Google removed nine Android apps from its Play Store after they were caught stealing users’ Facebook credentials. The cumulative download count of the apps was 5.8 million times.
The apps were fully functional, which malware authors did on purpose to weaken the user’s vigilance when it came to identifying potential threats:
“The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps’ functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts,” researchers from Dr. Web said. “The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions.”
The apps posed as photo-editing, fitness, and astrology programs, tricking victims into entering their Facebook credentials which were siphoned to the malware operators.
The list of Android trojanized apps are as follows: PIP Photo (>5,000,000 installs), Processing Photo (>500,000 installs), Rubbish Cleaner (>100,000 installs), Horoscope Daily (>100,000 installs), Inwell Fitness (>100,000 installs), App Lock Keep (50,000 installs), Lockit Master (5,000 installs), Horoscope Pi (>1,000 installs), and App Lock Manager (10 installs).
Dr.Web detects them as Android.PWS.Facebook.13 – 18.
While it looks like this attack was designed to take advantage of Facebook’s platform, Dr. Web researchers warn it could have also been used to steal passwords from other legitimate web platforms.
Google recently introduced new measures that are designed to prevent developers from uploading such fake apps to Google Store. Among the measures are requiring developers to turn on 2-Step Verification (2SV), providing a physical address, and verifying their contact details.
Yet, users should always carefully study apps before downloading and installing them.