Google has removed nine apps with a combined 5.8 million downloads from the Play Store after they were found stealing users’ Facebook login details, and has banned the developers of all nine from the store, so they cannot submit new apps. The apps offered useful-looking services such as photo editing and framing, exercise and training, horoscopes, and removal of unwanted files from Android devices. They harvested Facebook credentials with a simple lure: an option to disable in-app ads if the user logged in with their Facebook account.
The nine Android apps were:
- Rubbish cleaner
- Processing Photo
- Inwell Fitness
- Horoscope Daily
- App Lock Keep
- Lockit Master
- Horoscope Pi
- Pip Photo
- App lock Manager
Each app loaded the genuine Facebook sign-in page inside an embedded browser view (an Android WebView), then injected JavaScript fetched from a command-and-control server into that page. Because the page really was Facebook’s, nothing looked wrong to the user, but the injected script could read the username and password as they were typed and hand them to the host app, which forwarded them to the command server. The apps also stole cookies from the authenticated session, so the operators did not even need to replay the password. Facebook was the target in every case, but the operators could just as easily have pointed users at other internet services. Five malware variants were involved, and all of them used the same JavaScript code and the same configuration file formats to siphon off the data.
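The attack described above needs a recognisable combination of Android APIs: a WebView with JavaScript enabled that loads a third-party login page, a JavaScript-to-app bridge (WebView's `addJavascriptInterface`) or runtime script injection (`evaluateJavascript` / `loadUrl("javascript:...")`), and optionally cookie access. The following triage heuristic, added here as an example and not code from the article, Google or Dr.Web, scans decompiled Android source (for instance jadx output) for that combination. The indicator patterns, category names and the two decompiled snippets are constructed for illustration; a hit means "review by hand", not "confirmed malware".

```python
"""Triage heuristic for the WebView credential-harvesting pattern.

Added example, not code from the article or from Google/Dr.Web. It scans
decompiled Android source for the API combination the attack needs: a
WebView with JavaScript on that loads a real identity-provider login page,
plus a JS-to-app bridge or injected script. Indicator lists, category names
and the sample inputs below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Category -> regexes over decompiled Java/Kotlin source lines (constructed).
INDICATORS = {
    "js_enabled":     [r"setJavaScriptEnabled\(\s*true\s*\)"],
    "js_bridge":      [r"addJavascriptInterface\("],
    "js_injection":   [r"evaluateJavascript\(", r"loadUrl\(\s*\"javascript:"],
    "idp_login_page": [r"https?://(m\.|www\.)?facebook\.com/login",
                       r"https?://accounts\.google\.com/"],
    "cookie_access":  [r"CookieManager\.getInstance\(\)\.getCookie\("],
}

# Minimum shape of the attack: JS on + a real login page, and some channel
# (bridge or injection) by which page JavaScript can talk to the app.
REQUIRED_CORE = ("js_enabled", "idp_login_page")
REQUIRED_ANY = ("js_bridge", "js_injection")


@dataclass
class Finding:
    suspicious: bool
    hits: dict = field(default_factory=dict)  # category -> [(line_no, line)]

    def categories(self):
        return sorted(self.hits)


def scan_source(lines):
    """Return a Finding for an iterable of decompiled source lines."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        for category, patterns in INDICATORS.items():
            if any(re.search(p, line) for p in patterns):
                hits.setdefault(category, []).append((number, line.strip()))
    core_ok = all(c in hits for c in REQUIRED_CORE)
    channel_ok = any(c in hits for c in REQUIRED_ANY)
    return Finding(suspicious=core_ok and channel_ok, hits=hits)


# Constructed decompiled snippet mimicking the "log in to remove ads" flow.
SUSPECT_DECOMPILED = """\
public class AdFreeLoginActivity extends Activity {
    WebView webView = (WebView) findViewById(R.id.web);
    webView.getSettings().setJavaScriptEnabled(true);
    webView.addJavascriptInterface(new JsBridge(this), "Android");
    webView.setWebViewClient(new WebViewClient() {
        public void onPageFinished(WebView view, String url) {
            String js = RemoteConfig.fetchScript(remoteScriptUrl);
            view.evaluateJavascript(js, null);
            String cookie = CookieManager.getInstance().getCookie(url);
        }
    });
    webView.loadUrl("https://www.facebook.com/login.php");
}
"""

# Constructed benign snippet: JS on, but only the app's own help page, no bridge.
BENIGN_DECOMPILED = """\
public class HelpActivity extends Activity {
    WebView webView = (WebView) findViewById(R.id.help);
    webView.getSettings().setJavaScriptEnabled(true);
    webView.loadUrl("https://example.com/help");
}
"""

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_DECOMPILED), ("benign", BENIGN_DECOMPILED)):
        f = scan_source(src.splitlines())
        print(f"{name}: suspicious={f.suspicious} categories={f.categories()}")
        for cat, lines in f.hits.items():
            for no, text in lines:
                print(f"  [{cat}] line {no}: {text}")
```

Legitimate apps do embed third-party login pages, so treat a flag as a prompt to look at what the injected script and the bridge object actually do; the `cookie_access` category is the strongest single signal, because a normal "log in to unlock a feature" flow has no reason to read the identity provider's session cookies.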