Play Store delists nine apps spreading Facebook credential-stealing Chinese Trojan
What's the story
In yet another instance highlighting how easy it is to fall prey to cybercriminals and trojans, Google has just delisted nine apps from the Play Store when they were found to be stealing users' Facebook login credentials. The applications described as "stealer Trojans" had many thousand installs and one of the delisted apps had been installed over five million times. Here are more details.
What's a Trojan?
Trojan malware appears like legitimate software, harbor criminal/malicious intent
Antivirus software provider Kaspersky defines a Trojan as a type of malware disguised as legitimate software. Usually, Trojans don't perform any malicious activity but install critical malicious modules for cybercriminals who can affect your devices in many ways. The name "Trojan" is derived from the ancient story of the Greek Trojan horse packed with soldiers that let the Greeks conquer the city of Troy.
Which apps?
Applications sought victim's Facebook login to remove in-app advertisements
The nine malicious apps were identified by Dr.Web. The applications accompanied by their download count are PIP Photo (5.8+ million), Processing Photo (500,000+), Rubbish Cleaner and Horoscope Daily (100,000+ each), App Lock Keep (50,000+), Lockit Master (5,000+), Horoscope Pi (1,000), and App Lock Manager. The applications perform legitimate functions and behave normally, except for the Facebook login option that allegedly removes in-app ads.
Classic Trojan attack
Genuine WebView login page piggybacked by malicious JavaScript component
When users fell for the trap and chose to disable ads, they were greeted with a Facebook login page but with a twist. Interestingly, the genuine Facebook login page opened in WebView but a malicious Javascript component was also loaded in the background to capture the entered credentials. After victims unwittingly logged into Facebook, the Trojan also stole cookies from the current authorization sessions.
Not just Facebook
Malicious Trojan logged data in Chinese, suggesting potential Chinese origin
In a blog post, Dr.Web explained that the attackers were capturing Facebook login data but the technique could be used to steal login credentials for any service they please. Notably, a malicious Trojan called Android.PWS.Facebook.15 bundled with these apps logs data in Chinese, which could hint at its possible origin. Variations of this Trojan have also been reported earlier.
Countermeasures
If you've used the delisted apps, immediately change Facebook password
If you have any of the aforementioned apps installed, we would recommend that you immediately uninstall them and change your Facebook password. It also helps to enable two-factor authentication on Facebook. Ars Technica reported that the developers of the nine delisted applications have been banned from submitting any new applications to the Play Store. However, that doesn't mean the threat has been eliminated completely.
Nothing’s foolproof
The now-delisted malicious applications continue to live on the internet
Delisted and paid applications can still be downloaded by unsuspecting victims via app aggregator websites such as APKPure and third-party app stores like ACMarket. Moreover, the blacklisted developers can always re-apply using a different name for listing apps on the Play Store by paying Google a one-time fee of $25. In such scenarios, it's essential that you preemptively identify potential malware.
Red flag
Developers seeking credentials to disable monetized advertisements could monetize credentials
In-app advertisements are a revenue stream for app developers. Advertisers pay them so you can continue using the app for free, albeit with intermittent ads. Most legitimate developers offer a one-time in-app purchase for transitioning to an ad-free experience. However, we think that when developers seek login credentials to stop showing you ads, it's almost as though they stand to monetize your credentials.