Google dumped nine Android apps from its Play Store with a total of more than 5.8 million downloads after researchers discovered they contained malicious code used to steal users’ Facebook credentials, according to the Russian antivirus software company Dr. Web.
As reported by Ars Technica, tThese Trojan horse apps are designed to look and work like legitimate services for photo editing, exercising, clearing up space on your device, and providing daily horoscopes, Dr. Web’s Malware analysts said in An entry in this week. In reality, this was all an elaborate front to get users to share their Facebook usernames and passwords.
Here’s how the scheme worked: Each of these apps gave users the ability to Unlock all functions of the apps and Get rid of in-app ads by logging into their Facebook accounts, which probably wouldn’t raise too many eyebrows as many mobile services allow you to sync your social media accounts. If this option is selected, the apps would then be loaded a legitimate Facebook login page with fields for entering usernames and passwords. Whatever users typed into these forms would go straight to a computer controlled by the hackers, a so-called command-and-control server, via cleverly hidden malicious code, the researchers from Dr. Web:
The analysts Detected a total of 10 malicious Trojan apps, nine of which were previously available on the Google Play Store. Two apps masquerading as photo editing services accounted for by far the most downloads: PIP Photo with over 5 million installations and Processing Photo with over 500,000. Three other apps each had more than 100,000 downloads.
If you’ve downloaded any of the apps listed below, you should immediately update your Facebook credentials and check your other online accounts for fraudulent activity:
- Process photo
- PIP photo
- Garbage cleaner
- Keep app lock
- App lock manager
- Lockit master
- Horoscope more
- Daily horoscope
- Inwell Fitness
Analysts identified five malware variants hidden in these apps: Android.PWS.Facebook.13, Android.PWS.Facebook.14, and Android.PWS.Facebook.15, which are native Android apps, and Android.PWS.Facebook .17 and Android.PWS.Facebook.18, which use Google’s Flutter framework designed for cross-platform compatibility. Because they all use almost identical methods, codes, and file formats to steal user data, Dr. Web all five as the same trojan.
All nine of these apps no longer appear in the Play Store search results. A Google spokesman told Ars Technica that the developers of these apps were also banned and thus prohibited from submitting new apps.