Play Store delists nine apps spreading Facebook credential-stealing Chinese Trojan
Jul 05, 2021
10:05 pm

What's the story

In yet another instance highlighting how easy it is to fall prey to cybercriminals and trojans, Google has just delisted nine apps from the Play Store after they were found to be stealing users' Facebook login credentials. The applications, described as "stealer Trojans", had many thousands of installs, and one of the delisted apps had been installed over five million times. Here are more details.

What's a Trojan?

Trojan malware looks like legitimate software but harbors criminal/malicious intent

Antivirus software provider Kaspersky defines a Trojan as a type of malware disguised as legitimate software. Usually, the Trojan itself doesn't perform the malicious activity; instead it installs the critical malicious modules for cybercriminals, who can then affect your devices in many ways. The name "Trojan" is derived from the ancient story of the Greek Trojan horse packed with soldiers, which let the Greeks conquer the city of Troy.

Which apps?

Applications sought victim's Facebook login to remove in-app advertisements

The nine malicious apps were identified by Dr.Web. The applications accompanied by their download count are PIP Photo (5.8+ million), Processing Photo (500,000+), Rubbish Cleaner and Horoscope Daily (100,000+ each), App Lock Keep (50,000+), Lockit Master (5,000+), Horoscope Pi (1,000), and App Lock Manager. The applications perform legitimate functions and behave normally, except for the Facebook login option that allegedly removes in-app ads.

Classic Trojan attack

Genuine WebView login page piggybacked by malicious JavaScript component

When users fell for the trap and chose to disable ads, they were greeted with a Facebook login page, but with a twist. The genuine Facebook login page was opened in a WebView, while a malicious JavaScript component was loaded in the background to capture the entered credentials. After victims unwittingly logged into Facebook, the Trojan also stole the cookies from the current authorization session.
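The pattern just described (a WebView that loads the real Facebook login page with JavaScript enabled, injects script into it, and then reads the session cookies) is something an analyst can look for when triaging a decompiled app. The following is an added example written for this article, not code from Dr.Web, Google, or the apps in question: a small Python heuristic that scans decompiled Java-style source text for the co-occurrence of the Android API calls involved. The API names (`loadUrl`, `setJavaScriptEnabled`, `evaluateJavascript`, `addJavascriptInterface`, `CookieManager.getCookie`) are real Android WebView APIs; the two source snippets scanned are constructed for the example, and the scoring rule is an assumption, a triage aid rather than a definitive verdict.

```python
import re
from dataclasses import dataclass, field

# Indicators of the behaviour the article describes. Each regex matches a real
# Android WebView/CookieManager API name as it appears in decompiled Java.
INDICATORS = {
    # the genuine Facebook login page being loaded into an in-app WebView
    "loads_facebook_login": re.compile(
        r'loadUrl\(\s*"https?://(?:m\.|www\.)?facebook\.com/login', re.I),
    # JavaScript switched on for that WebView
    "js_enabled": re.compile(r'setJavaScriptEnabled\(\s*true\s*\)'),
    # script injected into, or bridged from, the loaded page
    "script_injection": re.compile(
        r'\b(?:evaluateJavascript|addJavascriptInterface)\('),
    # session cookies read back after login
    "cookie_read": re.compile(r'CookieManager\.getInstance\(\)\.getCookie\('),
}

# Assumed scoring rule: only the combination of a Facebook login page, JS enabled
# and script injection is flagged, so a plain help-page WebView is not.
CORE = {"loads_facebook_login", "js_enabled", "script_injection"}


@dataclass
class Finding:
    matched: set = field(default_factory=set)
    first_line: dict = field(default_factory=dict)  # indicator -> line number

    @property
    def suspicious(self) -> bool:
        return CORE <= self.matched

    @property
    def steals_cookies(self) -> bool:
        return self.suspicious and "cookie_read" in self.matched


def scan_source(src: str) -> Finding:
    """Scan decompiled source text line by line and record which indicators hit."""
    finding = Finding()
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                finding.matched.add(name)
                finding.first_line.setdefault(name, lineno)
    return finding


# Constructed sample: what the stealer pattern could look like after decompilation.
SUSPICIOUS_SAMPLE = """
WebView web = findViewById(R.id.web);
web.getSettings().setJavaScriptEnabled(true);
web.addJavascriptInterface(new Bridge(), "bridge");
web.loadUrl("https://www.facebook.com/login.php");
web.evaluateJavascript(script, null);
String c = CookieManager.getInstance().getCookie("https://www.facebook.com");
"""

# Constructed sample: an ordinary in-app help page, JS on but no login page.
BENIGN_SAMPLE = """
WebView help = findViewById(R.id.help);
help.getSettings().setJavaScriptEnabled(true);
help.loadUrl("https://example.invalid/help");
"""


def triage(src: str) -> str:
    """Return a one-line verdict for a decompiled source blob."""
    f = scan_source(src)
    if f.steals_cookies:
        return "SUSPICIOUS: Facebook login WebView with script injection and cookie read"
    if f.suspicious:
        return "SUSPICIOUS: Facebook login WebView with script injection"
    return "no WebView credential-harvesting pattern found"


if __name__ == "__main__":
    for label, sample in (("stealer", SUSPICIOUS_SAMPLE), ("help page", BENIGN_SAMPLE)):
        print(f"{label}: {triage(sample)}")
```

Matches should be reviewed by hand: an app can legitimately embed a login page in a WebView, so the combination is a reason to look closer at what the injected script does, not proof of theft on its own.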

Not just Facebook

Malicious Trojan logged data in Chinese, suggesting potential Chinese origin

In a blog post, Dr.Web explained that although the attackers were capturing Facebook login data, the same technique could be used to steal login credentials for any service they please. Notably, the Trojan bundled with these apps, detected as Android.PWS.Facebook.15, logs data in Chinese, which could hint at its possible origin. Variants of this Trojan have also been reported earlier.

Countermeasures

If you've used the delisted apps, immediately change Facebook password

If you have any of the aforementioned apps installed, we would recommend that you uninstall them immediately and change your Facebook password. It also helps to enable two-factor authentication on Facebook. Ars Technica reported that the developers of the nine delisted applications have been banned from submitting any new applications to the Play Store. However, that doesn't mean the threat has been eliminated completely.

Nothing’s foolproof

The now-delisted malicious applications continue to live on the internet

Delisted and paid applications can still be downloaded by unsuspecting victims via app aggregator websites such as APKPure and third-party app stores like ACMarket. Moreover, the blacklisted developers can always re-apply under a different name to list apps on the Play Store by paying Google a one-time fee of $25. In such scenarios, it's essential that you preemptively identify potential malware.

Red flag

Developers seeking credentials to disable monetized advertisements could monetize credentials

In-app advertisements are a revenue stream for app developers. Advertisers pay them so you can continue using the app for free, albeit with intermittent ads. Most legitimate developers offer a one-time in-app purchase for switching to an ad-free experience. However, we think that when developers seek your login credentials in order to stop showing you ads, it's almost as though they stand to monetize your credentials instead.