9 Trojan Apps With 5.8 Million Downloads Discovered on Play Store

  • A new batch of nine trojan apps for Android with millions of downloads has been discovered.
  • The apps used various tricks to convince users to log in with their Facebook account.
  • The actors then stole the credentials and either sold them to others or used them to take over accounts.

Researchers at Doctor Web have discovered ten malicious trojan apps that steal Facebook credentials, nine of which were available on the Google Play Store, Android’s official app store. In total, the trojans were downloaded more than 5.85 million times, so they have already reached a very wide audience. Dr. Web has reported this to Google, and several of these apps have since been removed, but not all of them.

Here are the apps that are hiding the info-stealing functionality behind something else:

  • Processing Photo
  • App Lock Keep
  • Rubbish Cleaner
  • Horoscope Daily
  • Horoscope Pi
  • App Lock Manager
  • Lockit Master
  • Inwell Fitness
  • PIP Photo

The front-facing functionality of these apps was fully working, so as not to raise any alarms with the victims. In all cases, the apps asked the user to log in with their Facebook account, which is generally considered normal. To further convince users to log in to their Facebook account, the apps delivered ads that they promised to disable if the victim registered on the platform through social media.

Source: Dr. Web

Obviously, whatever credentials are entered on the login forms go directly to the C&C server controlled by the actors, who then take control of the Facebook accounts or sell the stolen usernames and passwords to others. In most cases, the victim wouldn’t realize the trickery until it was too late.

It goes without saying that if you happen to have any of the above apps installed on your device, you should remove it immediately, run a complete AV scan to unearth any remaining files, and then reset your Facebook account password.

This is a perfect example of why users shouldn’t blindly trust the Play Store, let alone third-party app stores. Unfortunately, Trojans like the above can find ways into the official Android store, either by effectively hiding their info-stealing functionality or by introducing it through post-installation updates.

Whenever you download something from the Play Store, check user reviews, consider the developer’s details, visit their website, and generally try to evaluate whether the app looks legitimate. Do not grant permissions willy-nilly, and always keep your phone up to date and protected with a mobile security solution from a trusted vendor.
