Google has kicked nine Android apps with more than 5.8 million combined downloads off its Play Store after researchers discovered they contained malicious code used to steal users’ Facebook login credentials, according to the Russian anti-virus software firm Dr. Web.
As reported by Ars Technica, these trojan apps were designed to look and function like legitimate services for photo editing, exercising, clearing up storage space on your device, and providing daily horoscopes, Dr. Web’s malware analysts said in a post this week. In reality, this was all elaborate front to trick users into sharing their Facebook usernames and passwords.
Here’s how the scheme worked: Each offered users an option to unlock all the apps’ functions and get rid of in-app ads by logging into their Facebook accounts, which likely wouldn’t raise too many eyebrows since a lot of mobile services let you sync your social media accounts. Upon choosing this option, the apps would then load a legitimate Facebook login page containing fields for entering usernames and passwords. Whatever users typed into these forms would go directly to a computer controlled by the hackers, called a command-and-control server, via some cleverly concealed malicious code, Dr. Web researchers wrote:
These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.
The analysts discovered 10 malicious trojan apps in total, nine of which were previously available on the Google Play Store. Two apps posing as photo editing services made up the most downloads by far: PIP Photo with over 5 million installations and Processing Photo with over 500,000. Three other apps had more than 100,000 downloads each.
If you downloaded any of the apps listed below, you should consider updating your Facebook login information immediately and check your other online accounts for fraudulent activity:
- Processing Photo
- PIP Photo
- Rubbish Cleaner
- App Lock Keep
- App Lock Manager
- Lockit Master
- Horoscope Pi
- Horoscope Daily
- Inwell Fitness
Analysts identified five malware variants hidden inside these apps: Android.PWS.Facebook.13, Android.PWS.Facebook.14, and Android.PWS.Facebook.15, which are native to Android apps, and Android.PWS.Facebook.17 and Android.PWS.Facebook.18, which use Google’s Flutter framework designed for cross-platform compatibility. Since they all use nearly identical methods, code, and file formats to steal user data, Dr. Web classifies all five as the same trojan.
All nine of these apps no longer appear in Play Store search results. A Google spokesperson told Ars Technica that the developers behind these apps have also been banned, thus prohibiting them from submitting new apps.