This Is Bad: Apps With 5.8 Million Google Play Downloads Stole Users’ Facebook Passwords

I’ve said for years that the Google Play Store is a gong show as apps that have massive security issues keep ending up in the store to cause all sorts of havoc for Android users. And today I have another example of that. Google just punted a bunch of apps out of the Play Store that stole the login credentials for Facebook:

Google has given the boot to nine Android apps downloaded more than 5.8 million times from the company’s Play marketplace after researchers said these apps used a sneaky way to steal users’ Facebook login credentials. In a bid to win users’ trust and lower their guard, the apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices, according to a post published by security firm Dr. Web. All of the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a genuine Facebook login form containing fields for entering usernames and passwords. 

Then, as Dr. Web researchers wrote: “These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page… into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals. Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts. However, the attackers could have easily changed the trojans’ settings and commanded them to load the web page of another legitimate service. They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service.” 

The majority of the downloads were for an app called PIP Photo, which was accessed more than 5.8 million times. The app with the next greatest reach was Processing Photo, with more than 500,000 downloads. The remaining apps were: Rubbish Cleaner: more than 100,000 downloads; Inwell Fitness: more than 100,000 downloads; Horoscope Daily: more than 100,000 downloads; App Lock Keep: more than 50,000 downloads; Lockit Master: more than 5,000 downloads; Horoscope Pi: 1,000 downloads; and App Lock Manager: 10 downloads. A search of Google Play shows that all apps have been removed from Play.
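The Dr. Web description above spells out the moving parts that made these apps work: a WebView with JavaScript turned on, a bridge back into the app exposed through JavascriptInterface, a script pushed in at runtime from the C&C server, and a read of the session cookies afterwards. None of those APIs is malicious by itself, but the combination inside one component is exactly what an app reviewer or analyst would want to flag. The script below is an added example, not Dr. Web's, Google's or any of the named apps' code: it scans decompiled Android source text for that co-occurrence and returns a triage verdict. The `android.webkit` API names it searches for are real; the two embedded source snippets are constructed here to show a benign WebView and one matching the report's pattern, and the scoring thresholds are my own assumption.

```python
"""Static triage heuristic for the WebView credential-theft pattern in the report.

Added example; not tooling from Dr. Web, Google, or the apps named above.
Scans decompiled Java/Kotlin source for the co-occurrence of API uses the
report describes. Each indicator is benign on its own; the verdict depends on
how many of the core ones appear together (threshold is an assumption).
"""
import re
from dataclasses import dataclass, field

# Indicator name -> regex over source text. All are real android.webkit calls.
INDICATORS = {
    "js_enabled":        re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_bridge":         re.compile(r"addJavascriptInterface\s*\("),
    "bridge_annotation": re.compile(r"@JavascriptInterface\b"),
    "runtime_script":    re.compile(r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:'),
    "cookie_read":       re.compile(r"CookieManager\b[^;\n]*getCookie\s*\("),
}

# The three indicators that together match the mechanism in the report.
CORE = {"js_bridge", "runtime_script", "cookie_read"}


@dataclass
class Finding:
    indicator: str
    line_no: int
    snippet: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def indicators(self):
        """Sorted, de-duplicated list of indicator names seen."""
        return sorted({f.indicator for f in self.findings})

    @property
    def verdict(self):
        """'high' if all core indicators co-occur, 'medium' for two, else 'low'."""
        hits = len(CORE & set(self.indicators))
        return "high" if hits == 3 else "medium" if hits == 2 else "low"


def scan_source(text):
    """Line-by-line regex scan of decompiled source; returns a Report."""
    report = Report()
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                report.findings.append(Finding(name, line_no, line.strip()))
    return report


def triage(text):
    """Convenience wrapper returning only the verdict string."""
    return scan_source(text).verdict


# Constructed sample: a help page rendered in a WebView, no bridge, no injection.
BENIGN = """
WebView wv = findViewById(R.id.help);
wv.getSettings().setJavaScriptEnabled(true);
wv.loadUrl("https://example.com/help");
"""

# Constructed skeleton mirroring the report's description; not functional code.
SUSPICIOUS = """
WebView wv = new WebView(ctx);
wv.getSettings().setJavaScriptEnabled(true);
wv.addJavascriptInterface(new Bridge(), "Android");
wv.loadUrl(targetUrl);                     // legitimate login page chosen by C&C settings
wv.evaluateJavascript(remoteScript, null); // script received from C&C
String cookies = CookieManager.getInstance().getCookie(targetUrl);
@JavascriptInterface public void report(String payload) { /* forwarded to C&C */ }
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        r = scan_source(src)
        print(f"{label}: verdict={r.verdict} indicators={r.indicators}")
        for f in r.findings:
            print(f"  line {f.line_no}: {f.indicator}: {f.snippet}")
```

Run against a decompiled tree (for example the output of jadx, one file at a time), a "high" verdict is a prompt for manual review rather than a conviction: legitimate hybrid apps also use `addJavascriptInterface` and `evaluateJavascript`, which is why the heuristic scores the combination with a cookie read rather than any single call.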

Now you can say that Google did punt these apps. And to be fair they did. But these apps have been installed thousands of times, or in some cases hundreds of thousands of times. Which means that in some cases they were on the Play Store for a while. And that’s bad. You can also say that this happens on the Apple App Store. And it does. But not to the scale that it happens on the Google Play Store. That’s something that both companies need to improve.
