Google has removed nine Android apps from its Play marketplace after researchers discovered that the apps could steal Facebook login credentials.
According to Dr. Web, the apps were designed to gain users’ trust and lower their guard. All the apps identified offered users the option to disable in-app ads by logging in to Facebook. Users who selected this option were shown the authentic Facebook login page, with fields for entering a username and password.
As Dr. Web researchers wrote:
To trick their victims, these trojans used a unique mechanism. After receiving the settings from the C&C server upon launch, they loaded the authentic Facebook page https://www.facebook.com/login.php to WebView. Next, they loaded JavaScript from the C&C server to the same WebView. This script was used to steal the login credentials. Using the JavascriptInterface annotation methods, this JavaScript passed the stolen password and login details to the trojan apps. The attackers then received the data from the C&C server. The trojans stole cookies from the current authorization session after the victim logged in to their account. These cookies were also sent out to cybercriminals.
Analyzing the malicious programs revealed that they had settings to steal logins and passwords from Facebook accounts. The attackers could have changed the settings of the trojans and told them to load a page from another legitimate service. The attackers could even have used a fake login page. The trojans could have been used for stealing logins and passwords from any website.
Researchers found five malware variants in the apps. Three were native Android apps, while the remaining two used Google’s Flutter framework, which is designed to be cross-platform compatible. Dr. Web stated that it treats all of them as the same trojan, as they all use identical JavaScript code to steal user data and configuration files.
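A defender's triage heuristic for the WebView pattern described above, as an added example that is not from Dr. Web or this article: it flags decompiled source that exposes a JavaScript bridge and injects script supplied at run time, and raises the verdict when session cookies are also read. The indicator grouping, verdict names and sample snippets are assumptions constructed for illustration; because the page to load arrives in remote settings, the check does not rely on a hard-coded Facebook URL.

```python
import re

# Android API names below are real; the grouping into indicators and the
# verdict rules are assumptions of this example, not Dr. Web's signatures.
INDICATORS = {
    "js_enabled": re.compile(r'setJavaScriptEnabled\(\s*true\s*\)'),
    "js_bridge": re.compile(r'addJavascriptInterface\(|@JavascriptInterface'),
    # Script passed as a variable (not a string literal) suggests it was
    # fetched at run time, e.g. from remote settings.
    "dynamic_script": re.compile(
        r'evaluateJavascript\(\s*[A-Za-z_]|loadUrl\(\s*"javascript:"\s*\+'),
    "cookie_read": re.compile(r'CookieManager\.getInstance\(\)\s*\.getCookie\('),
}

def triage(source: str) -> dict:
    """Return matched indicators and a verdict for one decompiled source file."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    # Bridge + run-time script is the credential path the report describes;
    # a cookie read on top of that matches the session-cookie step.
    if {"js_bridge", "dynamic_script"} <= set(hits):
        verdict = "high" if "cookie_read" in hits else "review"
    else:
        verdict = "none"
    return {"hits": hits, "verdict": verdict}

# Constructed samples (not taken from any real app).
SUSPICIOUS = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "app");
webView.loadUrl(config.getLoginUrl());
webView.evaluateJavascript(config.getScript(), null);
String c = CookieManager.getInstance().getCookie(config.getLoginUrl());
class Bridge { @JavascriptInterface public void send(String a, String b) {} }
'''
BENIGN = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.loadUrl("https://example.com/help");
'''

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage(src))
```

A hit is a prompt for manual review rather than proof of malice, since legitimate hybrid apps also use JavaScript bridges.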
Most of the downloads were for PIP Photo, which was downloaded more than 5 million times. Processing Photo was the app with the second-highest downloads, with over 500,000. The rest of the apps were:
Google Play searches show that all the apps have been removed. A Google spokesperson stated that all developers of the nine apps had been removed from Google Play. This means they won’t be permitted to create new apps. Although that is the right thing for Google to do, the developers can still sign up for a new account under a different name and pay $25 for it.
Anyone who downloaded any of these apps should carefully examine their device and their Facebook accounts for any indications of compromise. In addition, it’s a good idea to download an Android antivirus app from a trusted security company and scan for malicious apps. Malwarebytes’ offering is my favorite.