Apps With 5.8 Million Google Play Downloads Stole Users' Facebook Passwords

An anonymous reader quotes a report from Ars Technica: Google has given the boot to nine Android apps downloaded more than 5.8 million times from the company's Play marketplace after researchers said these apps used a sneaky way to steal users' Facebook login credentials. In a bid to win users' trust and lower their guard, the apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices, according to a post published by security firm Dr. Web. All of the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a genuine Facebook login form containing fields for entering usernames and passwords.

Then, as Dr. Web researchers wrote: "These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login... into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers' C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals. Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts. However, the attackers could have easily changed the trojans' settings and commanded them to load the web page of another legitimate service. They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service."

The majority of the downloads were for an app called PIP Photo, which was accessed more than 5.8 million times. The app with the next greatest reach was Processing Photo, with more than 500,000 downloads. The remaining apps were: Rubbish Cleaner: more than 100,000 downloads; Inwell Fitness: more than 100,000 downloads; Horoscope Daily: more than 100,000 downloads; App Lock Keep: more than 50,000 downloads; Lockit Master: more than 5,000 downloads; Horoscope Pi: 1,000 downloads; and App Lock Manager: 10 downloads. A search of Google Play shows that all apps have been removed from Play.

Missed by this much.

[Ostracus]

Whew! Good thing no one here uses Facebook. Right?

I keep wondering

[Rosco P. Coltrane]

What do criminals actually do with FB account credentials. What money is there in them?

I can see stealing the account of someone very prominent like a movie star or some high elected official can be of value. But those people aren't likely to download a horoscope app or edit their own selfies. Surely the FB accounts the perps got access to are those of ordinary people of next to no interest or influence to anybody outside their own little circle of friends.

Re:I keep wondering

[peterww]

It's a botnet. You collect the accounts en masse and then sell them on the dark web to the highest bidder. There's lots of things people want real Facebook accounts for. Astroturfing, stoking political dissent, paid fake reviews, spam; convincing "friends" that you're stuck in Chicago O'Hare, your wallet was stolen, and you need $200 fast.

OpenID

[aberglas]

A lot of people also use their Facebook account to log into other services.

Re:

[geekmux]

A lot of people also use their Facebook account to log into other services.

This.

Also highlights the utter stupidity of using Fuckbook creds anywhere outside of Fuckbook.

Re:

[Oligonicella]

Your last five words were unnecessary.

Re:

[geekmux]

...convincing "friends" that you're stuck in Chicago O'Hare, your wallet was stolen, and you need $200 fast.

And of course the texting generation who doesn't actually use a phone for the primary purpose anymore, falls for that stupid shit all the time.

Re:

[stephanruby]

I can see stealing the account of someone very prominent like a movie star or some high elected official can be of value. But those people aren't likely to download a horoscope app or edit their own selfies.

No, but the underage girls Matt Gaetz and Alan Dershowitz like to date might.

Re:I keep wondering

[Opportunist]

Many reasons.

First, Facebook is used more and more as a credential manager for other sites. Many sites offer to "log in with Facebook", thus multiplying the accounts you steal by stealing a single Facebook account.

Then there's ID theft. Given that people pretty much put their life on display in these things, of course set to "private" so no bad people can siphon their info, there's plenty of things to grab here. Add now that a lot of sites still have those insecurity questions like "your pet's name" or "your first car" as password recovery tools, that's another slew of accounts you can hijack that way.

Also, don't underestimate the stupidity of celebrities and how many of them would actually download garbage like that app.

Re:

[nukenerd]

.... someone very prominent like a movie star or some high elected official can be of value. But those people aren't likely to download a horoscope app or edit their own selfies.

No?

putting the crap in app

[Anonymouse Cowtard]

These people deserve this. Anyone who installs a horoscope app deserves to have their creds stolen. They are fools who need to be parted from their money. And fast.

Re:

[Rosco P. Coltrane]

If you throw out everybody who holds irrational beliefs, then most of humanity is good for the trash.

