Apps with 5.8 million Google Play downloads stole users' Facebook passwords

Google has removed nine Android apps from its Play marketplace after researchers discovered that the apps were able to steal Facebook login credentials.

According to Dr. Web, the apps were designed to gain trust and lower users' guard, and provided fully functioning services such as photo editing and framing, exercise and training, horoscopes, and removing junk files from Android phones. All the apps identified offered users the option to disable in-app ads by logging into Facebook. Users who selected this option were shown the authentic Facebook login page, with fields for entering a username and password.

As the Dr. Web researchers wrote:

"To trick their victims, these trojans used a unique mechanism. After receiving the settings from the C&C server upon launch, they loaded the authentic Facebook page https://www.facebook.com/login.php to WebView. Next, they loaded JavaScript from the C&C server to the same WebView. This script was used to steal the login credentials. Using the JavascriptInterface annotation methods, this JavaScript passed the stolen password and login details to the trojan apps, which then sent the data to the C&C server. The trojans stole cookies from the current authorization session after the victim logged in to their account. These cookies were also sent out to cybercriminals. Analysing the malicious programs revealed that all of them received settings to steal logins and passwords from Facebook accounts. The attackers could have changed the trojans' settings to command them to load a legitimate website. Even phishing sites could have provided a fake login form. The trojans could have been used for stealing logins and passwords from any website."

Researchers found five malware variants in the apps. The variants were found in three native Android apps and two apps using Google's Flutter framework, which is designed to be cross-platform compatible. Dr. Web stated that all of the trojans are the same trojan, as they use identical JavaScript code and configuration files to steal user data.

Most of the downloads were for PIP Photo, which was downloaded more than 5 million times. Processing Photo was the app with the second-highest download count, with over 500,000. The rest of the apps were:

Google Play searches show that all the apps have been removed. A Google spokesperson stated that all developers of the nine apps have been removed from Google Play, which means they won't be permitted to create new apps. Although this is the right thing for Google to do, the developers will still be able to sign up for a developer account under a different name and pay $25 for it.

Anyone who downloaded any of these apps should carefully examine their device as well as their Facebook account for any indications of compromise. It is a good idea to download an Android antivirus app from a trusted security company and scan for malicious apps. Malwarebytes' offering is my favorite.
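
For analysts reviewing decompiled apps, the WebView behaviour the Dr. Web researchers describe can be turned into a static triage heuristic. The following is an added example, not code from Dr. Web or the original article; the regexes, the flagging rule, and the sample file names and snippets are assumptions constructed for illustration.

```python
import re

# Indicators derived from the behaviour described above. The patterns and the
# flagging rule are assumptions for this example, not vendor signatures.
INDICATORS = {
    # Java object exposed to page script (the JavascriptInterface bridge)
    "js_bridge": re.compile(r'addJavascriptInterface\s*\(|@JavascriptInterface'),
    # Script pushed into an already loaded page
    "script_injection": re.compile(r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:'),
    # Session cookies read back out of the WebView
    "cookie_read": re.compile(r'\bgetCookie\s*\('),
    # Page URL supplied at run time (e.g. from remote settings), not a literal
    "dynamic_url": re.compile(r'loadUrl\s*\(\s*[A-Za-z_]'),
}

def triage(app_sources):
    """app_sources maps file path -> decompiled Java source of one app."""
    hits = {}
    for path, src in app_sources.items():
        for name, rx in INDICATORS.items():
            if rx.search(src):
                hits.setdefault(name, []).append(path)
    # A JS bridge alone is normal in hybrid apps. Flag for manual review only
    # when it is combined with injected script and cookie or remote-URL use.
    review = ("js_bridge" in hits and "script_injection" in hits
              and ("cookie_read" in hits or "dynamic_url" in hits))
    return {"review": review, "hits": {k: sorted(v) for k, v in sorted(hits.items())}}

# Constructed sample: fragments showing the API combination from the report.
SAMPLE_SUSPICIOUS = {
    "LoginActivity.java": '''
        webView.addJavascriptInterface(new Bridge(), "bridge");
        webView.loadUrl(config.getPageUrl());
        webView.evaluateJavascript(config.getScript(), null);
    ''',
    "Bridge.java": '''
        @JavascriptInterface
        public void onForm(String a, String b) {}
        String c = CookieManager.getInstance().getCookie(pageUrl);
    ''',
}
# Constructed sample: an ordinary hybrid app loading its own bundled page.
SAMPLE_HYBRID = {
    "MainActivity.java": '''
        webView.addJavascriptInterface(new UiBridge(), "ui");
        webView.loadUrl("file:///android_asset/index.html");
    ''',
}

if __name__ == "__main__":
    print(triage(SAMPLE_SUSPICIOUS))
    print(triage(SAMPLE_HYBRID))
```

A match only marks an app for manual review: legitimate apps use the same APIs, and obfuscated or reflective calls will not match these patterns.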