These 9 Android Apps Can Steal People's Facebook Credentials, Research Found


Malicious apps don't look malicious. In fact, they may look appealing, convincing, and very legitimate.

Time and again, researchers have found that the Google Play Store is still a safe haven for malware-ridden Android apps. As found by security firm Dr. Web, 9 malicious apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and even removal of junk files from Android devices. The apps seem to be very capable and powerful.

However, the apps are powered by ads. And if users want to use the apps without ads, they have to log in to their Facebook accounts.

This is where the apps turn malicious.

Behind the users' backs, the apps can steal their username and password combinations.

The apps can also steal cookies.

The apps steal users' credentials by connecting to their command-and-control servers upon launch and then loading the legitimate Facebook web page at https://www.facebook.com/login.php into a WebView.

However, the apps then load JavaScript received from their command-and-control servers and inject the code into the same WebView.

This way, the apps can record and steal whatever users enter in the fields.

After the victim has logged into their account, the trojans can also steal cookies from the victim's current authorization session. Those cookies are also sent to the malicious actors behind the apps.

The analysis by Dr. Web found that all of the 9 malicious apps receive settings for stealing logins and passwords of Facebook accounts.

Making things worse, the page that can be rendered in the WebView is interchangeable, meaning that the malicious actors can easily change the trojan's settings to lead unsuspecting users to any legitimate service they wish.

In other words, the apps can be used to steal login credentials from any service.
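A defender triaging a suspicious APK can look for this chain statically. The following is an added example, not code from Dr. Web or from the original article: it scans disassembled smali text for the WebView page load, JavaScript enablement, script injection and cookie access described above, and it deliberately does not key on the Facebook URL because the loaded page is interchangeable. The signal names, the verdict rule and the sample fragments are assumptions constructed for illustration; the method references are real Android framework APIs.

```python
import re

# Smali references to real Android framework methods. Grouping them into
# signals and the verdict rule below are assumptions made for this example.
SIGNALS = {
    "page_load": r"Landroid/webkit/WebView;->loadUrl\(",
    "js_enabled": r"Landroid/webkit/WebSettings;->setJavaScriptEnabled\(Z\)V",
    "script_inject": r'Landroid/webkit/WebView;->evaluateJavascript\(|"javascript:',
    "cookie_read": r"Landroid/webkit/CookieManager;->getCookie\(",
}

def scan_smali(text):
    """Return the set of signal names whose pattern occurs in one smali file."""
    return {name for name, pat in SIGNALS.items() if re.search(pat, text)}

def verdict(signals):
    """Rank one class against the chain: load page, inject script, read cookies."""
    chain = {"page_load", "js_enabled", "script_inject"} <= signals
    if chain and "cookie_read" in signals:
        return "high"    # script injection plus session-cookie access
    if chain:
        return "review"  # script injected into a loaded page; may be benign
    return "none"

def triage(files):
    """Map {path: smali_text} to {path: (verdict, sorted signal names)}."""
    out = {}
    for path, text in files.items():
        sigs = scan_smali(text)
        out[path] = (verdict(sigs), sorted(sigs))
    return out

# Constructed smali fragments (not taken from any real app).
SAMPLE = {
    "LoginActivity.smali": """
        invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
        invoke-virtual {p0, v2}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
        invoke-virtual {p0, v3, v4}, Landroid/webkit/WebView;->evaluateJavascript(Ljava/lang/String;Landroid/webkit/ValueCallback;)V
        invoke-virtual {v5, v2}, Landroid/webkit/CookieManager;->getCookie(Ljava/lang/String;)Ljava/lang/String;
    """,
    "HelpActivity.smali": """
        invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
        invoke-virtual {p0, v2}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
    """,
}

if __name__ == "__main__":
    for path, (rank, sigs) in triage(SAMPLE).items():
        print(f"{path}: {rank} {sigs}")
```

A "review" or "high" result is a prompt for manual inspection of where the injected script comes from, since legitimate apps also combine these calls.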

The 9 Android apps capable of stealing their users' Facebook credentials

The list of apps is as follows:

  1. PIP Photo (>5,000,000 installs).
  2. Processing Photo (>500,000 installs).
  3. Rubbish Cleaner (>100,000 installs).
  4. Horoscope Daily (>100,000 installs).
  5. Inwell Fitness (>100,000 installs).
  6. App Lock Keep (50,000 installs).
  7. Lockit Master (5,000 installs).
  8. Horoscope Pi (>1,000 installs).
  9. App Lock Manager (10 installs).

Fortunately, Google removed the 9 Android apps, which had been downloaded more than 5.8 million times combined, from the company's Play Store.

"The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps' functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts," researchers from Dr. Web said.

"The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions."

The removal of the apps comes days after Google announced enhanced measures for the Play Store, in which it requires developer accounts to turn on 2-Step Verification, provide an address, and verify their contact details as part of its ongoing efforts to combat scams and fraudulent developer accounts.

Published: 05/07/2021