On Thursday, July 1st, analysts from security firm Dr. Web uncovered ten Android apps that contained hidden trojans. Of these apps, nine were available on Google Play and had been downloaded almost 6 million times combined. The apps offered users the option to remove in-app ads by logging into their Facebook accounts. Users saw a genuine Facebook login form, but after entering their password, the information was stolen and threat actors now had access to the user’s account.
Dr. Web analysts said:
These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page (https://www.facebook.com/login.php) into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to highjack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.
Here’s the list of apps that were identified as containing the virus:
- Processing Photo by developer chikumburahamilton
- App Lock Keep by developer Sheralaw Rence
- App Lock Manager by developer Implummet col
- Lockit Master by developer Enali mchicolo
- Rubbish Cleaner by developer SNT.rbcl
- Horoscope Daily by developer HscopeDaily momo
- Horoscope Pi by developer Talleyr Shauna
- Inwell Fitness by developer Reuben Germaine
- PIP Photo by developer Lillians
Analyst Notes
A Google spokesman said that the company has removed all apps containing the virus, as well as banning the developers of the apps from the store so they cannot submit new apps. Any of these developers can sign up for a new developer account for $25 under a new name at any time, therefore it’s important to watch what you’re downloading. Only install apps from known, trusted developers and pay attention to what permissions you grant the app access to, as well as being cautious when logging into your accounts on other apps. Reviews can also give insight to apps and what other users have encountered, though this is not a guaranteed way to ensure app security. If you have installed any of the apps listed above, it is important that you examine your device and Facebook account for signs of compromise. It is recommended to change any Facebook account password that may have been entered in these apps and enable multi-factor authentication (MFA) if not already setup. It is important to note that if a malicious app steals the Facebook authentication tokens, that can be used to bypass MFA protections and take over an account anyway.
https://news.drweb.com/show/?i=14244&lng=en
