As per a recent report, Google has pulled out 9 malicious Android apps from the Google Play Store that are stealing Facebook users login and passwords. One of the apps from the list had millions of users that disabled in-app ads by logging into their Facebook account.
Google LLC has finally discarded all these 9 Android apps from the Play Store, first discovered by Doctor Web’s malware analysts. According to its reports, these malicious apps were stealing Facebook users’ credentials, including logins and passwords details. These stealer trojans were spread as harmless software and were installed more than 5,856,010 times.
However, the analysts have discovered a total of 10 trojan apps out of which 9 were available on Google Play. Processing Photo which is a photo editing software was found as Android.PWS.Facebook.13 was spread by the developer chikumburahamilton. It was installed over 500,000 times.
Also Read: Google Drive security issue could disguise malicious files into legitimate documents
The report stated that “applications that enabled access limitations for using other software installed on Android devices: App Lock Keep from the developer Sheralaw Rence, App Lock Manager from the developer Implummet col, and Lockit Master from the developer Enali mchicolo―all detected as Android.PWS.Facebook.13. They were downloaded at least 50,000, 10 and 5,000 times respectively.”
Another Rubbish Cleaner from the developer SNT.rbcl which poses as a utility to optimize the Android device performance was identified as Android.PWS.Facebook.13 has been downloaded over 100,000 times.
Astrology programs- Horoscope Daily from the developer HscopeDaily momo and Horoscope Pi from the developer Talleyr Shauna, are also detected as Android.PWS.Facebook.13. The former one is said to have more than 100,000 installs while the latter―more than 1,000 installs.
Also Read: Google discovered and removed more than 500 malicious Chrome extension
After identifying the web security specialist reported to Google. Then Google took the initiative to remove part of these malicious applications from Google Play.
Doctor Web reported that its specialists during the investigation of these stealer trojans or applications have discovered that an earlier modification that was spread through Google Play under the guise of an image editing software called EditorPhotoPip, which has already been removed from the official Android app store but still available on software aggregator websites. This modification was added to the Dr.Web virus database as Android.PWS.Facebook.15.
Moreover the Android.PWS.Facebook.13, Android.PWS.Facebook.14, and Android.PWS.Facebook.15 are identified as native Android apps whereas the Android.PWS.Facebook.17 and Android.PWS.Facebook.18 are utilizing the Flutter framework designed for cross-platform development. As per the report, all these can be considered modifications of the same trojan since they use identical configuration file formats and identical JavaScript scripts to steal user data.
Throwing some more light these Android apps were functional and are said to weaken the vigilance of potential victims to access all of the apps’ functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts. Over that, the advertisements inside some of the apps were indeed present. This operation was done to further encourage Android device owners to perform the required actions. Allowing that users agreed and clicked the login button, they saw a standard social network login form. At once it will look like a genuine login form but these trojans used a special mechanism to fool their victims. After receiving the required settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView.
Reportedly this script was directly used to take over the entered login credentials. From there on, this JavaScript, using the methods provided through the JavascriptInterface annotation, moved the stolen login and password to the trojan applications, which then transmitted the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.
Investigation revealed that they all received settings for stealing logins and passwords of Facebook accounts. Having said that, the attackers could have easily changed the trojans’ settings and commanded them to load the web page of another legitimate service. They could have even used a completely sham login form located on a phishing site. Hence, the trojans could have been utilised to steal logins and passwords from any service.
How to identify and stay protected from malicious Android apps?
It is recommended that Android users should always install apps from known sources or trusted developers on Google Play. They should also watch out for other user reviews. Though the review could not be considered genuine and does not guarantee that apps are harmless but can still alarm you about potential threats. You should also be careful when and which app asks you to login into your account. If still unclear you should better not install the app or when found something suspicious you should immediately uninstall the program from your device.
For the latest gadget and tech news, and gadget reviews, follow us on Twitter, Facebook and Instagram. For newest tech & gadget videos subscribe to our YouTube Channel. You can also stay up to date using the Gadget Bridge Android App.
