9 Trojan Apps With 5.8 Million Downloads Discovered on Play Store

  • A new batch of nine trojan apps for Android with millions of downloads has been discovered.
  • The apps used various tricks to convince users to log in with their Facebook accounts.
  • The actors then stole the credentials and either sold them to others or used them to take over accounts.

Researchers at Doctor Web have discovered ten malicious trojan apps that steal Facebook credentials, nine of which were available on the Google Play Store, Android’s official app space. In total, the trojans were downloaded more than 5.85 million times, so they have already reached a very wide audience. Dr. Web has reported this to Google, and several of these apps have since been removed, but not all of them.

Here are the apps that are hiding the info-stealing functionality behind something else:

  • Processing Photo
  • App Lock Keep
  • Rubbish Cleaner
  • Horoscope Daily
  • Horoscope Pi
  • App Lock Manager
  • Lockit Master
  • Inwell Fitness
  • PIP Photo

The front-facing functionality of these apps was complete so as not to raise any alarms with the victims. In all cases, the apps asked the user to log in with their Facebook account, which is generally considered normal. To further convince users to log in to their Facebook account, the apps delivered ads that they promised to disable if the victim registered on the platform through social media.

Source: Dr. Web

Obviously, whatever credentials are entered on the login forms go directly to the C&C server controlled by the actors, who then take control of the Facebook accounts or sell the stolen usernames and passwords to others. In most cases, the victim wouldn’t realize the trickery until it was too late.

It goes without saying that if you happen to have any of the above apps installed on your device, you should remove it immediately, run a complete AV scan to unearth any remaining files, and then reset your Facebook account password.

This is a perfect example of why users shouldn't blindly trust the Play Store, let alone third-party app stores. Unfortunately, Trojans like the above can find ways into the official Android store, either by effectively hiding their info-stealing functionality or by introducing it through post-installation updates.

Whenever you are downloading something from the Play Store, check user reviews, consider the developer's details, visit their website, and generally try to evaluate whether the app looks legit or not. Do not grant permissions willy-nilly, and always keep your phone up to date and protected with a mobile security solution from a trusted vendor.
