Recently, according to foreign media reports, Google recently announced the removal of 9 Android applications from the Play Store, including an Android application that has been downloaded more than 5.8 million times. The reason is that these apps are stealing Facebook’s certificates.
According to a post published by the security company Dr.Web, in order to win the trust of users and reduce their vigilance, these applications provide users with full-featured services, including photo editing and color picking, exercise and training. , Horoscope, and remove junk files on Android devices.
Although most programs did achieve the expected functions, they also carried out malicious behaviors. These applications have a feature at runtime, that is, they need to provide users with the option to log in to their Facebook account to disable ads in the application. Users who choose this option will see a real Facebook login form with fields for entering username and password. And when we log in, it means that the Facebook account and password have been stolen by the developers of these malicious programs.
According to the researcher, “These Trojans use a special mechanism to deceive their victims. After receiving the necessary settings from a CC server at startup, they send the legitimate Facebook page https://www.facebook.com /login.php is loaded into the WebView. Next, they load the JavaScript received from the CC server into the same WebView. The script is directly used to hijack the entered login credentials. After that, the JavaScript uses the JavascriptInterface annotation provided The method passes the stolen login name and password to the Trojan horse application. The Trojan horse application transmits the data to the attacker’s CC server. After the victim logs in to their account, the Trojan horse also steals cookies from the current authorized session. These cookies It was also sent to cybercriminals.”
And this practice has existed earlier. At this time last year, Google had also cleaned up 25 Android applications, and its practice was very similar. When an official application is launched on the user’s mobile phone, a piece of code will be activated, and the malicious application will launch a browser to load a fake login page on top of the official application. When the user enters their detailed information, the information content will be registered by the malicious application and sent to the remote server.
The software that was deleted this time has a surprisingly downloaded application-PIP Photo, which has been downloaded more than 5.8 million times. Next is Processing Photo, which has been downloaded more than 500,000 times. The list of several other apps is as follows: Rubbish Cleaner: over 100,000 downloads; nwell Fitness: over 100,000 downloads; Horoscope Daily: over 100,000 downloads; App Lock Keep: over 50,000 downloads; Lockit Master: over 5000 downloads; Horoscope Pi: 1000 downloads; App Lock Manager: 10 downloads.
Although I don’t know how these applications evaded Google’s inspection here, users should pay more attention when using the application in the future. The loss of the Facebook account may affect your entire network and social life.