Google removed nine Android apps that had been downloaded more than 5.8 million times from the company’s Play marketplace after researchers said these apps used a devious way to steal users’ Facebook credentials.

The apps offered fully functional services for image editing and composition, exercise and training, horoscopes, and removing junk files from Android devices, according to a post published by the security company Dr. Web. All of the identified apps offered users the option to turn off in-app advertising by logging into their Facebook accounts. Users who chose this option saw a real Facebook login form with fields for entering usernames and passwords.

Then, as Dr. Web researchers wrote:

These Trojans used a special mechanism to trick their victims. After receiving the required settings from one of the C&C servers at startup, they loaded the legitimate Facebook website https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was used directly to hijack the credentials entered. Then, using the methods provided by the JavascriptInterface annotation, this JavaScript passed stolen logins and passwords to the Trojan horse applications, which then transferred the data to the attacker’s C&C server. After the victim logged into their account, the Trojans also stole cookies from the current authorization session. These cookies have also been sent to cyber criminals.

The analysis of the malicious programs revealed that they received all settings for stealing logins and passwords from Facebook accounts. However, the attackers could easily have changed the Trojans’ settings and ordered them to load the website of another legitimate service. They could even have used a completely fake registration form that is on a phishing site. The Trojans could be used to steal logins and passwords from any service.

Dr. Web
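
A static triage heuristic for the pattern Dr. Web describes, added here as an example that is not from the article or from Dr. Web: it flags decompiled app source that combines a JavascriptInterface bridge, script injected from a runtime value, and WebView cookie reads. The indicator names, regexes and both sample snippets are assumptions constructed for illustration.

```python
import re

# Indicators over decompiled Java/Kotlin text. Each API is common in legitimate
# apps on its own; the combination is what the Dr. Web write-up describes.
INDICATORS = {
    # Native methods exposed to page script (the JavascriptInterface bridge).
    "js_bridge": re.compile(r'addJavascriptInterface\s*\(|@JavascriptInterface'),
    # Script injected into the page from a runtime value, not a string literal.
    "runtime_script": re.compile(
        r'evaluateJavascript\s*\(\s*[^"\s)]|loadUrl\s*\(\s*"javascript:"\s*\+'),
    # Session cookies read back out of the WebView.
    "cookie_read": re.compile(r'CookieManager\b[^;]*\.getCookie\s*\('),
    # Third-party login page hardcoded; may be absent when the URL arrives
    # in server-supplied settings, so it is recorded but not required.
    "login_url_literal": re.compile(
        r'loadUrl\s*\(\s*"https?://[^"]*(?:login|signin)[^"]*"', re.I),
}

def triage(source):
    """Return (verdict, sorted indicator names) for one app's source text."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    if {"js_bridge", "runtime_script"} <= hits:
        verdict = "high" if "cookie_read" in hits else "review"
    else:
        verdict = "none"
    return verdict, sorted(hits)

# Constructed samples (not taken from the real apps).
SUSPECT = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "bridge");
webView.loadUrl(settings.getString("url"));
webView.evaluateJavascript(settings.getString("script"), null);
String cookies = CookieManager.getInstance().getCookie(currentUrl);
'''
HYBRID_APP = '''
webView.addJavascriptInterface(new HelpBridge(), "help");
webView.loadUrl("https://example.com/help/index.html");
webView.evaluateJavascript("document.title", null);
'''

if __name__ == "__main__":
    for name, src in (("SUSPECT", SUSPECT), ("HYBRID_APP", HYBRID_APP)):
        print(name, triage(src))
```

A "review" or "high" verdict is a prompt for manual analysis of the app, not proof of credential theft.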

The researchers identified five malware variants that were hidden in the apps. Three of them were native Android apps and the remaining two used Google’s Flutter framework, designed for cross-platform compatibility. Dr. Web said it classifies all of them as the same trojan because they use identical configuration file formats and identical JavaScript code to steal user data.

Dr. Web identified the variants as:

Most of the downloads were for an app called PIP photo, which has been viewed more than 5.8 million times. The app with the next largest reach was Process photo, with more than 500,000 downloads. The rest of the apps were:

A search on Google Play shows that all apps have been removed from Play. A Google spokesman said the company has also banned the developers of all nine apps from the store, which means they are not allowed to submit new apps. This is the right move by Google, but it poses only a minimal hurdle for the developers, as they can simply sign up for a new developer account under a different name for a one-time fee of $25.

Anyone who has downloaded any of the above apps should thoroughly examine their device and Facebook accounts for any signs of compromise. It’s also not a bad idea to download a free Android antivirus app from a well-known security company and check for additional malicious apps. The one offered by Malwarebytes is my favorite.
