Russian antivirus firm Dr. Web reported last Thursday, July 1, that it had discovered 10 Android apps with embedded malware that allowed those apps to steal Facebook logins and passwords. Nine of these were directly available on the Play Store, while one had been removed prior to the report but was still available on “software aggregator websites.”
While the Play Store is not generally known for having very strict app filtering processes, especially compared to Apple’s App Store, what’s alarming is that these 10 apps had been downloaded about 5.8 million times. It was only after Dr. Web made the report to Google that the trojan apps were weeded out.
Of the 10 apps, the image editing program “PIP Photo,” by developer Lillians, was downloaded 5 million times. It contained the malware Android.PWS.Facebook.17 and Android.PWS.Facebook.18.
Here are the nine other apps named by Dr. Web:
- Photo-editing software “Processing Photo” by developer chikumburahamilton – 500,000 downloads
- Access manager “App Lock Keep” by Sheralaw Rence – 50,000 downloads
- Access manager “App Lock Manager” by implummet col – 10,000 downloads
- Access manager “Lockit Master” by Enali mchicolo – 5,000 downloads
- Performance optimizer “Rubbish Cleaner” by SNT.rbcl – 100,000 downloads
- Astrology program “Horoscope Daily” by HscopeDaily momo – 100,000 downloads
- Astrology program “Horoscope Pi” by Talleyr Shauna – more than 1,000 downloads
- Fitness program “Inwell Fitness” by Reuben Germaine – 100,000 downloads
- EditorPhotoPip – removed from Play Store prior to Dr. Web report
While they may be gone from the Play Store, users should check if they have these apps installed to eliminate the chance of these apps stealing their Facebook credentials.
The apps phished for credentials by prompting users to log into the app using Facebook in order to access all of the apps’ functions and to disable in-app ads. The apps then stole the credentials the user entered.
Dr. Web said that the apps were also fully functional, and indeed contained ads to encourage victims to log in.
Dr. Web also noted that the Facebook log-in form, shown below, to which victims were led was genuine. But the trojan app also loaded another layer on the form that hijacked the credentials, which it then transferred to the hacker’s server.
The hackers could also control the app remotely, and possibly launch a fake phishing page to acquire log-ins to other online services aside from Facebook.
Dr. Web noted the apps had the ability to output the data into the log in Chinese, possibly hinting at the app’s origin.
These findings again serve as warnings for users to not easily trust apps even if they’re on the official app store. Check who the developer is, and check what the reviews are saying. That one of the apps was able to reach 5,000,000 downloads means trending apps could also possibly carry malware. – Rappler.com