Android apps installed 5.8 million times, stole passwords from Facebook users


Google has removed nine applications from the Google Play Store, downloaded a combined 5,856,010 times, after they were caught stealing Facebook credentials. The malware was discovered by researchers at Doctor Web, who write that the credential-stealing Trojans were distributed under the guise of harmless programs.


In total, the researchers identified 10 such malicious applications, 9 of which were present on Google Play at the time of detection:

  • The photo editor Processing Photo (detected by Doctor Web as Android.PWS.Facebook.13). It was distributed by the developer chikumburahamilton and has been installed over 500,000 times.
  • App Lock Keep by Sheralaw Rence, App Lock Manager by Implummet col and Lockit Master by Enali mchicolo (detected as Android.PWS.Facebook.13), which let users restrict access to Android devices and the software installed on them. They were downloaded at least 50,000, 10 and 5,000 times, respectively.
  • The device-optimization utility Rubbish Cleaner from the developer SNT.rbcl, with over 100,000 downloads (detected as Android.PWS.Facebook.13).
  • The astrology apps Horoscope Daily from the developer HscopeDaily momo and Horoscope Pi from the developer Talleyr Shauna (detected as Android.PWS.Facebook.13). The first has been installed over 100,000 times, the second more than 1,000 times.
  • The fitness app Inwell Fitness (detected as Android.PWS.Facebook.14) from the developer Reuben Germaine, which has been installed over 100,000 times.
  • The image editor PIP Photo, distributed by the developer Lillians. Different versions of this program are detected as Android.PWS.Facebook.17 and Android.PWS.Facebook.18. This app has over 5,000,000 downloads.
What the Trojans looked like after launch

While studying these malicious programs, the researchers also discovered an earlier variant that had spread through Google Play under the guise of the photo editor EditorPhotoPip. It has since been removed from the store but is still available on app aggregator sites. It was added to the company's virus database as Android.PWS.Facebook.15.

Android.PWS.Facebook.13, Android.PWS.Facebook.14 and Android.PWS.Facebook.15 are native Android apps, while Android.PWS.Facebook.17 and Android.PWS.Facebook.18 use the Flutter framework, designed for cross-platform development. Despite this, they can be considered modifications of the same Trojan, since they use the same configuration file format and the same JavaScript scripts to steal data, the researchers say.

All of the applications were fully functional, which was meant to lower the vigilance of potential victims. At the same time, to unlock all of their features, and supposedly to disable ads, users were asked to log into their Facebook account. Some of the applications did in fact display advertising, and this was intended as an additional nudge to get Android device owners to perform the action the attackers required.


Notably, the Facebook login form that was displayed was real: the Trojans relied on a particular mechanism to deceive their victims. After launch, having received the necessary settings from one of the command-and-control servers, they loaded the legitimate social network login page (https://www.facebook.com/login.php) into a WebView. Into the same WebView they loaded JavaScript received from the attackers' server, which directly intercepted the authorization data as it was entered. That JavaScript then used methods exposed through the JavascriptInterface annotation to pass the stolen login and password to the Trojan application, which in turn sent them to the cybercriminals' server. Once the victim had logged into their account, the Trojans additionally stole the cookies of the current authorization session, which were also sent to the criminals.
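As an added illustration (not code from the article or from Doctor Web), the following triage script looks for the co-occurrence of the WebView features described above in decompiled app source: a JavaScript bridge, a loaded login page, injected script and cookie reads. The indicator patterns and both sample inputs are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Behavioural indicators of the credential-interception pattern described above.
# Each entry maps a name to a regex matched against decompiled Java/Kotlin text
# (constructed patterns; extend to smali opcodes if you triage disassembly instead).
INDICATORS: Dict[str, str] = {
    "js_enabled":  r"setJavaScriptEnabled\s*\(\s*true\s*\)",
    "js_bridge":   r"addJavascriptInterface\s*\(|@JavascriptInterface",
    "login_page":  r"https?://[\w.-]*facebook\.com/login(\.php)?",
    "remote_js":   r"evaluateJavascript\s*\(|loadUrl\s*\(\s*\"javascript:",
    "cookie_read": r"getCookie\s*\(",
}

# Constructed sample resembling the behaviour the article describes (no payload).
SAMPLE_SUSPICIOUS = """
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "android");
webView.loadUrl("https://www.facebook.com/login.php");
webView.evaluateJavascript(scriptFromServer, null);
String c = CookieManager.getInstance().getCookie(currentUrl);
"""

# Constructed benign sample: an app showing its own help page, no bridge, no injection.
SAMPLE_BENIGN = """
webView.getSettings().setJavaScriptEnabled(true);
webView.loadUrl("https://example.invalid/help.html");
"""

def scan_source(text: str) -> Dict[str, List[int]]:
    """Return indicator name -> 1-based line numbers where it matched."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if re.search(pattern, line):
                hits.setdefault(name, []).append(lineno)
    return hits

def verdict(hits: Dict[str, List[int]]) -> Tuple[str, int]:
    """'suspicious' only when bridge, login page and injected JS all co-occur;
    the score is the number of distinct indicators, for analyst prioritisation."""
    core = {"js_bridge", "login_page", "remote_js"}
    score = len(hits)
    return ("suspicious" if core <= hits.keys() else "low"), score

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(scan_source(src)))
```

Any single indicator is common in legitimate apps; only the combination the article describes (login page plus bridge plus injected script) is treated as worth a closer look.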

The analysis showed that all of the applications received settings for stealing logins and passwords from Facebook accounts. However, the cybercriminals could easily have changed the parameters and instructed the Trojans to load a page from some other legitimate service, or even a completely fake login form hosted on a phishing site. The Trojans could therefore have been used to steal logins and passwords for any service.
