On Thursday, July 1st, analysts from security firm Dr. Web uncovered ten Android apps that contained hidden trojans. Of these apps, nine were available on Google Play and had been downloaded almost 6 million times combined. The apps offered users the option to remove in-app ads by logging into their Facebook accounts. Users saw a genuine Facebook login form, but once they entered their password, it was stolen, giving threat actors access to the user's account.
Dr. Web analysts said:
These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page (https://www.facebook.com/login.php) into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.
Here’s the list of apps that were identified as containing the trojans:
- Processing Photo by developer chikumburahamilton
- App Lock Keep by developer Sheralaw Rence
- App Lock Manager by developer Implummet col
- Lockit Master by developer Enali mchicolo
- Rubbish Cleaner by developer SNT.rbcl
- Horoscope Daily by developer HscopeDaily momo
- Horoscope Pi by developer Talleyr Shauna
- Inwell Fitness by developer Reuben Germaine
- PIP Photo by developer Lillians
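
The mechanism Dr. Web describes (a real login page in a WebView, a JavascriptInterface bridge, and script that arrives at runtime) leaves a recognisable combination of calls in decompiled code. The static triage check below is an added example, not code from Dr. Web or from the apps; the watch list, indicator names and both samples are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts whose login page an unrelated app should not embed.
# facebook.com comes from the report; extend the set to match review policy.
WATCHED_LOGIN_HOSTS = {"facebook.com"}

# One indicator per step of the behaviour Dr. Web describes.
INDICATORS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "js_bridge": re.compile(r"addJavascriptInterface\s*\(|@JavascriptInterface"),
    # Script built from a variable rather than passed as a fixed literal.
    "dynamic_script": re.compile(
        r'evaluateJavascript\(\s*[A-Za-z_]|loadUrl\(\s*"javascript:"\s*\+'),
    "cookie_read": re.compile(r"CookieManager[\w.()]*\.getCookie\("),
}
LOAD_URL = re.compile(r'loadUrl\(\s*"(https?://[^"]+)"')

def watched_logins(source):
    """Literal WebView URLs whose host is, or is a subdomain of, a watched host."""
    hits = []
    for url in LOAD_URL.findall(source):
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:  # malformed literal, e.g. unbalanced IPv6 brackets
            continue
        if any(host == h or host.endswith("." + h) for h in WATCHED_LOGIN_HOSTS):
            hits.append(url)
    return hits

def triage(source):
    """Score one decompiled source file against the described behaviour."""
    found = {name for name, rx in INDICATORS.items() if rx.search(source)}
    logins = watched_logins(source)
    # Flag only the combination: a watched login page, a bridge that lets page
    # script call into the app, and script that is not a fixed literal.
    suspicious = bool(logins) and {"js_bridge", "dynamic_script"} <= found
    return {"suspicious": suspicious, "indicators": sorted(found), "login_urls": logins}

# Constructed samples, not taken from the analysed apps.
FLAGGED = """settings.setJavaScriptEnabled(true);
view.addJavascriptInterface(new Bridge(), "bridge");
view.loadUrl("https://www.facebook.com/login.php");
view.loadUrl("javascript:" + scriptFromServer);
String c = CookieManager.getInstance().getCookie(url);"""
BENIGN = 'settings.setJavaScriptEnabled(true);\nview.loadUrl("https://help.example.org/faq");'

if __name__ == "__main__":
    print(triage(FLAGGED), triage(BENIGN), sep="\n")
```

A hit is a reason to review the file by hand, not a verdict: each call is legitimate on its own, and only their combination around a third-party login page matches the report.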