SecneurX malware analysts have discovered malicious apps on the Google Play Store that steal Facebook usernames and passwords. SecneurX's specialists reported these apps and their Indicators of Compromise (IOCs) to the Google Play and Android Security Team, and the apps have since been removed from the Play Store. As per our analysis, these malicious apps were installed by more than 150000 users.
About the malicious apps:
These malicious apps are general-purpose apps that look and feel like any other app on the Play Store. Once installed, they prompt the user with a tempting dialogue offering to remove ads if the user logs in with their Facebook ID. The app then pops up the genuine Facebook login screen for the user to enter their details, captures the keystrokes, and steals the credentials. Attackers can then use that information to break into the account, attempt identity theft, and so on.
Below is the list of package names of some apps that have now been removed from the Play Store.
com.piphoto.pipsapp
com.gzImgadd.imgedit
com.coolcall.callshow
com.userflash.flash_super
com.likefile.superfile
com.papalai.popularemoji
com.splicteout.photocolleger
com.frames.pip.framepip
com.image.education.photosynthesis
com.speederx.mars
com.shu.guangzhou.myablum
com.alabo.small.personals
com.sanheng.small.personals
com.sanheng.small.tiantuapp
When the user launches the malicious app, it displays the genuine Facebook login screen as a popup, as shown below, with a message asking the user to log in in order to disable ads.
Let's see how these applications work.
Example: com.papalai.popularemoji (SHA-256: 9f8bc0c7103dd1eed20d8429f6bc36e1c24b63846527817d224c863bd12b7cac)
Below are the malicious communications from this app to its C2 server.
The C2 response contains the escaped string \u8bf7\u6c42\u6210\u529f, which decodes to 请求成功 ("Request succeeded"). This exchange is the app's initial beacon to the C2 server.
The POST request body contains the appID and the package name. Once the Facebook credentials are entered, the app sends them to the C2 server. This campaign has been active since Nov 2020. We have also observed variants of this malware that communicate with the C2 over HTTPS.
Indicators Of Compromise (IOC)
126.96.36.199
188.8.131.52
184.108.40.206
220.127.116.11
18.104.22.168
22.214.171.124
data.horoscopepink.xyz
wap.horoscopeplus.xyz
wap.horoscopemagicx.xyz
app.applockit.xyz
data.applockkeep.xyz
api.fitnesstrackerx.xyz
api.adsrich.com
api.bluefridayltd.com
api.jlmjfyd.com
comm.llfrgb0.top
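As an added example (not part of the SecneurX report), the following Python script shows how a defender can put the indicators above to work: it decodes the \uXXXX-escaped C2 reply quoted in the traffic analysis, scans constructed proxy log lines for the listed C2 hosts and IPs, and looks for the listed package names in a captured POST body. The log line format, the sample POST body and its key names are assumptions made for the example; the indicators and package names come from this page.

```python
import re

# Indicators from the advisory above: C2 hosts, C2 IPs and malicious package names.
IOC_HOSTS = {
    "data.horoscopepink.xyz", "wap.horoscopeplus.xyz", "wap.horoscopemagicx.xyz",
    "app.applockit.xyz", "data.applockkeep.xyz", "api.fitnesstrackerx.xyz",
    "api.adsrich.com", "api.bluefridayltd.com", "api.jlmjfyd.com", "comm.llfrgb0.top",
}
IOC_IPS = {
    "126.96.36.199", "188.8.131.52", "184.108.40.206",
    "220.127.116.11", "18.104.22.168", "22.214.171.124",
}
MALICIOUS_PACKAGES = {
    "com.piphoto.pipsapp", "com.gzImgadd.imgedit", "com.coolcall.callshow",
    "com.userflash.flash_super", "com.likefile.superfile", "com.papalai.popularemoji",
    "com.splicteout.photocolleger", "com.frames.pip.framepip",
    "com.image.education.photosynthesis", "com.speederx.mars",
    "com.shu.guangzhou.myablum", "com.alabo.small.personals",
    "com.sanheng.small.personals", "com.sanheng.small.tiantuapp",
}

_UESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_unicode_escapes(payload: str) -> str:
    """Turn JSON-style \\uXXXX escapes back into characters.

    The C2 reply quoted in the advisory, \\u8bf7\\u6c42\\u6210\\u529f, decodes to 请求成功.
    """
    return _UESC.sub(lambda m: chr(int(m.group(1), 16)), payload)


def find_ioc_hits(log_lines):
    """Return (line_number, indicator) for each log line that contacts a known C2 host or IP.

    Lines are split into tokens on whitespace, '/' and ':' and matched exactly, so a
    look-alike such as api.adsrich.com.example is not reported as a hit.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        tokens = set(re.split(r"[\s/:]+", line))
        for ioc in sorted(IOC_HOSTS | IOC_IPS):
            if ioc in tokens:
                hits.append((n, ioc))
    return hits


def find_package_in_body(body: str):
    """Return the malicious package name embedded in a captured POST body, if any.

    The advisory says the body carries an appID and the package name but not the field
    names, so this searches for the package name itself instead of assuming a layout.
    """
    for pkg in sorted(MALICIOUS_PACKAGES):
        if pkg in body:
            return pkg
    return None


# Constructed sample proxy log lines (format assumed: time client method url status).
SAMPLE_LOG = [
    "2020-11-20T08:01:02Z 10.0.0.21 GET http://www.example.com/index.html 200",
    "2020-11-20T08:01:07Z 10.0.0.21 POST http://data.horoscopepink.xyz/ 200",
    "2020-11-20T08:01:09Z 10.0.0.21 POST http://126.96.36.199/ 200",
    "2020-11-20T08:02:15Z 10.0.0.22 GET https://api.adsrich.com.example/ 404",
]
# Constructed sample POST body; the key names appID/pkg are assumptions for this example.
SAMPLE_BODY = "appID=EXAMPLE_APPID&pkg=com.papalai.popularemoji"

if __name__ == "__main__":
    print(decode_unicode_escapes("\\u8bf7\\u6c42\\u6210\\u529f"))
    for n, ioc in find_ioc_hits(SAMPLE_LOG):
        print(f"log line {n}: contacted C2 indicator {ioc}")
    print(find_package_in_body(SAMPLE_BODY))
```

Tokens are matched exactly rather than by substring so that the IOC list can be fed raw proxy or DNS logs without producing hits on unrelated domains that merely contain an indicator as a prefix.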
These apps do what they claim to do, but trick their users into revealing their Facebook login credentials.
These apps have been removed from the Google Play Store after SecneurX experts reported them, but the campaign is still active. Users are therefore advised to take the utmost caution when logging in to Facebook from other Android applications.