
Malicious Android Apps are stealing your Facebook Username and Password (Facestealer)

SecneurX malware analysts have discovered malicious apps on the Google Play store that steal Facebook usernames and passwords. SecneurX's specialists reported these apps and their Indicators of Compromise (IOCs) to the Google Play and Android Security Team, and the apps have been removed from the Play store. As per our analysis, these malicious apps had been installed by more than 150,000 users.

About the malicious apps:

These malicious apps are general-purpose apps that look and feel like any other app on the Play store. Once installed, they show a tempting prompt: you can remove ads by logging in with your Facebook account. The app then opens the real Facebook login page in an in-app web view for you to enter your details, and JavaScript injected into that page captures the keystrokes and steals your credentials. Attackers can then use those credentials to break into the account, steal identities, and so on.

Facestealer malicious app prompting Facebook login

Package names:

Below is a list of package names of some of the apps, all of which have now been removed from the Play store.

com.piphoto.pipsapp
com.gzImgadd.imgedit
com.coolcall.callshow
com.userflash.flash_super
com.likefile.superfile
com.papalai.popularemoji
com.splicteout.photocolleger
com.frames.pip.framepip
com.image.education.photosynthesis
com.speederx.mars
com.shu.guangzhou.myablum
com.alabo.small.personals
com.sanheng.small.personals
com.sanheng.small.tiantuapp

Our Analysis:

When the user launches the malicious app, it displays the genuine Facebook login screen as a popup, as shown below, with a message asking the user to log in in order to disable ads.

The Facebook login page looks genuine because it is the real page; the attack is that the app injects malicious JavaScript into it to capture the keystrokes, so the effect is the same as a phishing page. A correct Facebook URL or a familiar-looking form is therefore no proof that the surrounding app is safe.

Facestealer malware displaying Facebook login popup

Let's look at how one of these applications works.

Example: com.papalai.popularemoji (SHA-256: 9f8bc0c7103dd1eed20d8429f6bc36e1c24b63846527817d224c863bd12b7cac)

Below are the malicious communications to C2 from this app.

Facestealer malicious C2 communication from infected app

The C2 response contains the JSON-escaped string \u8bf7\u6c42\u6210\u529f, which decodes to 请求成功 ("request succeeded"). This exchange is the app's initial beacon to the C2 server.

Facestealer POST request containing appID and package name sent to C2

The POST request body contains the appID and the package name. Once the Facebook credentials are entered, the app sends them to the C2 server. This campaign has been active since November 2020. We have also observed variants of this malware that communicate with the C2 over HTTPS.

Indicators of Compromise

Domains
data.horoscopepink[.]xyz
wap.horoscopeplus[.]xyz
wap.horoscopemagicx[.]xyz
app.applockit[.]xyz
data.applockkeep[.]xyz
api.fitnesstrackerx[.]xyz
api.adsrich[.]com
api.bluefridayltd[.]com
api.jlmjfyd[.]com
comm.llfrgb0[.]top

IP Addresses
45[.]32[.]41[.]55
207[.]148[.]115[.]79
207[.]148[.]109[.]165
139[.]180[.]144[.]128
149[.]28[.]145[.]37
66[.]42[.]56[.]211
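As an added example (not SecneurX's tooling and not code from the original post), the following Python script turns the defanged indicators above back into matchable form, decodes the JSON-escaped beacon acknowledgement described in the analysis, and flags proxy log lines that talk to a listed C2 domain or IP. The log format, the sample lines, and the JSON wrapper around the escaped message are constructed for the demo; they are not observed traffic, and LOG_RE should be adapted to the format your proxy actually writes.

```python
"""Match the Facestealer IOCs against HTTP proxy logs (added example, not the post's code)."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Domains and IPs exactly as published in the post, in defanged '[.]' form.
DEFANGED_DOMAINS = [
    "data.horoscopepink[.]xyz", "wap.horoscopeplus[.]xyz", "wap.horoscopemagicx[.]xyz",
    "app.applockit[.]xyz", "data.applockkeep[.]xyz", "api.fitnesstrackerx[.]xyz",
    "api.adsrich[.]com", "api.bluefridayltd[.]com", "api.jlmjfyd[.]com", "comm.llfrgb0[.]top",
]
DEFANGED_IPS = [
    "45[.]32[.]41[.]55", "207[.]148[.]115[.]79", "207[.]148[.]109[.]165",
    "139[.]180[.]144[.]128", "149[.]28[.]145[.]37", "66[.]42[.]56[.]211",
]

# The C2 answers the first beacon with JSON-escaped Chinese meaning "request succeeded".
BEACON_OK = "请求成功"


def refang(ioc: str) -> str:
    """Reverse the '[.]' defanging so the indicator can be compared with live data."""
    return ioc.replace("[.]", ".")


C2_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
C2_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}


def decode_escaped(text: str) -> str:
    """Resolve \\uXXXX escapes (as seen in the C2 reply) into the characters they encode."""
    # backslashreplace keeps any non-Latin-1 characters intact through the round trip.
    return text.encode("latin-1", "backslashreplace").decode("unicode_escape")


def is_beacon_reply(body: str) -> bool:
    """True when a response body carries the C2's 'request succeeded' acknowledgement."""
    return BEACON_OK in decode_escaped(body)


def c2_hit(host: str) -> Optional[str]:
    """Return 'domain' or 'ip' when host is a published C2 indicator, else None."""
    host = host.lower().rstrip(".")
    if host in C2_DOMAINS:
        return "domain"
    try:
        return "ip" if ipaddress.ip_address(host) in C2_IPS else None
    except ValueError:  # not an IP literal
        return None


# Constructed log format: timestamp, client IP, method, URL, status, response body snippet.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) (?P<body>.*)$"
)


def scan_log(text: str) -> list:
    """Return one record per log line whose destination is a known Facestealer C2."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        kind = c2_hit(host)
        if kind is None:
            continue
        hits.append({
            "ts": m["ts"], "src": m["src"], "host": host, "match": kind,
            "method": m["method"], "beacon_ack": is_beacon_reply(m["body"]),
            "decoded_body": decode_escaped(m["body"]),
        })
    return hits


# Constructed sample: one client beacons to a listed domain and receives the escaped
# acknowledgement, then posts to a listed IP; the Facebook and example.com lines are benign.
SAMPLE_LOG = r"""
2021-05-03T10:12:01Z 10.0.0.23 POST http://api.adsrich.com/ 200 {"msg":"\u8bf7\u6c42\u6210\u529f"}
2021-05-03T10:12:02Z 10.0.0.23 GET https://m.facebook.com/login.php 200 -
2021-05-03T10:12:40Z 10.0.0.23 POST http://45.32.41.55/ 200 -
2021-05-03T10:13:00Z 10.0.0.24 GET https://www.example.com/ 200 -
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} -> {h["host"]} ({h["match"]}) beacon_ack={h["beacon_ack"]}')
```

Matching on the hostname rather than on the raw URL avoids false negatives from differing paths, and the `beacon_ack` flag lets a responder distinguish the first check-in from later credential uploads, which the post describes as separate requests to the same infrastructure.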

Verdict:

These apps do what they claim to do, but trick their users into revealing their Facebook login credentials.

Status:

These apps have been removed from the Google Play store after SecneurX experts reported them, but the campaign is still active. Users are therefore advised to take the utmost caution when logging in to Facebook from within other Android applications.