These Nine Android Apps May Have Stolen Your Facebook Password

Google has removed nine Android apps totaling more than 5.8 million combined downloads from its Play Store. Researchers discovered that they contained malicious code designed to steal Facebook login credentials, according to Dr. Web.

Ars Technica reported that these trojan apps looked and functioned like legitimate services such as photo editing, exercise, clearing out storage space, and providing daily horoscopes. Dr. Web's malware analysts stated this in a blog post this week. The apps used a clever trick to get users to share their Facebook passwords and usernames.

The scheme worked as follows: users were given the option to access all functions of the app and remove in-app ads by logging into Facebook. This would not raise eyebrows, since many mobile services allow you to sync your social media accounts. After selecting this option, users were shown a genuine Facebook login page where they could enter their usernames and passwords. The information users entered into these forms was captured and sent to the hackers' command and control (C&C) server. Dr. Web's researchers wrote:

"To trick their victims, these trojans used a unique mechanism. After receiving the settings from the C&C server upon launch, they loaded the authentic Facebook page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript from the C&C server into the same WebView. This script was used to steal the login credentials. Using the JavascriptInterface annotation methods, this JavaScript passed the stolen password and login details to the trojan apps, which then sent the data to the C&C server. The trojans stole cookies from the current authorization session after the victim logged in to their account. These cookies were also sent out to cybercriminals."

Ten trojan apps were discovered by the analysts, nine of them previously available on Google Play Store.
Two apps that posed as photo editing software were downloaded the most: Processing Photo (with over 5 million installations) and PIP Photo (with over 500,000). Other apps had over 100,000 downloads.

If you downloaded any of these apps, update your Facebook login information immediately. Also, make sure to check your other online accounts for suspicious activity.

- Processing Photo
- PIP Photo
- Rubbish Cleaner
- Keep an app lock
- App Lock Manager
- Lockit Master
- Horoscope Pi
- Horoscope Daily
- Inwell Fitness

Five malware variants were found in these apps by analysts: Android.PWS.Facebook.13, Android.PWS.Facebook.14, and Android.PWS.Facebook.15, which are native Android apps, and Android.PWS.Facebook.17 and Android.PWS.Facebook.18, which use Google's Flutter framework for cross-platform compatibility. Dr. Web classifies them all as one trojan.

These nine apps are no longer listed in Play Store search results. A Google spokesperson told Ars Technica that the developers were also banned and are now prohibited from creating new apps.
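
For defenders reviewing decompiled app source, the WebView pattern in the researchers' quote can be triaged statically. The sketch below is an added example, not code from Dr. Web, Ars Technica, or the apps themselves; the `triage` helper and both sample classes are constructed for illustration.

```python
import re

# Static indicators for the WebView pattern Dr. Web describes. Each one alone
# is common in legitimate apps; the combination is what deserves review.
INDICATORS = {
    "login_page": re.compile(r'loadUrl\(\s*"https?://[^"]*(login|signin)[^"]*"', re.I),
    "js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "js_bridge": re.compile(r"addJavascriptInterface\(|@JavascriptInterface"),
    "js_injection": re.compile(r'evaluateJavascript\(|loadUrl\(\s*"javascript:'),
}

def triage(source: str) -> dict:
    """Report which indicators occur in one decompiled Java/Kotlin file."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    if {"js_bridge", "js_injection"} <= hits:
        # Script is pushed into the page and can call back into the app.
        # A hard-coded login URL raises the priority; the URL may also come
        # from remote settings, so its absence does not clear the file.
        verdict = "high" if "login_page" in hits else "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "hits": sorted(hits)}

# Constructed samples (not taken from any real app).
SUSPICIOUS = '''
class LoginActivity extends Activity {
  void show(WebView w, String remoteScript) {
    w.getSettings().setJavaScriptEnabled(true);
    w.addJavascriptInterface(new Bridge(), "bridge");
    w.loadUrl("https://www.facebook.com/login.php");
    w.evaluateJavascript(remoteScript, null);
  }
}'''
BENIGN = '''
class HelpActivity extends Activity {
  void show(WebView w) {
    w.getSettings().setJavaScriptEnabled(true);
    w.loadUrl("https://example.com/help");
  }
}'''

if __name__ == "__main__":
    for name, src in (("LoginActivity", SUSPICIOUS), ("HelpActivity", BENIGN)):
        print(name, triage(src))
```

A "review" verdict covers the case where the page URL arrives at runtime, as the quote says the settings did; string matching of this kind is a first-pass filter and does not replace dynamic analysis.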