Android apps installed 5.8 million times are stealing Facebook users passwords

Google specialists removed nine applications from the Google Play Store, downloaded in sum 5,856,010 times, as these applications were stealing passwords and credentials of Facebook users.

Researchers from Doctor Web discovered the malwares, and they write that these stealing Trojans were distributed under the mask of harmless programs.

In total, experts identified 10 malicious applications, 9 of which were present on Google Play at the time of detection:

• Photo editor Processing Photo. It was distributed by developer chikumburahamilton and has been installed over 500,000 times.
• App Lock Keep apps by Sheralaw Rence, App Lock Manager by Implummet col and Lockit Master by Enali mchicolo, which allow you to configure restriction of access to Android devices and the software installed on them. They were downloaded at least 50,000, 10 and 5,000 times, respectively.
• A utility for optimizing the operation of Android devices Rubbish Cleaner from the developer SNT.rbcl with over 100,000 downloads.
• Horoscope Daily astrological programs from the developer HscopeDaily momo and Horoscope Pi from the developer Talleyr Shauna. The first has been installed over 100,000 times, the second more than 1,000 times.
• Inwell Fitness fitness program from developer Reuben Germaine, which has been installed over 100,000 times.
• PIP Photo image editor distributed by developer Lillians. This app has over 5,000,000 downloads.

During the study of these malicious programs, an earlier modification of them was discovered, spreading through Google Play under the guise of the EditorPhotoPip photo editor. It has already been removed from the catalogue, but is still available on application aggregator sites.

These applications can be considered modifications of the same Trojan, as they use the same configuration file format and the same JavaScript scripts to steal data, experts say.

All applications were fully functional, which should have weakened the vigilance of potential victims. At the same time, to access all their functions, as well as supposedly to disable ads, users were asked to log into their Facebook account. Advertising inside some applications was indeed present, and this technique was intended to additionally induce the owners of Android devices to perform the action required by the cybercriminals.

As has already been said, the Facebook login form demonstration was real. The point is that Trojans used a special mechanism to deceive their victims. Having received the necessary settings from one of the control servers after launch, they loaded the legitimate page of the social network (https://www.facebook.com/login.php) into the WebView.

The same WebView was loaded with JavaScript received from the attacker’s server, which directly intercepted the authorization data entered. Then this JavaScript, using the methods provided through the JavascriptInterface annotation, passed the stolen login and password to the Trojan applications, after which they sent them to the attackers’ server. After the victim logged into his account, the Trojans additionally stole the cookies of the current authorization session, which were also sent to the criminals.

The analysis showed that all applications received settings to steal usernames and passwords from Facebook accounts. However, cybercriminals could easily change their parameters and command to load a page of some other legitimate service, or even use a completely fake login form posted on a phishing site. Thus, Trojans could be used to steal logins and passwords from any services.

Let me remind you that we talked about the fact that 306 vulnerabilities were found in popular Android applications, and only 18 of them received patches.