IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google shuts down Play Store apps for stealing Facebook credentials

The nine malicious Android apps boast nearly six million downloads collectively

Google has removed a handful of malicious apps available on its flagship Play Store that have been identified as stealing users’ Facebook usernames and passwords.

There are nine such apps that have been installed almost six million available on the flagship Android app store, according to researchers with Doctor Web, alongside a tenth Trojan-loaded app of the same kind.

The most popular of these applications, uncovered by Doctor Web’s specialists, is a photo editing software called PIP Photo, which was installed more than five million times.

Apps that allowed access limitations for using other software included App Lock Key, App Lock Manager, and Lockit Master, which were collectively downloaded roughly 65,000 times. Also identified are Rubbish Cleaner, which optimised device performance, Horoscope Daily, and Inwell Fitness. 

All of the apps are fully functional and do exactly what they purport to, although they ask users to log in using their Facebook credentials to disable in-app ads. 

After receiving the necessary settings from one of the command and control (C&C) servers, the apps load a legitimate Facebook web page into WebView. This is then replaced with JavaScript received from the C&C server, which is used to hijack the credentials being entered. The apps then beam these credentials to the C&C server. 

Doctor Web claims that upon reporting these apps to Google, some have been removed but a handful remain available for download at the time the firm published its report. 

Related Resource

Owning your own access security

The key to building strong cloud security and avoiding the risk of vendor lock-in

Whitepaper front coverDownload now

These malicious apps serve as a reminder for the propensity of Google’s flagship Play Store to often be found to be hosting malware disguised as legitimate software. 

Last year, for example, researchers identified thousands of apps embedded with Mandrake spyware, which remained undetected for four years. This is alongside researches also finding six apps loaded with Joker fleeceware.

To rectify these issues, Google only last week announced that from later this year developers must provide a number of personal details, as well as adopt two-factor authentication (2FA) for logging into their accounts.

When creating a new account, developers must supply an email address and a phone number, in addition to a contact name and physical address. They’ll also be required to state whether their accounts are personal or professional.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022