https://arstechnica.com/gadgets/2021/07/google-boots-google-play-apps-for-stealing-users-facebook-passwords/

SURPRISE -- Apps with 5.8 million Google Play downloads stole users' Facebook passwords

Researchers uncovered 9 apps that used a sneaky method to pilfer credentials.

Dan Goodin - Jul 2, 2021 9:00 pm UTC

[Image: Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images]

Google has given the boot to nine Android apps downloaded more than 5.8 million times from the company's Play marketplace after researchers said these apps used a sneaky way to steal users' Facebook login credentials.

In a bid to win users' trust and lower their guard, the apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices, according to a post published by security firm Dr. Web. All of the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a genuine Facebook login form containing fields for entering usernames and passwords. Then, as Dr.
Web researchers wrote:

"These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed the stolen login and password to the trojan applications, which then transferred the data to the attackers' C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to the cybercriminals.

Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts. However, the attackers could have easily changed the trojans' settings and commanded them to load the web page of another legitimate service. They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service."

[Image: Dr. Web]

The researchers identified five malware variants stashed inside the apps. Three of them were native Android apps, and the remaining two used Google's Flutter framework, which is designed for cross-platform compatibility. Dr. Web said that it classifies all of them as the same trojan because they use identical configuration file formats and identical JavaScript code to steal user data.

Dr. Web identified the variants as:

* Android.PWS.Facebook.13
* Android.PWS.Facebook.14
* Android.PWS.Facebook.15
* Android.PWS.Facebook.17
* Android.PWS.Facebook.18

The majority of the downloads were for an app called PIP Photo, which was accessed more than 5.8 million times.
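The Dr. Web description above amounts to a recognisable combination of API calls in the app's own code: a WebView with JavaScript enabled, a third-party login page loaded into it, a script evaluated in that page, a @JavascriptInterface bridge back into the app, and a read of the session cookies. As an added example that is not part of the Ars Technica article or Dr. Web's report, the following Python script scores decompiled Android source text for that combination, the sort of triage an analyst or app-store reviewer might run over a suspicious APK. The indicator names, the `scan_source` and `verdict` functions, and the two source snippets are constructed for illustration; no real sample is reproduced.

```python
"""Static triage of decompiled Android (Java/Kotlin) source text for the
WebView credential-hijack pattern: legitimate login page loaded into a
WebView, script injected into it, and a JavaScript bridge back to the app.
Hypothetical helper written for this page; inputs below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Indicator name -> regex over one line of decompiled source.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # A third-party login page loaded into the app's own WebView.
    "login_page_in_webview": re.compile(r'loadUrl\(\s*"https?://[^"]*login[^"]*"', re.I),
    # JavaScript enabled: benign on its own, required for the injection to work.
    "js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    # A bridge object exposed to page script (the JavascriptInterface mechanism).
    "js_bridge": re.compile(r"addJavascriptInterface\(|@JavascriptInterface"),
    # Script evaluated inside the loaded page.
    "script_injection": re.compile(r'evaluateJavascript\(|loadUrl\(\s*"javascript:'),
    # Session cookies read back out of the WebView cookie store.
    "cookie_harvest": re.compile(r"CookieManager\.getInstance\(\)\.getCookie\("),
}

# The three indicators that together form the described technique.
CORE: Set[str] = {"login_page_in_webview", "js_bridge", "script_injection"}


@dataclass
class Finding:
    indicator: str
    line_no: int
    line: str


def scan_source(text: str) -> List[Finding]:
    """Return every indicator hit with its line number, for an analyst to review."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                findings.append(Finding(name, n, line.strip()))
    return findings


def verdict(findings: List[Finding]) -> str:
    """'high' when the full page-load + bridge + injection combination is present,
    'medium' when two of the three are, 'low' otherwise (JS alone is not suspicious)."""
    hit = {f.indicator for f in findings}
    if CORE <= hit:
        return "high"
    if len(CORE & hit) == 2:
        return "medium"
    return "low"


def triage(text: str) -> Dict[str, object]:
    """Convenience wrapper: verdict plus the sorted set of indicators seen."""
    findings = scan_source(text)
    return {"verdict": verdict(findings), "indicators": sorted({f.indicator for f in findings})}


# Constructed snippet shaped like the described trojan (not real decompiled malware).
SUSPECT_SRC = '''
public class AdFreeActivity extends Activity {
    WebView web;
    void start(String scriptFromConfig) {
        web.getSettings().setJavaScriptEnabled(true);
        web.addJavascriptInterface(new Bridge(), "bridge");
        web.loadUrl("https://www.facebook.com/login.php");
        web.evaluateJavascript(scriptFromConfig, null);
        String c = CookieManager.getInstance().getCookie("https://www.facebook.com");
    }
}
'''

# Constructed benign snippet: a help page with JS enabled, no bridge, no injection.
BENIGN_SRC = '''
public class HelpActivity extends Activity {
    WebView web;
    void show() {
        web.getSettings().setJavaScriptEnabled(true);
        web.loadUrl("https://example.org/help");
    }
}
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_SRC), ("benign", BENIGN_SRC)):
        print(label, triage(src))
```

Run over the two snippets the script reports `high` for the suspect class and `low` for the help screen. The point of the `CORE` set is to avoid flagging the many legitimate apps that merely enable JavaScript or embed a login page: it is the conjunction of loading someone else's login page, injecting script into it and exposing a bridge that matches the behaviour Dr. Web describes.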
The app with the next greatest reach was Processing Photo, with more than 500,000 downloads. The remaining apps were:

* Rubbish Cleaner: more than 100,000 downloads
* Inwell Fitness: more than 100,000 downloads
* Horoscope Daily: more than 100,000 downloads
* App Lock Keep: more than 50,000 downloads
* Lockit Master: more than 5,000 downloads
* Horoscope Pi: 1,000 downloads
* App Lock Manager: 10 downloads

A search of Google Play shows that all apps have been removed from Play. A Google spokesman said that the company has also banned the developers of all nine apps from the store, meaning they will not be allowed to submit new apps. That's the right thing for Google to do, but it nonetheless poses only a minimal hurdle for the developers because they can simply sign up for a new developer account under a different name for a one-time fee of $25.

Anyone who has downloaded one of the above apps should thoroughly examine their device and their Facebook accounts for any signs of compromise. Downloading a free Android antivirus app from a known security firm and scanning for additional malicious apps isn't a bad idea, either. The offering from Malwarebytes is my favorite.

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Email dan.goodin@arstechnica.com // Twitter @dangoodin001