Android apps with over 5.8 million downloads caught stealing users’ Facebook passwords

Android apps with over 5.8 million downloads caught stealing users’ Facebook passwords
Representational image.Unsplash
  • Most of these trojan apps offered photo editing and app lock features.
  • These apps asked users to sign in with Facebook to unlock features and disable in-app advertisements.
  • If you used these apps and logged in with your Facebook account, you may want to change your passwords now.
Google has been emphasising its work on improving Android security with various measures over the past few years, but there’s still a lot left to be done. A new research report has revealed that Android apps with over 5.8 million downloads on the Google Play store have been caught stealing users’ Facebook passwords.

Security firm Doctor Web has published a report that identifies these 9 trojan apps which offered photo editing and app lock features. All these apps were found on the Google Play store, amassing nearly 6 million downloads amongst themselves.

The report goes on to add that Google had only removed some of these apps from the Play store, as of July 1, 2021, when the report went live.

Complimentary Tech Event
Transform talent with learning that works
Capability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More
PIP Photo app was the most downloaded among these apps, with 5 million downloads of its own.

How did these apps steal Facebook passwords?

All the apps mentioned in the report offered real features, causing the unsuspecting users to trust them. They even allowed users to unlock more features and disable in-app advertisements by logging into their Facebook accounts.

These apps exploited the widespread use of Google and Facebook login – something that is offered by many apps and games – to steal passwords of unsuspecting users.

The research firm describes the exploit mechanism below:

“After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page into WebView.

Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials.

After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed the stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server.

After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.”

Here are the trojan apps mentioned in the report

If you have any of these apps installed on your phone, you may want to uninstall them:

  1. PIP Photo
  2. Processing Photo
  3. Rubbish Cleaner
  4. Horoscope Daily
  5. App Lock Keep
  6. Lockit Master
  7. Horoscope Pi
  8. App Lock Manager
  9. Inwell Fitness
As of July 5, Google has removed all of these apps from the Play Store. In addition to this, according to an Arstechnica report, Google has also banned the developers of these apps, meaning they cannot submit any new apps.

In case you downloaded these apps and used the Facebook login option, it is recommended that you unauthorize these apps from your Facebook account and change your password.


A COVID-19 SMS malware is targeting users in India as they look for alternatives to CoWIN for vaccine registration

A fake coronavirus tracking app is actually ransomware that threatens to leak social media accounts and delete a phone's storage unless a victim pays $100 in bitcoin

Hackers are using these fake coronavirus maps to give people malware