Google has yanked nine apps from its Play Store after learning that they were part of a scheme to trick users out of their Facebook passwords.
The Android apps were good enough to fool a lot of users: They had been downloaded over 5.8 million times, so a significant amount of Facebook account credentials may have leaked. And all the apps were functional at what they claimed to do, from offering daily horoscopes to adding virtual picture frames to images.
It’s a reminder to us all: Check twice before downloading an app even from a typically trustworthy source like the Google Play Store.
How the Scam Worked
Malware analysts at Dr. Web discovered the trojan apps. They appeared in the Play Store like any other app.
But, once downloaded, the apps would tell users that they wouldn’t be able to access all the app’s features or be able to stop in-app ad pop-ups without connecting their Facebook accounts. The Facebook login page, however, was a fake that instead collected the users’ login information. Granted, the process was a little more complicated than that:
“These trojans used a special mechanism to trick their victims,” Dr. Web explained. “After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials.”
The JavaScript then passed along the stolen data to the trojan applications, which transferred it to the attackers’ C&C server, along with the cookies from the Facebook authorization session. Here’s what one of the trojan apps looked like in the Store:
One of the now-removed apps
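The pattern Dr. Web describes has a recognisable shape in an app's code: a WebView with JavaScript switched on, a third-party login URL loaded into it, script pushed into that same WebView at runtime, and the session cookies read back out. The heuristic below is an added example written for this article, not a tool from Dr. Web or Google; it runs over decompiled Android source text and flags that combination while leaving an ordinary JavaScript-enabled WebView alone. The indicator names, scoring rules and the two source samples are constructed for illustration.

```python
"""Heuristic scan of decompiled Android source for the WebView credential-theft
pattern described above: a legitimate login page loaded in a WebView, script
injected into the same WebView at runtime, and session cookies read back out.
Constructed illustration for this article, not a production detector."""
import re

# One regex per step of the technique. Indicator names are our own labels;
# the Android API names they match (setJavaScriptEnabled, evaluateJavascript,
# addJavascriptInterface, CookieManager) are real.
INDICATORS = {
    "js_enabled":    re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_bridge":     re.compile(r"\baddJavascriptInterface\s*\("),
    "js_injected":   re.compile(r"\bevaluateJavascript\s*\(|loadUrl\s*\(\s*\"javascript:"),
    "login_page":    re.compile(r"https?://(?:m\.|www\.)?facebook\.com/login", re.I),
    "cookie_read":   re.compile(r"CookieManager\.getInstance\(\)\.getCookie\s*\("),
    "remote_script": re.compile(r"\bHttpURLConnection\b|\bOkHttpClient\b"),
}


def scan_source(source):
    """Return {indicator_name: [line numbers]} for every indicator that matches."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def assess(hits):
    """Combine indicators into findings.

    A WebView with JavaScript enabled is normal on its own. What separates the
    trojan behaviour is that combination together with a third-party login
    URL plus injected script, a native bridge, or cookie reads."""
    findings = []
    if "login_page" in hits and "js_injected" in hits and "js_enabled" in hits:
        findings.append("script injected into a WebView that loads a Facebook login page")
    if "login_page" in hits and "js_bridge" in hits:
        findings.append("native bridge exposed to a WebView showing a Facebook login page")
    if "login_page" in hits and "cookie_read" in hits:
        findings.append("Facebook session cookies read out of the WebView cookie store")
    if findings and "remote_script" in hits:
        findings.append("network client present: injected script may be fetched at runtime")
    return findings


# Constructed sample 1: an app showing its own help page. JavaScript is on,
# but nothing else in the pattern is present, so it must not be flagged.
BENIGN_SAMPLE = """\
WebView help = findViewById(R.id.help);
help.getSettings().setJavaScriptEnabled(true);
help.loadUrl("https://example.invalid/help.html");
"""

# Constructed sample 2: the shape of the decompiled trojan as described in the
# article (login page, injected script, bridge, cookie read, network client).
SUSPECT_SAMPLE = """\
WebView w = findViewById(R.id.web);
w.getSettings().setJavaScriptEnabled(true);
w.addJavascriptInterface(new Bridge(), "app");
w.loadUrl("https://m.facebook.com/login");
w.evaluateJavascript(payloadFromServer, null);
String c = CookieManager.getInstance().getCookie("https://m.facebook.com");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        findings = assess(scan_source(sample))
        print(f"{label}: {'no findings' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run it against the two embedded samples and only the second produces findings. On real decompiled output (for example from jadx) the same scan works per file; the value is in the co-occurrence rules in `assess`, since any single indicator on its own appears in plenty of legitimate apps.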
We’ve added the full list of the trojan apps below. If any of them are familiar to you, you’ll want to change your Facebook password now.
- PIP Photo
- Processing Photo
- Rubbish Cleaner
- Inwell Fitness
- Horoscope Daily
- App Lock Keep
- Lockit Master
- Horoscope Pi
- App Lock manager
The first two on the list, PIP Photo and Processing Photo, were the most popular: each was downloaded over 500,000 times.
Staying Safe
Google has now removed all nine apps from the store and has banned the publishers behind them as well.
Still, it’s a good bet that more trojan apps will pop up in the future. And the facts behind this case — apps that are functional and that offer realistic Facebook login pages — indicate that the scammers are getting more sophisticated in their attempts to trick users out of personal information.
The easiest solution to keep your own information secure is to avoid downloading apps that don’t come from a source you recognize. Pruning out any apps you don’t use on a regular basis helps too, by reducing the number of potential weaknesses.
Finally, a few applications for online security may help — a secure VPN won’t hurt, but the best software for avoiding malicious password-stealing attempts will be a password manager. Many top password manager options will flag a suspicious login page, saving you from adding your private details to the next long list of stolen data.