This application, downloaded more than 100,000 times, steals all your passwords: uninstall it as soon as possible


Alexander Boero

March 22, 2022 at 11:35 a.m.


Screenshot of the malicious application (© Pradeo)

Android malware dubbed Facestealer is rampant on the Play Store
and has the unpleasant habit of taking over its victims’ Facebook
accounts.

Spyware named Facestealer has been discovered in recent days by several companies specializing in computer security, such as Pradeo or Malwarebytes Labs, after being installed by more than 100,000 users who fell into the trap while using the Google Play Store. The malware uses social engineering to compromise users’ Facebook accounts. Let’s see what it is in detail.

Hackers were using a fake Facebook login screen to access the account from the fraudulent app

Distributed on Android via the Play Store, the Facestealer malware (detection name Android/Trojan.Spy.Facestealer) was originally presented as an ordinary cartoon-style application called “Craftsart Cartoon Photo Tools”, whose principle is simple: the user uploads an image or a photo, and the application converts it into a cartoon image. It is a real trend among mobile users, and one that hackers do not hesitate to exploit.

As is often the case when you use a mobile application, it asks you to link your Facebook account to it, for example to obtain certain advantages. Sometimes linking the Facebook account to the application is mandatory. This is when the malware does its thing: the Facebook login page does not really come from the social network but from the hackers, who use a true-to-life Facebook login screen to steal the user’s username and password.

So why take possession of the victims’ Facebook accounts? Hackers use these accounts in different ways. They may send phishing links, spread false information using legitimate accounts, or commit fraud and other financial scams. In addition to the Facebook account, the hackers also seize elements such as the IP address of the device used by the victim, as well as credit card information (if it has been entered), all conversations, searches and more.

The app, which has been installed over 100,000 times, was removed from the Play Store on March 22

This malicious app, which was removed from the Play Store on March 22, has been installed at least 100,000 times, so potentially tens of thousands of people around the world have fallen into Craftsart’s trap. To slip through the cracks on Android, the hackers injected a small piece of code that allows the application to live quietly on the Google application store, which we know is less restrictive from a security standpoint than its competitor, the App Store.

According to Pradeo, which has done extensive work on this spyware, the Craftsart Cartoon Photo app “establishes connections to a domain registered in Russia”. The company indicates that this domain has now been used for 7 years, but only intermittently. It is linked to several rogue mobile applications, which fortunately have now all been removed from the Play Store.

Source: Pradeo, Malwarebytes Labs


