentials. [1]
Mobile | T1417 | Input Capture | CherryBlos has captured victims' credentials through predefined fake activities. [1]
Mobile | T1424 | Process Discovery | CherryBlos has used the Accessibility Service to monitor when a wallet application has launched. [1]
Mobile | T1418 | Software Discovery | CherryBlos has obtained a list of installed cryptocurrency wallet applications. [1]
Mobile | T1660 | Phishing | CherryBlos has been distributed through the threat actors' Telegram group, fake TikTok and Twitter accounts, and YouTube videos. [1]
Mobile | T1420 | File and Directory Discovery | CherryBlos has accessed media files stored in external storage and has used optical character recognition (OCR) to recognize potential mnemonic phrases in pictures. [1]
Mobile | T1629 | Impair Defenses | CherryBlos has sent the victim back to the home screen when the victim navigates to the malicious application's settings and has automatically approved any permission requests by clicking on the "Allow" button when a system dialogue appears. [1]
Mobile | T1646 | Exfiltration Over C2 Channel | CherryBlos has exfiltrated credentials collected from pictures that have been analyzed using optical character recognition (OCR). [1]
Mobile | T1406.002 | Software Packing (sub-technique) | CherryBlos has used a commercial packer named Jiagubao to evade static detection. [1]
Mobile | T1655 | Masquerading | CherryBlos has displayed masqueraded wallet applications if the EnabledUIMode field is set to `true`. CherryBlos has also displayed a fake user interface while victims make withdrawals in the legitimate Binance application if the EnableExchange field is set to `true`. The withdrawal transaction is ultimately transferred to the threat actor's controlled address. [1]
Mobile | T1544 | Ingress Tool Transfer | CherryBlos has received configuration files from the C2 server. [1]
Mobile | T1437.001 | Web Protocols (sub-technique) | CherryBlos has communicated with the C2 server using HTTPS. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ea312dec6681ec39...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | ea312dec6681…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TrendMicro_CherryBlos_July2023: Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.
  2. [2] mitre-attack S1225 (the mirrored ATT&CK object record for this entry).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.