- A new batch of nine trojan apps for Android with millions of downloads has been discovered.
- The apps were deploying ways to convince users to log in with their Facebook account.
- The actors then stole the credentials and either sold them to others or used them to take over accounts.
Researchers at Doctor Web’s have discovered ten malicious trojan apps that steal Facebook credentials, nine of which were available on the Google Play Store, Android’s official app space. In total, the trojans were downloaded more than 5.85 million times, so they have already reached a very wide audience. Dr. Web has reported this to Google, and several of these apps have since been removed, but not all of them.
Here are the apps that are hiding the info-stealing functionality behind something else:
- Processing Photo
- App Lock Keep
- Rubish Cleaner
- Horoscope Daily
- Horoscope Pi
- App Lock Manager
- Lockit Master
- Inwell Fitness
- PIP Photo
The front-facing functionality of these apps was complete so as not to raise any alarms to the victims. In all cases, the apps asked the user to login to it by using their Facebook account, which is considered normal in general. To further convince the users to log in to their Facebook account, the apps delivered ads that they promised to disable if the victim registered on the platform through social media.
Obviously, whatever credentials entered on the login forms go directly to the C&C controlled by the actors who then take control of the Facebook accounts or sell the stolen usernames and passwords to others. In most cases, the victim wouldn’t realize the trickery until it was too late.
It goes without saying that if you happen to have any of the above apps installed on your device, you should remove it immediately, run a complete AV scan to unearth any remaining files, and then reset your Facebook account password.
This is a perfect example of why users shouldn't blindly trust the Play Store, let alone third-party app stores. Unfortunately, Trojans like the above can find ways into the official Android store, either by effectively hiding their info-stealing functionality or by introducing it through post-installation updates.
Whenever you are downloading something from the Play Store, check user reviews, consider the developer's details, visit their website, and generally try to evaluate if the app is looking legit or not. Do not grant permissions willy-nilly, and always keep your phone up to date and protected with a mobile security solution from a trusty vendor.