There is a constant struggle to keep the app stores clear of malware and scams aimed at users. This time, researchers discovered nine Android apps that used a trick to steal Facebook passwords. The worst part is that these were not niche apps: together they had over 5.8 million downloads, so the number of users whose smartphones were already "engaged" is considerable.
Google has already removed them, after researchers at a security company worked out how the criminals operated.
Social engineering to steal Facebook passwords
The scheme was simple from the point of view of gaining the trust of the user. According to the security company behind the discovery, the apps provided fully functional services for photo editing and framing, exercise and training, horoscopes, and deleting junk files from Android devices.
All of the identified apps offered users the option of opting out of in-app ads by logging into their Facebook accounts. Users who chose the option saw a real Facebook login form with fields for entering usernames and passwords.
What could be easier than getting a functional, free and ad-free application in exchange for a single login? Millions of people fell for this simple but effective ruse.
These Trojans used a special mechanism to deceive their victims. After receiving the necessary settings from one of the C&C servers at launch, they loaded the legitimate Facebook webpage https://www.facebook.com/login.php into WebView. They then loaded the JavaScript received from the C&C server into the same WebView.
This script was used directly to hijack the login credentials entered. After that, this JavaScript, using the methods provided via the JavascriptInterface annotation, passed the stolen login and password to the Trojan applications, which then forwarded the data to the attackers’ C&C server.
Once the victim logged into their account, the Trojans also stole the cookies from the current authorization session. These cookies were also sent to cybercriminals.
explained the researchers at Dr Web.
Mechanism could be used to steal passwords from any service
According to the analysis, all of these malicious applications were used to steal the usernames and passwords of Facebook accounts. However, the attackers could easily have changed the Trojans' settings and instructed them to load the login page of another legitimate service instead.
In fact, with this mechanism they could even have loaded a completely bogus login form hosted on a phishing site. The Trojans could therefore have been used to steal the credentials of any service.
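The mechanism described in the quoted analysis and generalized in the two paragraphs above has a recognizable shape in decompiled code: a WebView with JavaScript enabled, a real login URL, attacker-supplied script evaluated into that page, a Java bridge exposed through @JavascriptInterface, and a CookieManager read afterwards. The triage script below is an added example, not Dr Web's code or anything from the Trojans themselves; it scans decompiled smali or Java lines for that combination. The Android API names are real, but the weights, the threshold and the list of login hosts are this example's own assumptions, and the two input samples are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Indicator name -> (pattern, weight). The API names are real android.webkit
# APIs; the weights and the login-host list are assumptions made for this example.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    # Bridge that lets injected JS hand data back to the app.
    "js_bridge": (re.compile(r"addJavascriptInterface|@JavascriptInterface"), 3),
    # Script evaluated into an already-loaded page (the injected credential grabber).
    "js_injection": (re.compile(r"evaluateJavascript|loadUrl\(\"javascript:"), 3),
    # JavaScript enabled on the WebView (smali signature is setJavaScriptEnabled(Z)V).
    "js_enabled": (re.compile(r"setJavaScriptEnabled\((true|Z)"), 1),
    # Session cookies read back from the WebView after login.
    "cookie_read": (re.compile(r"CookieManager.*getCookie"), 2),
    # A genuine third-party login page as the WebView target.
    "login_page": (
        re.compile(r"https?://[\w.-]*(facebook|instagram|google|twitter)\.com/[\w/.-]*login", re.I),
        3,
    ),
    # Settings fetched from a remote server at launch (the C&C configuration step).
    "remote_config": (re.compile(r"https?://[\w.-]+/(config|settings|cfg)\b", re.I), 1),
}

# Any one indicator alone is common in benign apps; this trio together is the
# signature of the scheme described above.
CORE = {"js_bridge", "js_injection", "login_page"}


def triage(lines: List[str], threshold: int = 8) -> Dict[str, object]:
    """Scan decompiled lines and report which indicators fired (with line numbers),
    a weighted score, and a verdict of 'suspicious' or 'benign'."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(lines, 1):
        for name, (pattern, _weight) in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    score = sum(INDICATORS[name][1] for name in hits)
    verdict = "suspicious" if score >= threshold and CORE <= hits.keys() else "benign"
    return {"hits": hits, "score": score, "verdict": verdict}


# Constructed smali excerpt modelled on the behaviour described above (not real malware).
SUSPICIOUS_APP = [
    'invoke-virtual {v0}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;',
    'invoke-virtual {v1, v2}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V',
    'const-string v3, "https://www.facebook.com/login.php"',
    'invoke-virtual {v0, v3}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V',
    'invoke-virtual {v0, v4, v5}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V',
    'invoke-virtual {v0, v6, v7}, Landroid/webkit/WebView;->evaluateJavascript(Ljava/lang/String;Landroid/webkit/ValueCallback;)V',
    'invoke-static {}, Landroid/webkit/CookieManager;->getInstance()Landroid/webkit/CookieManager;',
    'invoke-virtual {v8, v3}, Landroid/webkit/CookieManager;->getCookie(Ljava/lang/String;)Ljava/lang/String;',
]

# Constructed excerpt of an ordinary app: a bridge for its own bundled help page only.
BENIGN_APP = [
    'invoke-virtual {v1, v2}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V',
    'const-string v3, "file:///android_asset/help.html"',
    'invoke-virtual {v0, v3}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V',
    'invoke-virtual {v0, v4, v5}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V',
]

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_APP), ("benign", BENIGN_APP)):
        print(label, triage(sample))
```

This is a hunting aid for sorting a batch of decompiled APKs, not a detection signature: string encryption, reflection, or a login URL delivered only at runtime from the C&C server (as the quoted analysis says the settings were) would all hide the "login_page" indicator, so a "benign" verdict should be read as "nothing obvious", not as a clean bill of health.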
Researchers have identified five variants of malware hidden in apps. Three of these were native Android apps, and the other two used Google’s Flutter framework, which was designed for cross-platform compatibility.
The security company said it classifies them all as the same Trojan because they use identical configuration file formats and identical JavaScript code to steal user data.
The variants identified by the company are:
Over 5.8 million downloads of Android apps containing malware
Most of the downloads went to an app called PIP Photo, which alone accounts for the bulk of the 5.8 million combined downloads. The next most widely installed was Processing Photo, with over 500,000 downloads.
The other affected apps were:
A Google Play search shows that all of the apps have been removed from the store. A Google spokesperson said the company has also banned the developers of the nine apps, meaning they will not be allowed to submit new ones.
Google has little else it can do, and even this is a soft measure that will not stop the attackers. They can simply register a new developer account under a different name, pay the $25 fee, and try to deceive Google and Android users again. Easy, right?
Be careful if you have downloaded them to your smartphone
Anyone who has downloaded any of these apps should check their device and Facebook account carefully for signs of compromise.
If you have installed any of these apps on your Android device, remove it immediately and change your Facebook password. Because the Trojans also stole session cookies, changing the password alone is not enough to be sure: review the active sessions in Facebook's security settings and log out of any you do not recognize.