Google has given the boot to nine Android apps downloaded more than 5.8 million times from the company’s Play marketplace after researchers said these apps used a sneaky way to steal users’ Facebook login credentials.
In a bid to win users’ trust and lower their guard, the apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices, according to a post published by security firm Dr. Web. All of the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a genuine Facebook login form containing fields for entering usernames and passwords.
Then, as Dr. Web researchers wrote:
Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts. However, the attackers could have easily changed the trojans’ settings and commanded them to load the web page of another legitimate service. They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service.
Dr. Web identified the variants as:
The majority of the downloads were for an app called PIP Photo, which was accessed more than 5.8 million times. The app with the next greatest reach was Processing Photo, with more than 500,000 downloads. The remaining apps were:
- Rubbish Cleaner: more than 100,000 downloads
- Inwell Fitness: more than 100,000 downloads
- Horoscope Daily: more than 100,000 downloads
- App Lock Keep: more than 50,000 downloads
- Lockit Master: more than 5,000 downloads
- Horoscope Pi: 1,000 downloads
- App Lock Manager: 10 downloads
A search of Google Play shows that all apps have been removed from Play. A Google spokesman said that the company has also banned the developers of all nine apps from the store, meaning they will not be allowed to submit new apps. That’s the right thing for Google to do, but it nonetheless poses only a minimal hurdle for the developers because they can simply sign up for a new developer account under a different name for a one-time fee of $25.
Anyone who has downloaded one of the above apps should thoroughly examine their device and their Facebook accounts for any signs of compromise. Downloading a free Android antivirus app from a known security firm and scanning for additional malicious apps isn’t a bad idea, either. The offering from Malwarebytes is my favorite.