These Android apps could have stolen your Facebook password

Google has withdrawn nine Android apps with a combined total of more than 5.8 million Play Store downloads. Researchers found that these apps could steal their users’ Facebook credentials.

Security experts from Dr. Web identified nine Android apps that at first glance offered useful services but whose real purpose was the theft of their users’ Facebook credentials. To gain their users’ trust and lower their guard, the apps implemented fully functional services for photo editing, fitness, horoscopes and removing junk files.

The attackers stole the Facebook data

All identified apps offered users the option to opt out of in-app advertising by logging into their Facebook account. Users who chose this option were shown a real Facebook login form with fields for entering usernames and passwords.

What made the scheme particularly insidious was that the login page shown in the WebView really was the original Facebook page. To get at the user data, the attackers loaded their own JavaScript into the same WebView. This script’s only task was to capture the entered data and send it to the attackers. After a successful Facebook login, the JavaScript also stole the cookies from the current authorization session. These cookies were also sent to the cyber criminals.

Dr. Web’s analysis of the malware found that the apps were limited to stealing logins and passwords from Facebook accounts. However, the attackers could easily have changed the settings of the apps and instructed them to load the website of another service. According to Dr. Web, it would even have been possible to use a completely fake registration form located on a phishing site. The apps could therefore have been used to steal logins and passwords from any service.
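An added example, not from Dr. Web or the original article: a static triage heuristic that flags decompiled app code in which a JavaScript-enabled WebView loads a third-party login page while the app also injects script, exposes a JavaScript bridge or reads cookies. The sample snippets and the watch list are constructed assumptions; the Android API names are real, but the article does not state which calls the apps actually used.

```python
import re

# Heuristic indicators for the pattern described above: a WebView shows a
# genuine third-party login page while the host app can run script inside it.
INDICATORS = {
    "js_enabled": re.compile(r'setJavaScriptEnabled\(\s*true\s*\)'),
    "script_injection": re.compile(r'evaluateJavascript\(|loadUrl\(\s*"javascript:'),
    "js_bridge": re.compile(r'addJavascriptInterface\('),
    "cookie_read": re.compile(r'CookieManager\.getInstance\(\)\.getCookie\('),
}
# Assumed watch list of login hosts; extend it, since the article notes the
# apps could have been pointed at any service.
LOGIN_URL = re.compile(r'loadUrl\(\s*"https://(?:[\w-]+\.)*facebook\.com/[^"]*login', re.I)

def indicators(source):
    """Return the names of all indicators found in decompiled source text."""
    found = {name for name, rx in INDICATORS.items() if rx.search(source)}
    if LOGIN_URL.search(source):
        found.add("third_party_login")
    return found

def needs_review(source):
    """True if code loads a third-party login page AND can reach into it."""
    hits = indicators(source)
    reach = hits & {"script_injection", "js_bridge", "cookie_read"}
    return {"js_enabled", "third_party_login"} <= hits and bool(reach)

# Constructed samples (not taken from the real apps).
FLAGGED_SAMPLE = '''
WebView w = new WebView(ctx);
w.getSettings().setJavaScriptEnabled(true);
w.addJavascriptInterface(new Bridge(), "bridge");
w.loadUrl("https://m.facebook.com/login.php");
w.evaluateJavascript(scriptFromConfig, null);
String c = CookieManager.getInstance().getCookie(url);
'''
BENIGN_SAMPLE = '''
WebView w = new WebView(ctx);
w.getSettings().setJavaScriptEnabled(true);
w.loadUrl("https://example.com/help");
'''

if __name__ == "__main__":
    for name, src in (("flagged", FLAGGED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, needs_review(src), sorted(indicators(src)))
```

A hit is a prompt for manual review, not a verdict: legitimate apps also script their own WebViews, which is why the rule requires the third-party login URL as well.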

9 apps with 5 malware variants, but one purpose

In the nine Android apps, the Dr. Web experts found five different malware variants. Three of them were native Android apps, the other two used Google’s Flutter framework. Despite their technical differences, Dr. Web classified them all as using the same procedure.

The most successful Trojan horse app is called PIP Photo. It alone has been downloaded more than five million times. Another photo editing application called Processing Photo followed in second place with more than 500,000 downloads. The apps Rubbish Cleaner, Inwell Fitness, Horoscope Daily, App Lock Keep, Lockit Master, Horoskop Pi and App Lock Manager were also affected, with around 100,000 downloads or fewer.

Google removes apps, blocks developers

In the meantime, Google has not only removed all of these apps from the Play Store, but also deleted the developer accounts of their operators. So theoretically they cannot submit new apps. On the other hand, the hurdles for creating new accounts are very low. The cyber criminals could therefore simply set up a new developer account under a different name for a one-time fee of 25 US dollars.

If you recognize one of the apps mentioned, you should now check whether there are any signs of unauthorized access to your Facebook account. In any case, it doesn’t hurt to change the account’s password. It also makes more and more sense to choose a malware scanner and install the corresponding app on your own device.
