Google shuts down Play Store apps for stealing Facebook credentials
The nine malicious Android apps boast nearly six million downloads collectively
Google has removed a handful of malicious apps available on its flagship Play Store that have been identified as stealing users’ Facebook usernames and passwords.
There are nine such apps that have been installed almost six million available on the flagship Android app store, according to researchers with Doctor Web, alongside a tenth Trojan-loaded app of the same kind.
The most popular of these applications, uncovered by Doctor Web’s specialists, is a photo editing software called PIP Photo, which was installed more than five million times.
Apps that allowed access limitations for using other software included App Lock Key, App Lock Manager, and Lockit Master, which were collectively downloaded roughly 65,000 times. Also identified are Rubbish Cleaner, which optimised device performance, Horoscope Daily, and Inwell Fitness.
All of the apps are fully functional and do exactly what they purport to, although they ask users to log in using their Facebook credentials to disable in-app ads.
Doctor Web claims that upon reporting these apps to Google, some have been removed but a handful remain available for download at the time the firm published its report.
Owning your own access security
The key to building strong cloud security and avoiding the risk of vendor lock-inDownload now
These malicious apps serve as a reminder for the propensity of Google’s flagship Play Store to often be found to be hosting malware disguised as legitimate software.
Last year, for example, researchers identified thousands of apps embedded with Mandrake spyware, which remained undetected for four years. This is alongside researches also finding six apps loaded with Joker fleeceware.
To rectify these issues, Google only last week announced that from later this year developers must provide a number of personal details, as well as adopt two-factor authentication (2FA) for logging into their accounts.
When creating a new account, developers must supply an email address and a phone number, in addition to a contact name and physical address. They’ll also be required to state whether their accounts are personal or professional.
The ultimate law enforcement agency guide to going mobile
Best practices for implementing a mobile device programFree download
The business value of Red Hat OpenShift
Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShiftFree download
Managing security and risk across the IT supply chain: A practical approach
Best practices for IT supply chain securityFree download
Digital remote monitoring and dispatch services’ impact on edge computing and data centres
Seven trends redefining remote monitoring and field service dispatch service requirementsFree download