Pixelette Technologies

Facebook Passwords of Users Are Stolen by Unknown Apps

Nine apps on the Android Play Store exfiltrating users’ Facebook passwords
Google combating developers’ fraudulent activities on the Play Store

Nine Android apps were removed from Google Play after hackers found they stole Facebook login credentials from users. The apps had been downloaded over 5.8 million times. One of them had over five million downloads!

Researchers from Dr. Web said:

“The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps’ functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts. The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions.”

Disguised as photo-editing, optimization, fitness, and astrology tools, the offending apps convinced users to enter their Facebook account credentials, which were then stolen by a piece of JavaScript code received from an adversary-controlled server.

The list of apps is as follows:

  • PIP Photo (>5,000,000 installs)
  • Processing Photo (>500,000 installs)
  • Rubbish Cleaner (>100,000 installs)
  • Horoscope Daily (>100,000 installs)
  • Inwell Fitness (>100,000 installs)
  • App Lock Keep (50,000 installs)
  • Lockit Master (5,000 installs)
  • Horoscope Pi (>1,000 installs)
  • App Lock Manager (10 installs)

In the last link of the attack, the trojanized application was used to exfiltrate the stolen information to the server.

Even though this particular campaign seemed to focus on Facebook accounts, Dr. Web researchers cautioned that the attack could easily have been extended to load the legitimate login page of any web platform and thereby steal logins and passwords for various services.
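A static triage heuristic for the pattern described above, as an added example that is not from Dr. Web or this article: it flags decompiled app code that loads a third-party login page and also pushes non-literal JavaScript into it, for any watched login host rather than Facebook alone. It assumes the in-app login page is rendered in an Android WebView (the article does not name the component); the host list, the sample fragments and the names Bridge and remoteConfig are constructed.

```python
import re
from urllib.parse import urlparse

# Hosts whose login pages a third-party app should not be scripting (constructed list).
LOGIN_HOSTS = ("facebook.com", "accounts.google.com")

JS_ENABLED = re.compile(r"setJavaScriptEnabled\(\s*true\s*\)")
JS_BRIDGE = re.compile(r"addJavascriptInterface\(")
# Script handed to the page that is not a plain string literal, so its origin is unknown.
DYNAMIC_JS = re.compile(r'evaluateJavascript\(\s*[^"\s]|loadUrl\(\s*"javascript:"\s*\+')
LOAD_URL = re.compile(r'loadUrl\(\s*"(https?://[^"]+)"')

# Constructed decompiled-Java fragments; Bridge and remoteConfig are hypothetical names.
SUSPECT = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "bridge");
webView.loadUrl("https://www.facebook.com/login");
webView.evaluateJavascript(remoteConfig.getScript(), null);
'''
BENIGN = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.loadUrl("https://help.example.com/faq");
webView.evaluateJavascript("document.title", null);
'''

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def login_hosts_loaded(source, own_domains=()):
    """Watched login hosts loaded by the code that the app's developer does not own."""
    hits = set()
    for url in LOAD_URL.findall(source):
        host = (urlparse(url).hostname or "").lower()
        if any(_under(host, d) for d in own_domains):
            continue
        hits.update(w for w in LOGIN_HOSTS if _under(host, w))
    return sorted(hits)

def triage(source, own_domains=()):
    """Flag a class only when every piece of the pattern co-occurs."""
    signals = {
        "js_enabled": bool(JS_ENABLED.search(source)),
        "js_bridge": bool(JS_BRIDGE.search(source)),
        "dynamic_js": bool(DYNAMIC_JS.search(source)),
        "login_hosts": login_hosts_loaded(source, own_domains),
    }
    scripted = signals["js_enabled"] and (signals["js_bridge"] or signals["dynamic_js"])
    signals["verdict"] = "review" if scripted and signals["login_hosts"] else "ok"
    return signals
```

A "review" verdict is a prompt for manual analysis, not proof of theft: legitimate apps embed login pages too, which is why `own_domains` lets the platform owner's apps pass.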

Google’s initiative to eliminate Facebook password scams

Google released this disclosure just days after it announced new measures for the Play Store, including the requirement for developers to activate 2-Step Verification (Tokens), provide an address, and verify their contact details as part of its ongoing effort to combat scams and fraudulent developer accounts.

Even with the recent development, users should remember that they are better served by installing apps from known and trusted developers, watching out for permission requests, and reading other users’ reviews before installing any app.
