Google has removed nine apps from its Play store after researchers showed that they sneakily stole users’ Facebook login credentials. The apps were disguised under names that sounded like everyday utility tools, including Rubbish Cleaner and Horoscope Daily. According to a report, the malicious apps had approximately 5.9 million combined downloads on the Google Play store — with PIP Photo alone having 5.8 million downloads — and carried five different variants of malware. Google had earlier removed three apps meant for children over privacy violations.
Dr. Web, an antivirus service, reports that its malware analysts discovered nine malicious apps – Processing Photo, App Lock Keep, Rubbish Cleaner, Horoscope Daily, Horoscope Pi, App Lock Manager, Lockit Master, Inwell Fitness, and PIP Photo. These apps reportedly acted as trojan malware and stole users’ Facebook login credentials after offering users the option to disable ads by logging in via their social media accounts. Dr. Web’s report was spotted by Ars Technica.
These apps tricked users by showing an exact replica of Facebook’s login page. The apps then loaded a JavaScript command that stole the users’ login credentials. The apps also apparently stole browser cookies from the authorisation session. There were a total of five malware variants, and all of them reportedly used identical JavaScript code to steal user data. The report also noted that of the five malware variants, three were native Android apps and two were created using Google’s Flutter SDK.
The malware variants identified by Dr. Web are Android.PWS.Facebook.13, Android.PWS.Facebook.14, Android.PWS.Facebook.15, Android.PWS.Facebook.17, and Android.PWS.Facebook.18.
A Google spokesperson told Ars Technica that the company had also banned the developers of all nine apps from the Google Play store, which would stop these developer accounts from publishing any new apps on the marketplace. This is a positive step by Google, but a new developer account, under a different name, can be created for a nominal fee of $25 (roughly Rs. 1,900).
Users are advised not to download any app from an unknown developer, regardless of how many downloads the app might have. In this case, PIP Photo had the most downloads at 5.8 million, followed by Processing Photo at 500,000 downloads. Anyone who has downloaded these apps should thoroughly examine their device and Facebook account for suspicious activity.