Android Apps with 5.8 million Installs Caught Stealing Users’ Facebook Passwords

Jul 3, 2021 by iHash Leave a Comment

Google intervened to remove nine Android apps downloaded more than 5.8 million times from the company’s Play Store after the apps were caught furtively stealing users’ Facebook login credentials.

“The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps’ functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts,” researchers from Dr. Web said. “The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions.”

The offending apps masked their malicious intent by disguising as photo-editing, rubbish cleaner, fitness, and astrology programs, only to trick victims into logging into their Facebook account and hijack the entered credentials via a piece of JavaScript code received from an adversary-controlled server.

The list of apps are as follows –

PIP Photo (>5,000,000 installs)
Processing Photo (>500,000 installs)
Rubbish Cleaner (>100,000 installs)
Horoscope Daily (>100,000 installs)
Inwell Fitness (>100,000 installs)
App Lock Keep (50,000 installs)
Lockit Master (5,000 installs)
Horoscope Pi (>1,000 installs)
App Lock Manager (10 installs)

In the last link of the attack, the stolen information was exfiltrated to the server using the trojanized applications.

While this specific campaign appears to have set its sights on Facebook accounts, Dr. Web researchers cautioned that this attack could have been easily expanded to load the login page of any legitimate web service with the goal of stealing logins and passwords from any platform.

The latest disclosure comes days after Google announced new measures for the Play Store, including requiring developer accounts to turn on 2-Step Verification (2SV), provide an address, and verify their contact details as part of its ongoing efforts to combat scams and fraudulent developer accounts.

If anything, the development is yet another reminder that users are better off served by installing apps from known and trusted developers, watch out for permissions requested by the apps, as well as to pay attention to other user reviews prior to installation.

Source link

Leave a Reply Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

O’Reilly 2023 Tech Trends Report Reveals Growing Interest in Artificial Intelligence Topics, Driven by Generative AI Advancement

O’Reilly, a premier source for insight-driven learning on technology and business, announced the findings of its annual Technology Trends for 2023 report, which examines the most sought-after technology topics consumed by the 2.8 million users on O’Reilly’s online learning platform. Each year, this usage data reveals which technology tools are growing in popularity—and which are declining—giving business […]

Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites

Mar 24, 2023Ravie LakshmananWeb Security / WordPress Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on […]

Is Managed Prometheus Right For You

What is Prometheus? Prometheus is the de facto open-source solution for collecting and monitoring metrics data. Its straightforward architecture, operational reliability, minimal upfront cost, and versatility in integrating with cloud-native systems make it the preferred choice for many. Getting started is as simple as configuring the Prometheus server and setting simple parameters such as the […]

German and South Korean Agencies Warn of Kimsuky’s Expanding Cyber Attack Tactics

Mar 23, 2023Ravie LakshmananCyber Attack / Browser Security German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users’ Gmail inboxes. The joint advisory comes from Germany’s domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), […]

Leather AirTag Case – Black for $29

Expires March 20, 2123 19:21 PST Buy now and get 14% off KEY FEATURES It’s all about tracking, not exposing. VogDUO AirTag Leather Case provides the best protection from privacy and damages for your personal belongings. For your best interests, we recommend the users keep the AirTag from exposure. Thus, we use Premium Italian Leather […]

Leather AirTag Case – Tan for $29

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.2.0

Pangu has updated its jailbreak utility for iOS 9.0 to 9.0.2 with a fix for the manage storage bug and the latest version of Cydia. Change log V1.2.0 (2015-10-27) 1. Bundle latest Cydia with new Patcyh which fixed failure to open url scheme in MobileSafari 2. Fixed the bug that “preferences -> Storage&iCloud Usage -> […]

Apple Blocks Pangu Jailbreak Exploits With Release of iOS 9.1

Apple has blocked exploits used by the Pangu Jailbreak with the release of iOS 9.1. Pangu was able to jailbreak iOS 9.0 to 9.0.2; however, in Apple’s document on the security content of iOS 9.1, PanguTeam is credited with discovering two vulnerabilities that have been patched.

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.1.0

Pangu has released an update to its jailbreak utility for iOS 9 that improves its reliability and success rate. Change log V1.1.0 (2015-10-21) 1. Improve the success rate and reliability of jailbreak program for 64bit devices 2. Optimize backup process and improve jailbreak speed, and fix an issue that leads to fail to […]

Activator 1.9.6 Released With Support for iOS 9, 3D Touch

Ryan Petrich has released Activator 1.9.6, an update to the centralized gesture, button, and shortcut manager, that brings support for iOS 9 and 3D Touch.

The All-In-One Microsoft Office Professional for Windows 2021 & The Premium Microsoft Office Training Bundle for $69

Scrivener 3: Award-Winning App for Writers (Windows) for $29

Roomie Sophie Smart Body Scale with Free App for $32

Leather AirTag Case – Black for $29

Leather AirTag Case – Tan for $29

Android Apps with 5.8 million Installs Caught Stealing Users’ Facebook Passwords

The All-In-One Microsoft Office Professional for Windows 2021 & The Premium Microsoft Office Training Bundle for $69

Scrivener 3: Award-Winning App for Writers (Windows) for $29

Roomie Sophie Smart Body Scale with Free App for $32

Leather AirTag Case – Black for $29

Leather AirTag Case – Tan for $29

Share this:

Reader Interactions

Leave a Reply Cancel reply