Date: 2021-07-02




Google has removed nine Android apps that were downloaded more than 5.8 million times from its Play marketplace after researchers said the apps used a sneaky method to steal users' Facebook login credentials.

According to a post published by security company Dr.Web, in order to win users' trust and lower their guard, the apps provided fully functional services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices. All of the identified apps gave users the option to log in to their Facebook account to disable in-app advertising. Users who selected this option were presented with a real Facebook login form that included fields for entering their username and password.

As Dr.Web researchers wrote:

These Trojans used a special mechanism to trick the victims. After receiving the required settings from one of the C&C servers at startup, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Then they loaded the JavaScript received from the C&C server into the same WebView. This script was used directly to hijack the login credentials entered. The JavaScript then used methods provided through the JavascriptInterface annotation to pass the stolen login and password to the Trojan application, which forwarded the data to the attacker's C&C server. After the victim logged in to his account, the Trojan also stole cookies from the current authentication session. These cookies were also sent to cyber criminals.

Analysis of the malicious program revealed that it had received all the settings for stealing Facebook account logins and passwords. However, an attacker could easily change the Trojan's settings and order it to load the web page of another legitimate service. They could also use a completely fake login form located on a phishing site. Therefore, the Trojan could have been used to steal logins and passwords from any service.


The researchers identified five malware variants hidden within the apps. Three of them were native Android apps, and the other two used Google's Flutter framework, which is designed for cross-platform compatibility. Dr.Web said it classifies all of them as the same Trojan because they use the same configuration file format and the same JavaScript code to steal user data.
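The combination Dr.Web describes (a third-party login page loaded in a WebView, a JavascriptInterface bridge, script injected from a non-literal value, and cookie reads) can serve as a static triage heuristic over decompiled app source. The following is an added example, not code from Dr.Web or from the original article; the Android API names are real, while the scoring rule, the `own_domains` parameter and the sample fragments are assumptions constructed for illustration.

```python
import re

# Real Android API names; the scoring rule and sample sources are assumptions.
LOAD_URL = re.compile(r'\.loadUrl\(\s*"(https?://([^/"]+)[^"]*)"')
LOGIN_HINT = re.compile(r"login|signin|oauth", re.I)
PATTERNS = {
    # Native object exposed to page script (the JavascriptInterface bridge).
    "js_bridge": re.compile(r"\.addJavascriptInterface\(|@JavascriptInterface"),
    # Script injected from a variable rather than a string literal.
    "dynamic_script": re.compile(
        r'\.evaluateJavascript\(\s*[A-Za-z_]|\.loadUrl\(\s*"javascript:"\s*\+'),
    # Session cookies read back out of the WebView.
    "cookie_read": re.compile(r"CookieManager\.getInstance\(\)\.getCookie\("),
}


def triage(source, own_domains=()):
    """Return (verdict, hits); hits maps indicator name -> 1-based line numbers."""
    hits = {name: [] for name in ("foreign_login_page", *PATTERNS)}
    for lineno, line in enumerate(source.splitlines(), 1):
        m = LOAD_URL.search(line)
        if m and LOGIN_HINT.search(m.group(1)):
            host = m.group(2).lower()
            if not any(host == d or host.endswith("." + d) for d in own_domains):
                hits["foreign_login_page"].append(lineno)
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    core = ("foreign_login_page", "js_bridge", "dynamic_script")
    if all(hits[k] for k in core):
        return ("high" if hits["cookie_read"] else "review"), hits
    return "none", hits


# Constructed decompiled fragments (not taken from the real samples).
SUSPECT = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "app");
webView.loadUrl("https://www.facebook.com/login.php");
webView.evaluateJavascript(remoteConfig.script, null);
String c = CookieManager.getInstance().getCookie(url);
'''
BENIGN = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "app");
webView.loadUrl("https://accounts.example.org/login");
webView.evaluateJavascript("window.app.ready()", null);
'''

if __name__ == "__main__":
    print(triage(SUSPECT, own_domains=("example.org",)))
    print(triage(BENIGN, own_domains=("example.org",)))
```

String matching of this kind is defeated by obfuscation or reflection, so a hit is a reason for manual review, not a verdict.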

Dr.Web identified the variants as follows:

Most of the downloads were for an app called PIP Photo, which was accessed more than 5.8 million times. The app with the next-highest reach was Processing Photo, with more than 500,000 downloads. The rest of the apps are:

A search on Google Play shows that all of the apps have been removed from Play. A Google spokesman also said the company has banned the developers of all nine apps from the store, meaning they will not be allowed to submit new apps. That's the right thing for Google to do, but it's still only a minimal hurdle for the developers, because they can sign up for a new developer account under a different name for a one-time fee of $25.

Anyone who has downloaded any of the above apps should thoroughly inspect their device and Facebook account for signs of compromise. It's also not a bad idea to download a free Android antivirus app from a known security company and scan for additional malicious apps. The offering from Malwarebytes is my favorite.

Sources 1/ https://Google.com/ 2/ https://arstechnica.com/gadgets/2021/07/google-boots-google-play-apps-for-stealing-users-facebook-passwords/

