Facebook data-stealing malware detected on Google Play Store

Android users are in danger again: downloaders on Google Play spread malware that steals Facebook passwords

A new variant of Android virus^[1] was detected on Google Play Store. It uses social engineering techniques to trick users into downloading malicious apps. Malware targets English and Vietnamese users and aims to steal their Facebook login details.

Security firm Avast^[2] detected multiple downloaders that pretended to be entertainment and lifestyle apps, such as voice recorders or chess games. Once installed, these apps triggered the installation of further malicious apps that perform other malicious activities.

Fortunately, these applications were removed from Google Play and developer accounts were blocked. However, it’s unknown how many people may have suffered from this Android malware. Researchers suspect that this Android malware origins from Vietnam because malicious apps use the name of popular applications in this region.

Malicious apps ask for the admin rights

Malicious apps managed to bypass Google security^[3] because the downloaders that uploaded to the store do not have malicious features. They are designed to download malicious components and run illegal tasks as soon as they are installed on the Android smartphone.

The main suspicious activity is that malicious apps require admin rights. However, if users do not give them, the app starts displaying fake Google Play service errors. Crooks designed a legit-looking dialogue window which is delivered when a user tries to open any apps. The message tells:

Service error!
Google Play services has been
disabled by the system or a
third party.
Please enable to avoid unwanted
bugs!

Clicking “Activate” button on the pop-up, users are asked to “Activate device administrator,” meaning giving the malicious app permission to get full access to the device. The crash alerts preventing from accessing needed application are annoying. Thus, there’s no doubt that sooner or later users give malware what it wants.

Android malware steals location details and Facebook credentials

When Android virus gets access to the affected device, it informs malware command and control server about a successful task. Then it checks and sends device ID, location (IP address), language, mobile operator, and display parameters.

Additionally, malicious apps can perform click-fraud^[4] activities. Avast research tells that apps include a couple of advertising platforms. However, they can not only deliver ads or video ads but trick user into clicking them or clicking on behalf of a victim.

However, the most important task is stealing Facebook credentials. Malware continues to be a Google Play service notification that alerts about issues with user’s Facebook account and asks to log in again. Therefore, users give criminals their login details and password without realizing it.

Crooks do not use a fake Facebook page. Victims actually see a real Facebook login page. However, victims access the page via a malicious app which can inject JavaScript code into the legit page. Thus, when users enter their credentials, the dangerous app can easily collect them.

Facebook accounts can be sold and used for advertising purposes

What happens when criminals get access to your account? They can add or confirm friends, comment, like or share content, and perform other regular user’s activities. The point of this activity is that these accounts can be sold to businesses that want to get more user’s engagement or even increase sales.

Compromised real people accounts are valuable in the market because they are not likely to be flagged as fake ones and banned from the social network.^[5] Thus, if you were hit by this Android malware, you should immediately change all your passwords (not only Facebook’s) as soon as you wipe out malware from your smartphone.