Heads up, Android users! A new wave of malicious Android apps appeared on the Google Play Store aimed at stealing users’ Facebook credentials. Google has since removed those apps, make sure to delete them from your devices, too (if installed).
Android Apps Stealing Facebook Credentials
Researchers from Dr. Web found another bunch of malicious apps flooding the Android Play Store. This time, they found at least 10 different trojanized apps aiming at stealing Facebook credentials of Android users. These include apps belonging to different niches and offering different services, such as photo editing, phone management, fitness, and astrology.
As elaborated in their report, the researchers noticed the following apps exhibit the trojanized versions.
Here’s a quick list of those apps with other details.
App Name | Developer | Detected Package | No. of Downloads |
Processing Photo | chikumburahamilton | Android.PWS.Facebook.13 | 500,000+ |
App Lock Keep | Sheralaw Rence | Android.PWS.Facebook.13 | 50,000 |
App Lock Manager | Implummet col | Android.PWS.Facebook.13 | 10 |
Lockit Master | Enali mchicolo | Android.PWS.Facebook.13 | 5,000 |
Rubbish Cleaner | SNT.rbcl | Android.PWS.Facebook.13 | 100,000+ |
Horoscope Daily | HscopeDaily momo | Android.PWS.Facebook.13 | 100,000+ |
Horoscope Pi | Talleyr Shauna | Android.PWS.Facebook.13 | 1,000+ |
Inwell Fitness | Reuben Germaine | Android.PWS.Facebook.14 | 100,000+ |
PIP Photo | Lillians | Android.PWS.Facebook.17 and Android.PWS.Facebook.18 | 5,000,000+ |
How Did The Apps Stole Facebook Login?
Briefly, the apps exhibited normal functionality, thus ruling out any suspicion for users. The apps then would ask users to log in via their Facebook account to remove ads and experience the full app functionality.
At this point, again, things would appear normal since the apps used to load the legit Facebook login page to the users. Nonetheless, the app would utilise additional JavaScript to send the credentials to the attackers’ C&C in the background.
As stated in the post,
These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to highjack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server.
Besides login credentials, the apps also stole users’ session cookies.
While the apps remained focused on Facebook accounts, the researchers could observe that the attackers could exploit the same functionality to steal any other site’s account credentials.
One of the IoCs, Android.PWS.Facebook.15, hint at the potential Chinese origin of the threat actors.
The Android.PWS.Facebook.15 malicious program that turned out to be an earlier modification of the trojans, is identical to the others. However, it contains additional functionality to output the data into the log in Chinese, which may indicate its possible origin.
How To Detect Malicious Android Apps?
Given the huge customer base, Android devices remain vulnerable to cyber threats, including the appearance of malicious apps now and then.
Therefore, to protect themselves against such threats, Android users must keep their devices loaded with robust antivirus solutions.
Besides, it’s always wise to keep an eye on how the apps behave, what permissions they ask for, and the kind of credentials they require you to enter.
Moreover, as Dr, Web advised,
If you are not sure that what you are doing is safe, it would be better for you not to proceed any further and uninstall the suspicious program.
Also, make sure to protect your smartphone from cybercriminals by following the best practices.
Let us know your thoughts in the comments.