
Google has removed nine Android apps, downloaded more than 5.8 million times, from the company’s Play marketplace after researchers said these apps used a sneaky way to steal users’ Facebook login credentials.

In an effort to gain users’ trust and lower their guard, the apps provided fully functional services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices, according to a post published by security company Dr. Web. All of the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a real Facebook login form with fields for entering usernames and passwords.

Then, as the researchers at Dr. Web wrote:

These Trojans used a special mechanism to deceive their victims. After receiving the necessary settings from one of the C&C servers at launch, they loaded the legitimate Facebook webpage into WebView. Then they loaded the JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the login credentials entered. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed the stolen login and password to the Trojan applications, which then forwarded the data to the attackers’ C&C server. Once the victim logged into their account, the Trojans also stole the cookies from the current authorization session. These cookies were also sent to cybercriminals.

Malware analysis showed that they were all given settings to steal Facebook account IDs and passwords. However, the attackers could easily have changed the settings of the Trojans and ordered them to load the web page of another legitimate service. They could even have used a completely bogus login form located on a phishing site. Thus, Trojans could have been used to steal the usernames and passwords of any service.
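A static triage heuristic for the behaviour chain Dr. Web describes above (a JavaScript bridge, a script chosen at run time, a session-cookie read), added here as an example that is not from Dr. Web or the original article. It scans decompiled Java sources; the verdict rule, the sample snippets and their class and variable names are assumptions made for illustration.

```python
import re

# Android SDK names are real; the indicator grouping and the verdict rule are
# assumptions of this example, not Dr. Web's detection logic.
INDICATORS = {
    "js_bridge": re.compile(r'addJavascriptInterface\s*\(|@JavascriptInterface'),
    # Script argument that is not a plain string literal, i.e. chosen at run time.
    "dynamic_script": re.compile(
        r'evaluateJavascript\(\s*(?![\s"])|loadUrl\(\s*"javascript:"\s*\+'),
    "cookie_read": re.compile(r'\.getCookie\s*\('),
}

def scan_sources(sources):
    """Return {indicator: sorted list of files whose text matches it}."""
    hits = {name: [] for name in INDICATORS}
    for path, text in sources.items():
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits[name].append(path)
    return {name: sorted(paths) for name, paths in hits.items()}

def verdict(hits):
    """Bridge plus run-time script is 'review'; with a cookie read it is 'high'."""
    if hits["js_bridge"] and hits["dynamic_script"]:
        return "high" if hits["cookie_read"] else "review"
    return "low"

# Constructed decompiled-source snippets; class and variable names are hypothetical.
SUSPECT = {
    "LoginActivity.java": '''
        webView.addJavascriptInterface(new Bridge(), "app");
        webView.loadUrl(settings.pageUrl);
        webView.evaluateJavascript(settings.script, null);
        String c = CookieManager.getInstance().getCookie(webView.getUrl());
    ''',
    "Bridge.java": '''
        @JavascriptInterface
        public void onResult(String a, String b) { }
    ''',
}
BENIGN = {
    "HelpActivity.java": '''
        webView.loadUrl("file:///android_asset/help.html");
        webView.evaluateJavascript("document.title", null);
    ''',
}

if __name__ == "__main__":
    print({n: verdict(scan_sources(a)) for n, a in (("suspect", SUSPECT), ("benign", BENIGN))})
```

A "review" or "high" result only marks an app for manual analysis: legitimate hybrid apps also combine a bridge with injected script, so the reviewer still has to check which page the WebView loads and where the bridge methods send their arguments.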


Researchers identified five malware variants hidden inside the apps. Three of them were native Android apps, and the other two used Google’s Flutter framework, which is designed for cross-platform compatibility. Dr. Web said it classifies all of them as the same trojan because they use identical configuration file formats and identical JavaScript code to steal user data.

Dr. Web identified the variants as follows:

The majority of downloads were for an app called PIP Photo, which has been viewed over 5.8 million times. The application with the second largest reach was Photo processing, with more than 500,000 downloads. The remaining applications were:

A search of Google Play shows that all of the apps have been removed. A Google spokesperson said the company has also banned the developers of all nine apps from the store, meaning they won’t be allowed to submit new apps. This is the right thing for Google to do, but it poses only a minimal obstacle for the developers, who can simply create a new developer account under a different name for a one-time fee of $25.

Anyone who has downloaded any of the above apps should carefully examine their device and Facebook accounts for any signs of compromise. Downloading a free Android antivirus app from a well-known security company and scanning for other malicious apps isn’t a bad idea either. The Malwarebytes offering is my preferred one.

