Posted on March 23, 2022 at 6:29 PM
An app carrying password-stealing malware has been discovered on the Google Play Store. According to the report, the app disguises itself as a photo editing tool but was built to steal Facebook credentials from the devices it is installed on. The app had already been downloaded more than 100,000 times from the Google Play Store.
Alongside its malicious purpose, the app does provide a large set of cartoon filters, letting users post a cartoonish version of their photos to their social media accounts.
It was presented as a harmless photo editing app on the Play Store, but it turned out to be a credential-stealing app that looks genuine.
Most apps on the Google Play store are considered genuine by users because the platform runs a screening process that removes apps it detects as dangerous. In some cases, however, the screening fails to catch a bad app that uses sophisticated techniques to hide its true intentions.
The Malicious App Comes With Facestealer Android Threat
Cybersecurity researchers stated that there is a “small piece of malicious code that easily slips under the radar of the store’s safeguards.” This is what let the threat actors get the malware-spreading app listed on the Play Store.
The researchers pointed out that the malicious photo editing app carries an Android threat known as Facestealer, which has previously reached the Play Store hidden inside otherwise genuine, harmless-looking apps.
In a recent analysis by cybersecurity firm Malwarebytes, the app requires its users to complete certain steps before they gain access to its features: anyone who wants to use the photo-editing functions must first log into their Facebook account.
Once the victim logs in, the trojan captures the credentials, giving the attackers access to the victim’s Facebook account and letting them steal a range of information from it.
This information includes payment details, message conversations, phone numbers, email addresses and IP addresses.
The Malicious App May Be Available On Other Stores
Although the cartoon photo editing app has been removed from the Google Play Store, it may still be available for download from other app stores. For that reason, researchers have published details of how the app operates so that users can recognize it and avoid becoming its next victims.
Michal Rajčan, a security researcher at Jamf, stated that when users enter their credentials, the app automatically sends them to the threat actor’s command and control server.
Additionally, after sending the credentials to the C2 server, the malicious app connects to the URL www.dozenorms[.]club (VirusTotal), to which it sends further data. The address has also been used in the past to promote other malicious FaceStealer Android apps.
According to the report by Pradeo, the author and distributor of the apps appear to have automated the repackaging process, planting a small piece of malicious code into a legitimate app.
This lets the apps pass the Play Store’s vetting process without raising suspicion. When users open the app, no functionality is shown until they have logged into their Facebook account.
After the user has logged in, the app provides limited functionality by uploading the photo to the online editor http://color.photofuneditor.com/, which applies a graphics filter to it.
The resulting image is then shown in the app, and the user can download it or send it to friends. Many legitimate apps require users to sign in with a third-party account such as Facebook before granting access, and this malicious app takes advantage of that habit.
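The two network indicators the report names, the www.dozenorms[.]club address contacted after the credentials are sent and the color.photofuneditor.com host the photos are uploaded to, are what a defender would want to look for in egress logs. The script below is an added example, not code from the article, Pradeo or Jamf: it refangs the published indicators and matches them against proxy and DNS log lines. The log formats and the log lines themselves are constructed here for illustration; only the two host names come from the report.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the article (defanged). The host names are the
# article's; the log lines further down are constructed for this example.
DEFANGED_IOCS = [
    "www.dozenorms[.]club",             # address reused across FaceStealer apps
    "http://color.photofuneditor.com/",  # online editor the app uploads photos to
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a plain, lower-cased host name.

    Handles the usual '[.]', '(.)', '[dot]' and 'hxxp' conventions, and
    reduces a full URL to its host so a URL and a bare host compare equal.
    """
    s = indicator.strip()
    for token in ("[.]", "(.)", "[dot]"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    if "://" in s:
        s = urlsplit(s).hostname or s
    return s.lower().rstrip(".")


IOC_HOSTS = frozenset(refang(i) for i in DEFANGED_IOCS)


def host_matches(host: str) -> bool:
    """True if host is an IOC host or a subdomain of one.

    The '.' prefix in the suffix test is deliberate: it stops look-alikes such
    as 'xwww.dozenorms.club' or 'www.dozenorms.club.example.com' from matching.
    """
    h = host.lower().rstrip(".")
    return any(h == ioc or h.endswith("." + ioc) for ioc in IOC_HOSTS)


# Assumed log formats (not from the article):
#   proxy: <timestamp> <client> <cache/status> <bytes> <method> <url-or-host:port>
#   dns:   <timestamp> <client> query <qname> <qtype>
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<target>\S+)"
)
DNS_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def host_from_target(method: str, target: str):
    """Extract the destination host from a proxy log target."""
    if method.upper() == "CONNECT":
        # CONNECT lines carry host:port rather than a URL
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname


def scan_log(lines):
    """Return (timestamp, client, host) for every line that hits an IOC."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            host = m.group("qname")
        else:
            m = PROXY_RE.match(line)
            if not m:
                continue
            host = host_from_target(m.group("method"), m.group("target"))
        if host and host_matches(host):
            hits.append((m.group("ts"), m.group("client"), host.lower().rstrip(".")))
    return hits


SAMPLE_LOG = [  # constructed for this example, not real traffic
    "2022-03-23T18:01:02Z 10.0.0.7 TCP_TUNNEL/200 512 CONNECT www.dozenorms.club:443",
    "2022-03-23T18:01:05Z 10.0.0.7 TCP_MISS/200 20481 POST http://color.photofuneditor.com/upload",
    "2022-03-23T18:01:09Z 10.0.0.9 TCP_MISS/200 3021 GET https://www.example.com/index.html",
    "2022-03-23T18:02:11Z 10.0.0.12 query www.dozenorms.club A",
    "2022-03-23T18:02:15Z 10.0.0.12 query www.dozenorms.club.example.com A",
]

if __name__ == "__main__":
    for ts, client, host in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}")
```

On the sample input this flags the CONNECT to the dozenorms host, the cleartext POST to the photo editor and the DNS query for the dozenorms host, and ignores the look-alike domain. Note that a hit on color.photofuneditor.com only tells you the app is in use on that device; the report describes that host as a third-party editor the app uploads photos to, whereas the dozenorms address is the one tied to the C2 traffic.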
Many users have come to treat such login prompts as normal, which makes them more vulnerable to a wide range of malicious apps. In most cases, once they are directed to the Facebook login page, they enter their credentials without suspicion. This is how such apps harvest users’ login details and go on to steal sensitive information from their accounts.
Security researchers have warned people to be very cautious of “cartoonifier” apps and to look carefully, before installing, at any app that requires them to log into their Facebook account.