Trend Micro researchers reported detecting more than 200 apps on the Google Play Store infected with malware that specializes in stealing login information.
They also report the existence of around 40 malicious apps that target cryptocurrency users.
Spyware that specializes in stealing Facebook credentials
In July 2021, Dr.Web already reported the existence of Facestealer, a spyware whose main objective is to steal the Facebook credentials of the users of the applications on which it hides. Malware still active therefore, since Trend Micro researchers have detected more than 200 applications previously present on the Google Play Store which contained it. In their paper, the researchers indicate that, like Joker, another malware that haunts Google’s app store, Facestealer’s code changes regularly, which can make it difficult to detect.
Here, the spyware was found in several types of applications: VPNs (42), photo editing software (13), cameras (20) or even fitness apps. As soon as the user launches the infected application, he is prompted to log in using his Facebook account. The malware then launches a WebView to load a web page into which it injects JavaScript code to steal user credentials. Hackers then use this data to conduct phishing campaigns, create fake posts or create advertising bots on the social network.
Trend Micro named some of the infected apps:
- Daily Fitness OL
- Enjoy Photo Editor
- Panorama Camera
- Photo Gaming Puzzle
- Swarm Photo
- Business Meta Manager
Cryptocurrency users increasingly targeted by hackers
In addition to Facestealer, Trend Micro also claims to have found more than 40 fake cryptocurrency mining apps. This is not the first time that the company’s researchers have made this kind of discovery. Indeed, in 2021, they were already reporting the existence of similar applications. But, where previously they tried to trick users into subscribing to paid services or clicking on advertisements, these new versions go further.
One of them, “Cryptomining Farm Your own Coin”, only serves to redirect users to a website, where they are asked to log into their wallet and enter their private keys under the guise of mining crypto. -currencies. If the site says private keys won’t be stored, that’s obviously wrong. The researchers detected that these were sent and stored in the clear on the servers of the malicious actors. The site also steals users’ passphrases, allowing them to take control of their wallets.
All of these apps have since been removed from the Google Play Store. If any of the described behavior resembles that of an application that you have downloaded, check if it is still present on the Play Store and delete it from your phone.
On the same subject :
Beware of malware hidden in PDF files available via Google
Sources: The Hacker News, Trend Micro
10