Another major Android ecosystem hack has been detected, and it compromised users’ Facebook credentials fair and square. As scary as it sounds, the Trojan apps have been identified by Doctor Web’s malware analysts. Surprisingly these apps have a total of more than 5.8 million installs. After this shocking discovery, the nine apps in question have been removed from the Play Store. Out of these malicious apps, two were photo editing apps – PIP Photo and Processing Photo with over 5 million and 500,000 installs respectively!
Other apps identified with fraudulently stealing the Facebook login information of the unassuming users include Rubbish Cleaner, App Lock Keep, App Lock Manager, Lockit Master, Horoscope Pi, Horoscope Daily and Inwell Fitness. If you have any of these installed, immediately uninstall them and change your Facebook password.
These apps were disguised as genuine tools and gave the users the option to disable the in-app advertisements by logging into the Facebook profile. This is where the scam began as the users were presented with a very genuine looking Facebook login page.
The fake form page where the users entered their Facebook credentials went straight to the hackers using some smart trickery. This sensitive data is transferred to the attacker’s command and control server, where the hackers logged into the account and stole cookies from the authorization session.
The malware inside these apps was in five different variants, three of which are native to Android namely – Android.PWS.Facebook.13, Android.PWS.Facebook.14, and Android.PWS.Facebook.15. Others are the Android.PWS.Facebook.17 and Android.PWS.Facebook.18 which use the Google Flutter framework for cross-platform compatibility
If that isn’t enough, the sensitive information is also sent to cybercriminals who can use the information for serious hacking consequences. Even though the damage has been done, still the hackers could have created similar fake login forms for other services to complicate damage control efforts for the good guys.