Google specialists removed nine applications from the Google Play Store, downloaded 5,856,010 times, as these applications were caught stealing credentials from Facebook. Malvar was discovered by researchers from Doctor Web, and they write that these stealing Trojans were distributed under the guise of harmless programs.
In total, experts identified 10 such malicious applications, 9 of which were present on Google Play at the time of detection:
- Photo editor Processing Photo (detected by Doctor Web as PWS.Facebook.13 ). It was distributed by developer chikumburahamilton and has been installed over 500,000 times.
- App Lock Keep apps by Sheralaw Rence, App Lock Manager by Implummet col and Lockit Master by Enali mchicolo (detected as PWS.Facebook.13 ), allowing you to configure access restrictions to Android devices and the software installed on them. They were downloaded at least 50,000, 10 and 5,000 times, respectively.
- utility for optimizing the operation of Android devices Rubbish Cleaner from the developer SNT.rbcl with over 100,000 downloads (detected as PWS.Facebook.13 ).
- Astrological programs Horoscope Daily from developer HscopeDaily momo and Horoscope Pi from developer Talleyr Shauna (detected as PWS.Facebook.13 ). The first has been installed over 100,000 times, the second more than 1,000 times.
- fitness program Inwell Fitness (detected as PWS.Facebook.14 ) from developer Reuben Germaine, which has been installed over 100,000 times.
- PIP Photo image editor distributed by developer Lillians. Different versions of this program are detected as PWS.Facebook.17 and Android.PWS.Facebook.18 . This app has over 5,000,000 downloads.
During the study of these malicious programs, an earlier modification of them was discovered, spreading through Google Play under the guise of the EditorPhotoPip photo editor. It has already been removed from the catalog, but is still available on application aggregator sites. It was added to the company’s virus base as Android.PWS.Facebook.15 .
All applications were fully functional, which should have weakened the vigilance of potential victims. At the same time, to access all their functions, as well as supposedly to disable ads, users were asked to log into their Facebook account. Advertising inside some applications was indeed present, and this technique was intended to additionally induce the owners of Android devices to perform the action required by the attackers.
The analysis showed that all applications received settings to steal logins and passwords from Facebook accounts. However, cybercriminals could easily change their parameters and command to load a page of some other legitimate service, or even use a completely fake login form posted on a phishing site. Thus, Trojans could be used to steal logins and passwords from any services.