Android apps caught stealing Facebook Passwords. Removed from Play store.

Hello World!

Google has recently announced that it has removed 9 apps that were harvesting users' Facebook credentials, with an estimated 5.8 million users affected.

The list of apps is as follows:

  • PIP Photo (>5,000,000 installs)
  • Processing Photo (>500,000 installs)
  • Rubbish Cleaner (>100,000 installs)
  • Horoscope Daily (>100,000 installs)
  • Inwell Fitness (>100,000 installs)
  • App Lock Keep (50,000 installs)
  • Lockit Master (5,000 installs)
  • Horoscope Pi (>1,000 installs)
  • App Lock Manager (10 installs)

The apps themselves were fully functional; the attack was carried out by tricking “victims into logging into their Facebook accounts and hijacking the entered credentials via a piece of JavaScript code received from an adversary-controlled server.”

Effectively, these apps were acting as Trojan horses: they presented adverts that led victims to perform the actions needed to open the communication channel and hijack the Facebook logins. As the source article notes, although this campaign targeted Facebook credentials only, there is no limit to which legitimate applications might be targeted by this method in the future.

Google has also announced that it will require developers on its Play Store platform to use 2-Step Verification (2SV), which means developers will basically have to register themselves with Google: who they are, where they live, what they do and so forth… There may be some mixed feelings here about privacy, but it is certainly a good step for security.

“Never underestimate a developer with a deadline.”