Android Applications Caught Stealing Users’ Facebook Passwords

Research by Doctor Web malware analysts uncovered applications on the Google Play Store that steal Facebook users’ logins and passwords. They were stealer Trojans spread as harmless software. Google stepped in and removed nine of the ten Android applications, which had been downloaded more than 5.6 million times from the Google Play Store. However, at the time of the news release, some applications were still available for download in the Google Play Store.

The researchers from Dr. Web said, “The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps’ functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts. The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions.”

While this campaign appears to have set its sights on Facebook accounts, Dr. Web researchers cautioned that the attack could easily have been expanded to load the login page of any legitimate web platform, with the goal of stealing logins and passwords from a variety of services.

How were the passwords stolen?

All the applications mentioned in Dr. Web’s report had real features that led unsuspecting users to trust them. They even allowed users to unlock more features and turn off in-app advertising by logging into their Facebook accounts. They took advantage of the widespread use of Google and Facebook login to steal passwords from unsuspecting users.

The researchers describe how the theft worked: “After receiving the required settings from one of the C&C servers at startup, they loaded the legitimate Facebook website https://www.facebook.com/login.php into WebView.”

The applications masked their malicious intent by disguising themselves as photo-editing, optimizer, fitness, and astrology programs, only to trick victims into logging into their Facebook accounts and hijack the entered credentials via a piece of JavaScript code, received from the C&C server, that was loaded into the same WebView.

The JavaScript then passed the stolen login and password to the application through methods exposed with the JavascriptInterface annotation, and the application transferred the user’s data to the attackers’ C&C server. Once users had logged into their accounts, the trojan applications also stole the session cookies and transferred those to the criminals as well.
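A static-triage check for the pattern described above, added here as an example and not code from Dr. Web or from the original article: it scans decompiled app source for a WebView that enables JavaScript, exposes a Java bridge, pushes script into the page, and loads a login page on a domain the app does not own. The regexes, the verdict rules, and the names `triage`, `Bridge` and `remoteSettings` are assumptions of this example, and the sample snippets are constructed.

```python
import re

# Static-triage heuristics for decompiled Android sources. The regexes and
# verdict rules are assumptions of this example, not Dr. Web's detection logic.
INDICATORS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_bridge": re.compile(r"addJavascriptInterface\s*\(|@JavascriptInterface"),
    "script_injection": re.compile(r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:'),
    "cookie_read": re.compile(r"CookieManager\b.*\.getCookie\s*\("),
}
# Hard-coded login pages only; a URL delivered in remote settings is not visible here.
LOGIN_URL = re.compile(r'loadUrl\s*\(\s*"https?://([^/"]+)[^"]*(?:login|signin)[^"]*"', re.I)


def triage(source, own_domains=()):
    """Return a verdict plus the indicators found in one decompiled source file."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    foreign = sorted({
        host.lower() for host in LOGIN_URL.findall(source)
        if not any(host.lower() == d or host.lower().endswith("." + d) for d in own_domains)
    })
    # Core pattern: JavaScript on, a Java bridge exposed, script pushed into the page.
    core = {"js_enabled", "js_bridge", "script_injection"} <= hits
    if core and (foreign or "cookie_read" in hits):
        verdict = "suspicious"
    elif core or foreign:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "indicators": sorted(hits), "foreign_login_hosts": foreign}


# Constructed snippets (call sites only), not taken from the reported apps.
SAMPLE_FLAGGED = '''
w.getSettings().setJavaScriptEnabled(true);
w.addJavascriptInterface(new Bridge(), "bridge");
w.loadUrl("https://www.facebook.com/login.php");
w.evaluateJavascript(remoteSettings.script, null);
String c = CookieManager.getInstance().getCookie(url);
'''
SAMPLE_BENIGN = '''
w.getSettings().setJavaScriptEnabled(true);
w.loadUrl("https://help.example.com/faq");
'''

if __name__ == "__main__":
    for name, src in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(name, triage(src, own_domains=("example.com",)))
```

A "review" verdict only means a human should look at the file: an app that embeds its own sign-in page in a WebView can trip the login-URL rule unless its domains are passed in `own_domains`.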

The Trojan Applications are as follows:

  1. PIP photo
  2. Process photo
  3. Garbage cleaner
  4. Daily horoscope
  5. Keep app lock
  6. Lockit master
  7. Horoscope more
  8. App lock manager
  9. Inwell Fitness

Remediation

According to a report by Ars Technica, Google has banned the developers of those applications, which means they are no longer allowed to submit new applications.

The researchers advise users who downloaded any of these applications and used the Facebook login option to disable or uninstall the applications from their Facebook account and to change their password at the same time.

If you’ve downloaded these apps and used the Facebook sign-in option, it is recommended that you disable these apps from your Facebook account and change your password.