A Russian malware on the Play Store! It steals your Facebook data…
The apps on your phones aren’t always what they make you think they are. Some are set up by hackers who, through more ingenious means than each other, attack your data and your bank accounts. We talk about it here week after week and we have the impression, unfortunately for users and innocent victims, that we are far from having finished dealing with the subject. We were talking about the damage caused by the Escobar malware a few days ago, but today we are going to look at another threat, well hidden in a photo editing app.
Contents
Read also: HermeticWiper: Russian malware attacks Ukraine and France
Facestealer: don’t lose face!
The Mobile Security Company Pradeo indeed announced to have discovered thata well-established app on the Play Store contained malware known in the industry as Facestealer. The latter is not new, even if its appearances are sporadic on the malware scene. Its operation is very simple. You download and open the infected program and it tells you that you need to connect to Facebook. One click and you find yourself on an external web page that asks you to identify yourself. Once this is done, your information is sent to the hackers’ server located on a domain in Russia that has already been active for many years, as the Pradeo team explains:
Our research shows that this domain has been in use for seven years, intermittently, and has been connected to multiple mobile apps that were available on Google Play for a while and then removed.
The receptacle recently chosen by Facestealer was Craftsart Cartoon Photo Tools, an application downloaded by more than 100,000 people and which escaped the vigilance of the Play Store police.
Pradeo researchers tell us why:
The app mimics the behavior of legitimate photo editing apps. In fact, it was injected with a small piece of code that easily slips under the radar of store saves.
Alas, cut off the Trojan horse’s head and it’s a safe bet that it will tirelessly grow back in another form.
Also read: SharkBot: these antiviruses hide malware!
App app app hurrah!
As we are explained in the post, cybercriminals indeed use repackaging technique to keep their stable alive. They just have to copy the code of an application and bring it back to life under a new identity and with a brand new icon. Sometimes, this practice is even automated and the publication of the programs hosting Facestealer is done by itself at regular intervals on the stores. Once the credentials are retrieved, hackers use the hacked Facebook accounts to spend your money and contact your friends to share phishing links with them. Even more vicious, some also take advantage of it to launch disinformation campaigns.
Today, Craftsart Cartoon Photo Tools has been banned from play store but most likely you can still find it in alternative stores that are much less careful about the quality of the applications they offer. Beware of it like the plague and, if you had the misfortune to download it, uninstall it on the spot and make it disappear into the limbo of your memory.