Astrology is one of the most benign belief systems. I'd rather be stuck with someone who reads their horoscope every day than with a religious fundamentalist of any denomination.

Re:

[Ostracus]

Instead you're stuck with the person who'd wish bad things upon his/her neighbors*. Great improvement over the fundamentalist.

*People, who once freed from the restrictions of society have historically done the greatest of tragedies.

Re:

[nukenerd]

Astrology is one of the most benign belief systems.

You realise some people conduct their lives according to astrology just as much as some others do with religion? In Renaissance times many rulers made their decisions by it - that's what the old astronomers like Kepler were employed for.

Re:

[LenKagetsu]

Lacking an agreed-upon book does not make a belief any less irrational or dangerous. If someone was to put "Your spouse will kill you, take action now" under a horoscope you can bet there would be people who take it seriously.

Will Google be held responsible?

[maybe111]

Since they decide what goes in the app/play store?

Surprised this hasn't happened more..

[Vegan Cyclist]

Often when I have to log into FB in an app to connect an account, etc, it's a pretty clunky-looking pop-up, with no way to verify it's actually from FB..even logging in to FB from IG appears suspicious to my eyes. Seems like a fairly trivial way to steal credentials.

Re:

[comodoro]

However the article does not, nor can it, state that this hasn't happened before, only that they discovered it this time. My bet would be that things like this are more common than is apparent. Good work by the researchers though,

This shows you cannot trust any app. Even open source builds cannot be entirely relied upon uness you built them yourself and have studied and understand the source. But they are very safe in comparison. I personally particularly prefer F-Droid on Android.

Sell their details

[NotEmmanuelGoldstein]

... disable in-app ads by logging into ...

Really, that's what it takes for people to sell their online details. A part of cyber-literacy should be: Don't use unsolicited emails or non-purpose apps to log-in to other accounts.

Facebook puts spyware and auto-download in their own apps: What do they think a fly-by-night developer will do? Facebook and friends enable this idiocy by their own attempts to catch more and more data from digital devices. People expect a do-everything app and fail to see the danger when a (photo-editing) app demands permission to everything.

Re:

[Anonymous Coward]

The ads featured Trump products, and we all know people with TDS are both (a) predictable and (b) no longer in control of their emotions/reactions.

Re:

[Ed Tice]

The apps had legitimate uses. People liked them. Forcing people to remember hundreds or thousands of individual passwords with complex requirements encourages sloppy password management. There's a reason that just about every large enterprise relies on identity providers like OKTA. For individual users, Facebook login is as close to a real IDP as you can get. One password that can be complex and secure and you login to other apps using the OAUTH protocol. When you add an "app" on Facebook, you get a n

Re:

[Oligonicella]

Nobody uses FB to login to banks!

Cite.

Re:

[Ed Tice]

I can't prove a negative. But I've never heard of such a thing. And I have talked to CSO/CISOs at a number of banks. Absence of evidence is not evidence of absence. Do you have an example of banks that use Facebook login? I have accounts at a half a dozen or so plus my online mortgages and have never been offered the option.

Why ...

[Anne Thwacks]

... were law enforcement not told and the perps jailed before the apps (and evidence) was removed?

Why is Google not on a "conspiracy to defraud" charge?

Do you even have law enforcement in America?

Re:

[rmdingler]

Do you even have law enforcement in America?

Why, yes, we certainly do. In fact, the sheer number of videos of them being uploaded to the internet is fast approaching cats and porn.

The last four words

[raymorris]

> Do you even have law enforcement in America?

Yep, there's law enforcement in America.
There are bad guys in Russia, China, and *stan.
Therein lies the problem.

Welcome to the internet.

Fully functioning!!

[enriquevagu]

I would give my Facebook password away for a fully functioning horoscope service.

Re:

[NFN_NLN]

> a fully functioning horoscope service

If by fully functioning you mean able to predict the future. Then me too.

But... but...

[Opportunist]

But we just learned that Apple can't open its store or else such a thing would happen [slashdot.org]!

Tim? Any statement on this?

next step

[John-after-logtime]

I assume the next step was to determine your bank and make a fake page for that too.