Google has removed nine Android apps from its Play Store that together have been downloaded more than 5.8 million times. Researchers found that these nine apps contained trojan code that stole users' Facebook login credentials.
The infected apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes and removal of junk files from Android devices. Ars Technica reports that all of the apps offered users an option to disable in-app ads by logging into their Facebook accounts.
Users who accepted the in-app offer were taken to a genuine Facebook login form containing fields for usernames and passwords. At this point, the trojan malware within the apps would be activated.
Researchers from Dr. Web, who extensively investigated the trojan in question, said that after users entered their login information into the genuine Facebook page, their credentials were hijacked.
The hijacked information was passed, via JavaScript, to the trojan inside the app, which then transferred it to the attackers' C&C (command and control) server. After the victim logged into their account, the trojans also stole the cookies of the current authorization session and sent them to the cybercriminals as well.
Dr. Web's analysis of all the apps found that every one of them received settings for stealing the logins and passwords of Facebook accounts. However, the trojans could just as easily have been used to steal information from any other web page or service; Facebook was simply an obvious lure.
Five malware variants were found stashed within the apps, say the researchers. Three of them were found in native Android apps, and the remaining two used Google’s Flutter framework, which is designed for cross-platform compatibility.
Each of the variants used the same kind of trojan to steal the information. Researchers found that each used identical configuration file formats and identical JavaScript code to steal user data.
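The theft described above (injected JavaScript reading the login form inside an in-app WebView, the app's JavaScript bridge receiving the values, and the session cookies being read afterwards) leaves a recognisable combination of API calls in an app's decompiled source. The following Python triage script is an added example written for this article, not code from Dr. Web or from any of the named apps; its regex indicators, rule names, and the two sample source snippets are all constructed assumptions, chosen to illustrate how a reviewer can flag the co-occurrence of a JavaScript bridge with credential-reading page script, or a Facebook login page with cookie reading, rather than any single, commonly benign call such as enabling JavaScript.

```python
import re

# Heuristic indicators for the pattern the article describes. These regexes
# are this example's own assumptions, not indicators published by Dr. Web;
# they match the Android WebView APIs and JavaScript idioms the described
# technique would need.
INDICATORS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "js_bridge": re.compile(r"addJavascriptInterface\("),
    "loads_fb_login": re.compile(r"facebook\.com/login", re.I),
    "js_reads_creds": re.compile(
        r"getElementById\(\s*['\"](?:email|pass)['\"]\s*\)\s*\.value"
    ),
    "reads_cookies": re.compile(r"CookieManager\.getInstance\(\)\s*\.getCookie\("),
}

# Escalation rules: a file is flagged only when the indicators that together
# make up one stage of the theft all co-occur. A lone "js_enabled" hit is
# common in legitimate apps and never fires a rule by itself.
RULES = {
    "credential_bridge": {"js_bridge", "js_reads_creds"},
    "session_cookie_theft": {"loads_fb_login", "reads_cookies"},
}


def match_indicators(source: str) -> set:
    """Return the names of all indicators found in one source file."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}


def triage(sources: dict) -> dict:
    """sources maps filename -> decompiled text.

    Returns filename -> (sorted indicator hits, sorted rules fired).
    """
    report = {}
    for filename, text in sources.items():
        hits = match_indicators(text)
        fired = sorted(rule for rule, needed in RULES.items() if needed <= hits)
        report[filename] = (sorted(hits), fired)
    return report


def suspicious_files(sources: dict) -> list:
    """Filenames in which at least one escalation rule fired."""
    return sorted(f for f, (_, fired) in triage(sources).items() if fired)


# Constructed sample inputs (invented fixtures, not code from any real app).
BENIGN = """
    WebView w = findViewById(R.id.help);
    w.getSettings().setJavaScriptEnabled(true);
    w.loadUrl("https://example.com/help");
"""

SUSPICIOUS = """
    WebView w = new WebView(ctx);
    w.getSettings().setJavaScriptEnabled(true);
    w.addJavascriptInterface(new Bridge(), "bridge");
    w.loadUrl("https://m.facebook.com/login");
    String cookies = CookieManager.getInstance().getCookie(url);
    String js = "bridge.send(document.getElementById('email').value,"
              + " document.getElementById('pass').value)";
"""

if __name__ == "__main__":
    samples = {"HelpActivity.java": BENIGN, "LoginActivity.java": SUSPICIOUS}
    for name, (hits, fired) in triage(samples).items():
        print(f"{name}: hits={hits} rules={fired}")
    print("flagged:", suspicious_files(samples))
```

The rules deliberately require two indicators each: a WebView with JavaScript enabled, or even a JavaScript bridge on its own, is ordinary in ad and help screens, so the signal worth escalating is the pairing with script that reads the login fields or with cookie access on a login page.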
Dr. Web identified the malware variants as:
The majority of the downloads were for an app called PIP Photo, which was downloaded more than 5.8 million times.
The next most downloaded app was Processing Photo, with more than 500,000 downloads. It is unknown how many users were actually affected by the credential theft, but it is assumed to be in the hundreds of thousands, maybe even more.
The remaining apps affected were:
- Rubbish Cleaner: more than 100,000 downloads
- Inwell Fitness: more than 100,000 downloads
- Horoscope Daily: more than 100,000 downloads
- App Lock Keep: more than 50,000 downloads
- Lockit Master: more than 5,000 downloads
- Horoscope Pi: 1,000 downloads
- App Lock Manager: 10 downloads
All of the above apps, including PIP Photo and Processing Photo, have been removed from the Google Play Store. A Google spokesman said that the company has also banned the developers of all nine apps from the store, meaning they will not be allowed to submit new apps.
Any users who have used or are using the above-listed apps, and logged in to Facebook through them, should check their Facebook accounts and pages for any signs of compromise. There are also many free antivirus tools for Android devices available online, including a free cleaner from Malwarebytes.
By Luis Monzon