Android Apps Stealing Login Credentials Removed from Play Store

After discovering that nine Android Apps, including one with millions of users, were collecting users’ Facebook Inc. login credentials, Google LLC deleted them from the Play store. The programs, dubbed “stealer Trojans,” were discovered and disclosed on July 1 by malware specialists at Dr. Web. They were distributed as harmless software and were installed nearly 6 million times.

Unlike earlier instances of malicious Android Apps being detected, the apps, in this case, all provided legitimate services such as photo editing and framing, exercise and training, horoscopes, and junk file cleanup. For example, PIP Photo had up to 5 million downloads, Processing Photo had up to 500,000 downloads, Rubbish Cleaner, Horoscope Daily, and Inwell Fitness had up to 100,000 downloads, and App Lock Keep had up to 50,000 downloads. The list was completed by Lockit Master, Horoscope Pi, and App Lock Manager.

Users were given the option to deactivate in-app adverts by connecting to their Facebook account across all apps. When app users choose the choice, they were provided with a regular Facebook login screen. Still, with one difference: the genuine Facebook login page was displayed in WebView, with JavaScript loaded to intercept the entered login credentials.

When users input their Facebook login credentials, the JavaScript will transfer them to the attacker’s command-and-control server, leaving the users in the dark. The Trojan also stole cookies from the current authorization sessions when the victims logged into their accounts. Google has yet to provide a public remark regarding the apps. However, the apps have been pulled from the store, according to Ars Technica. The developers of the apps have also been banned, according to a Google spokeswoman.