Google removed an app that had more than 100,000 downloads from its Play Store after security researchers reported that the app in question was capable of harvesting users’ Facebook credentials.
Researchers from French mobile security company Pradeo said the app contained a malicious Trojan known as “Facestealer”. This encourages its future victims to enter their Facebook identifiers on a web page, before it transmits them to the server of the group of pirates, located on a domain registered in Russia. “Our research shows that this domain has been used for seven years, intermittently, and that it has been connected to multiple mobile applications which were available on Google Play for a while and then deleted”, argue the French researchers.
If a user adds their credentials, the creators of the Android app can then have full access to victims’ Facebook accounts, including payment information linked to the account, as well as users’ conversations and searches. , Pradeo researchers say. “The app mimics the behavior of legitimate photo editing apps. In fact, it was injected with a small piece of code that easily slips under the radar of store saves,” the French company says in a blog post.
An application downloaded 100,000 times
The application, dubbed “Craftsart Cartoon Photo Tools”, has until now presented itself as a tool allowing its users to “transform amazing images from real cameras into paintings and cartoons” thanks to advanced artificial intelligence. powered by machine learning. “To reach a wide audience and conceal its illegal activities, it mimics the behaviors of popular photo editing apps. In reality, it was injected with short lines of code that easily go unnoticed during store security checks,” Pradeo teams explain.
“We have alerted the Google Play team of our discovery and we advise users of this application to delete it immediately”, specify the latter.
Still, the facade didn’t take long to be questioned by users themselves, who had detected issues with the app and criticized it accordingly, validating the importance for users to always read the reviews before installing an application.
The Play Store is not immune
“Totally false. The way the publicity was done seems helpful. Then check out just a few filter effects for any photo,” one app user wrote in March. “No caricatures anywhere. Don’t download,” another user criticized. Once users open the fake photo-editing app, it opens a Facebook login page that asks them to identify themselves before they can use the app. The credentials are then passed to the application owner’s server.
While Google encourages Android users to only install apps from its app store, research has already shown that malicious apps can find their way everywhere, including to the Google Play store.
This is not the first time that Pradeo has spotted malicious apps. In December, the French company had already sounded the alarm about the Joker malware, distributed on the Play Store and installed by more than 500,000 users. This rogue app attempted to scam users by offering premium mobile services and unwanted advertisements.