A whole bunch of apps have been removed from the Google Play Store because… well, they were stealing users’ Facebook passwords. The nine apps, the most downloaded of which put more than 5 million people at risk, used quite an unusual tactic to secure those passwords: they asked for them.
Before you go thinking that this is the users’ fault, it’s not. The apps in question offered users the chance to disable ads if they logged in with their Facebook accounts. The login page for Facebook was genuine, but then…
Playing with the Play Store
Then, the apps got up to some trickery. Researchers over at Dr. Web, who spotted the malicious software, explain that upon “…receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView.”
“This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.”
They went on to explain that this method, if deployed correctly, could have been used to steal login and password info from any service. There were five different malware versions found across the nine Google Play Store apps, all of which have since been removed. All of the developers responsible for these apps have also been banned outright, but that doesn’t mean they won’t be back under new names and with new details and apps at their command.
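The technique Dr. Web describes leaves a recognisable footprint in an app’s own code: JavaScript enabled in a WebView, a native object exposed to page script through addJavascriptInterface, a third-party login URL loaded into that WebView, script evaluated into the page from app code, and the cookie store read back afterwards. The Python below, an added example rather than anything from the article or from Dr. Web, is a small triage scanner an analyst could point at decompiled Java source to flag that combination; the two source fragments, the indicator names and the weights are constructed for illustration and do not correspond to any of the apps named above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of decompiled Java resembling what an analyst might see
# after decompiling an APK. Illustrative only; not code from any named app.
SUSPICIOUS_SAMPLE = """
public class LoginHelper {
    void start(WebView wv, String remoteScript) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new Bridge(), "Android");
        wv.loadUrl("https://www.facebook.com/login.php");
        wv.evaluateJavascript(remoteScript, null);
        String c = CookieManager.getInstance().getCookie("https://www.facebook.com");
    }
}
"""

# Constructed benign comparison: a WebView showing bundled help pages with
# JavaScript switched off and no bridge into native code.
BENIGN_SAMPLE = """
public class HelpViewer {
    void show(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(false);
        wv.loadUrl("file:///android_asset/help.html");
    }
}
"""


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: re.Pattern
    weight: int          # assumed weights, chosen for this example
    why: str


# Each indicator is a real Android WebView/CookieManager API call; the
# weights and the "login page" heuristic are assumptions of this example.
INDICATORS = (
    Indicator("js_enabled", re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"), 1,
              "JavaScript enabled in the WebView, a precondition for injected script"),
    Indicator("js_bridge", re.compile(r"addJavascriptInterface\("), 2,
              "native object exposed to page script via @JavascriptInterface"),
    Indicator("third_party_login",
              re.compile(r'loadUrl\(\s*"https?://[^"]*(?:login|signin|oauth|auth)[^"]*"'), 2,
              "a third-party login page loaded inside the app's own WebView"),
    Indicator("script_injection", re.compile(r'evaluateJavascript\(|loadUrl\(\s*"javascript:'), 2,
              "script pushed into the loaded page from app code"),
    Indicator("cookie_access", re.compile(r"CookieManager\.getInstance\(\)\s*\.getCookie\("), 1,
              "session cookies read back out of the WebView cookie store"),
)


@dataclass
class Report:
    score: int = 0
    hits: list = field(default_factory=list)   # (indicator name, line number, why)

    @property
    def verdict(self) -> str:
        names = {h[0] for h in self.hits}
        # The three parts that make the described technique work together:
        # a genuine login page, a bridge back to native code, and injected script.
        if {"third_party_login", "js_bridge", "script_injection"} <= names:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


def scan_source(src: str) -> Report:
    """Scan decompiled Java text line by line and return the matched indicators."""
    report = Report()
    for lineno, line in enumerate(src.splitlines(), start=1):
        for ind in INDICATORS:
            if ind.pattern.search(line):
                report.hits.append((ind.name, lineno, ind.why))
                report.score += ind.weight
    return report


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan_source(src)
        print(f"{label}: score={r.score} verdict={r.verdict}")
        for name, lineno, why in r.hits:
            print(f"  line {lineno}: {name}: {why}")
```

The scanner is deliberately line-oriented so it works on decompiler output of uneven quality; a real review would follow up a "high" verdict by reading where the evaluated script comes from (a string fetched from the network is far more concerning than a bundled asset) and what the bridge object actually exposes.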
The most-downloaded app was PIP Photo, with more than 5 million downloads. Processing Photo had more than 500,000 downloads, while Horoscope Daily, Inkwell Fitness and Rubbish Cleaner each had more than 100,000, and App Lock Keep had more than 50,000. Download counts drop off sharply after that, with App Lock Manager, Horoscope Pi and Lockit Master accounting for less than 10,000 downloads altogether. App Lock Manager was a relatively early entry: it was downloaded from the Play Store fewer than ten times.