Table of Contents
  • Home
  • /
  • Blog
  • /
  • 9 Android Apps Stealing Facebook Password Found On The Play Store!
July 5, 2021
|
5m

9 Android Apps Stealing Facebook Password Found On The Play Store!


9 Android Apps Stealing Facebook Password Found On The Play Store

Cybersecurity researchers discovered nine android apps stealing the Facebook passwords of their users. The apps were removed from the Play store in response to the password-stealing campaign. However, the users who downloaded the apps are still prone to the password-stealing campaign. 

Victim Of These Nine Apps Stealing Facebook Password:

The research didn’t reveal the attacks on any particular users belong to a specific geo location. However, It’s been said that more than 5,856,010 users have downloaded these apps stealing Facebook passwords from Google’s play store. 

List Of Apps Stealing Facebook Passwords On The Play Store:

Here are the nine apps Doctor Web found on the Play store. See your phone for these apps Immediately and remove them if installed. Most importantly, rest your Facebook password if you haven’t done it yet.

Fig #1: 9 apps stealing Facebook password

  • PIP Photo (>5,000,000 Downloads): An image editing app that was spread by the developer Lillians.

  • Processing Photo (>500,000 installs): A photo-editing software that was spread by the developer chikumburahamilton.

  • Rubbish Cleaner (>100,000 installs): A utility to optimize the Android device performance from the developer SNT.rbcl.

  • Horoscope Daily (>100,000 installs): An astrology program developed by HscopeDaily momo.

  • Inwell Fitness (>100,000 installs): A fitness program from the developer Reuben Germaine.

  • App Lock Keep (50,000 installs): A app developed by Sheralaw Rence.

  • App Lock Manager (10 installs): Developed by Implummet col.

  • Lockit Master (5,000 installs): Developed by Enali mchicolo.

  • Horoscope Pi (>1,000 installs): An astrology program developed by Talleyr Shauna.

How Do These Apps Steal Facebook Passwords?

Attackers have used Android’s play store to launch the password-stealing campaign. Password stealer trojans were used as a harmless application to steal the Facebook password.

Fig #2: Prompting Facebook login

  1. Authors have published the fully functional applications with the same Trojans, which have identical configuration file formats and identical JavaScript scripts to steal user data.

  2. That application was made to prompt Facebook login to access all of the app’s functions and disable in-app ads.

  3. If users agreed and clicked the Facebook login button, they saw the standard Facebook login form as shown.

  4. In fact, the apps have displayed a genuine login form. However, trojan in the app will get the necessary settings from the C&C servers immediately after launch. It loads the legitimate Facebook web page https://www.facebook.com/login.php into WebView along with the JavaScipt downloaded from the C2 servers into the same page.

  5. Attackers will use the same JavaScript to hijack the user-entered credentials. The script transfers the stolen credentials to the trojan applications, transferring the data to the attacker’s C2 server.

  6. After successful login to the Facebook account, the trojans will capture the session cookies from the current authorization session.

  7. Attackers have been targeted to steal the credentials of Facebook accounts. However, trojan settings are easily customizable to replace Facebook with any other legitimate web service or fake phishing site.

Fig #3: Loading Facebook login web form

Countermeasures:

When it comes to deal with any such password-stealing campaign, we would suggest you to do three basic things:

  1. Uninstall the applications from the device.

  2. Reset the web service password, Facebook in this case.

  3. Install a good premium anti malware solution to scan and remove the malwares.

Identified Indicator Of Compromise (IOC) Apps Stealing Facebook Password:

IOCs indicators of compromise. If you found any of these files on your Android device, which has the corresponding SHA-1 hash, take the countermeasures without delay. Additionally, if you notice your Android phone has communicated to these URLs at any point in time, it’s clear that your phone is compromised. The verification process needs some technical knowledge to check the file fingerprints and communication with the URLs. You can leave this section if you are not from a technical background. We feel it’s our duty to give the details as much as we can.

IOCs:

SHA-1Application namePackage namePackage versionDeveloper
d8f941f6a8dbda39a881ad2a1661e3227e3f8f18App Lock Keepcom.enab.lockkeep1.0.6Sheralaw Rence
8f30f3f176613dbc14aa29bfb3c952b6eb046da3Processing Photocom.pcnts.splicingpp1.2chikumburahamilton
de2ac7091b7c51d0b7e1e9c31d5e8d9aa863aa5cRubbish Cleanercom.snt.rubbishcleaner1.5.1SNT.rbcl
b2d07ac10bba9839fd8a0ccd7a7dcd08b508140bHoroscope Dailycom.cgi.ygk.iozwrku.izgzw1.0HscopeDaily momo
de93c1c7a0c03ecf79179d2296008f93f48fdcaaHoroscope Picom.iigxuq.xueqe.horoscopepi2.4.56Talleyr Shauna
d68717837c3b3ec7fd95a6b776ec96bef7344928App Lock Managercom.oimjqcnw.mngyz.kqhcrpy.xdrzs007.xyzImplummet col
5a3d2917fe987dea35d1aa4b089743d168a71415Lockit Mastercom.svbo.oypvn.otpl1.3Enali mchicolo
903fcfba98f32b00badcec5976a4b401b994be7eInwell Fitnesschv.jrd.axiyby.ojs.xevjo1.1Reuben Germaine
f7d6462d16e8c0c81634e8812ae1b19a59bede26EditorPhotoPipcom.viewedites.showimg1.1Laurense
2b931978aaee9e2a9d35b1f8bf35a9b89b74d2faPIP Photocom.piphoto.pipsapp1.1.0Lillians
8b0451ee56e8a5805b1c501d48066d2cb89e41a5PIP Photocom.piphoto.pipsapp

URLs:

data.applockkeep.xyzshop.vfgrl.comwap.inwellfitness.xyzcc.horoscopemagic.xyzmxi.applockmaster.xyzmm.superbrightflashlight.xyzwap.lockitmaster.xyzdata.horoscopedaily.xyz

IPs:

108.160.132.1545.32.110.28

Thanks for reading this post. Please share this post to all android users and create a awareness about the apps stealing Facebook password and this password stealing campaign.

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Threats

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe