Posted on July 5, 2021 at 2:57 PM
Google Has Removed 9 Apps With Millions Of Downloads From Its Store
Google LLC has taken down nine Android apps discovered stealing users’ Facebook login details.
The apps, which include one with millions of downloads, were discovered on July 1 by malware analysts at Dr Web.
They are named ‘stealer Trojans” and were distributed as safe software. But, according to the analysts, there is nothing safe about the apps, as they contain malware.
All the apps offered legitimate service
Other apps discovered in the past do not provide any tangible service to the users. They are simply used to lure users to download, unknowingly installing the malware on their system.
But in this case, the apps recently discovered offer legitimate services such as junk file removal, horoscopes, training and exercise, photo editing, and other services.
Some of the apps also PIP Photo with about 5 million installs as well as Inwell Fitness and Horoscope Daily with about 100,000 installs.
The users were asked to log into their Facebook account to disable the in-app.
According to the analysts, the advertisements in some of the apps were intended to make android device owners carry out the required actions.
The app owners enabled such features to have a serious basis to convince Android users to download the app, thinking that it offers genuine service. But in the real sense, the main goal of the app is to plant malware into the users’ android devices.
When the App users choose the option to disable the in-app were shown a standard Facebook login page where they are asked to input their login details. The login page was shown in WebView as well as JavaScript to steal the entered password.
Any user who enters the password would have their accounts exposed as the app owners would use JavaScript to deliver the details to the user’s command-and-control server.
After the user logs into the account, the malware also steals cookies from the authorization sessions that are still open.
The threat actors can target users on other platforms
The threat actors behind the malicious app concentrated on Facebook account, but they can still target other users on other platforms.
The threat actors could have easily altered the trojan’s configuration and repositioned them to load another platform’s webpage.
They can also have applied an entirely bogus login form from a phishing site, which will make the Trojan capable of stealing login credentials from any source, the analysts pointed out.
Google has not yet made a public statement regarding the expulsion of the apps. But a Google spokesperson stated that apart from taking down the apps from the store, they have been completely banned as well.
The nine apps, according to the analysts, were downloaded over 5.8 million times from the Play marketplace.
PIP Photo is the most popular app among the nine deleted. It has more than 5 million downloads. Next is Processing Photo, with more than 500,000 downloads.
The other apps include HoroScope Pi, App Lock Keep, Horoscope Daily, Lockit Master, and App Lock Manager.
The analysis of the Trojans revealed that they all have a setting for stealing login details when the users enter their login details.
Users should be careful when downloading new apps
Five malware variants were discovered in the mix. However, they all used the same configuration file format and JavaScript code file formals to steal information.
Google said it has banned all the app developers from the store, but the threat actors could still create a new developer account to have access to the app. As a result, the social media giant may need to have a screening done for malware to protect users from the threat of bad actors.
However, what is bothering security researchers is how the apps were able to gather a massive number of downloads before Google discovered it. Google may have been carrying malware screening, which has helped to keep much malware out. However, some still manage to pass the screening test and defenses. With these issues, users have been advised to be careful when downloading any utility from largely unknown developers, even if they have raked a lot of users.
