UPDATED 22:15 EST / JULY 04 2021

SECURITY

Nine apps stealing Facebook login credentials pulled from Google Play

Google LLC has removed nine Android apps from the Play store, including one with millions of users, after they were discovered to be stealing users’ Facebook Inc. login credentials.

Discovered and detailed July 1 by malware analysts at Dr. Web, the apps, described as “stealer Trojans,” were spread as harmless software and were installed nearly 6 million times. Unlike some previous cases where malicious Android apps have been discovered, the apps in this case all provided legitimate services such as photo editing and framing, exercise and training, horoscopes and junk file removal.

Apps included PIP Photo with up to 5 million installs; Processing Photo with up to 500,000 installs; Rubbish Cleaner, Horoscope Daily and Inwell Fitness with up to 100,000 installs; and App Lock Keep with up to 50,000 installs. Lockit Master, Horoscope Pi and App Lock Manager rounded out the list.

Commonly between the apps, users were offered the ability to disable in-app ads by logging into their Facebook account. The analysts noted that “the advertisements inside some of the apps were indeed present and this maneuver was intended to further encourage Android device owners to perform the required actions.”

App users selecting the option were then presented with a standard Facebook login but with a difference: The genuine Facebook login page was shown in WebView with JavaScript also loaded to hijack the entered login credentials.

When users entered their Facebook login details, the JavaScript would then send the credentials to the attacker’s command-and-control server, while the users would be none the wiser, having successfully logged into Facebook. After the victims logged into their account, the Trojan also stole cookies from the current authorization sessions.

Although those behind the apps targeted Facebook accounts, they could have targeted accounts on other services. “The attackers could have easily changed the trojans’ settings and commanded them to load the web page of another legitimate service,” the analysts explained. “They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service.”

Google has not made a public statement on the apps yet. Ars Technica reported Friday that the apps have been removed from the store. A Google spokesperson told Ars Technica that the developers of the apps have also been banned.

Image: Dr. Web

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU