Android Apps with 6.5 Million Downloads Stole Facebook Passwords: Study

Google has purged nine Android apps with over 6.5 million combined downloads from its Play Store after research from security firm Dr. Web found that all nine apps were stealing users’ Facebook login credentials, Ars Technica reports.

Each of the nine apps named in Dr. Web’s original post was recording users’ Facebook passwords under the guise of providing the services you would expect from apps of their kind, from photo editing and framing to horoscopes, junk file removal, and more.

Google’s Play Store is no stranger to blatantly malicious apps. However, all of these apps were fully functioning — hence they were downloaded millions of times by Android users.

On the surface, the apps were supported by ads. However, users were provided with the option to disable in-app ads by logging into their Facebook accounts. No harm there, right?

Users who opted to disable in-app ads would see a genuine Facebook login form, but malware embedded within the apps would hijack their login credentials (Facebook username and password) when they submitted the login form, passing the stolen information on to those who masterminded the entire ploy.

Researchers found that each of the five trojan variants embedded in the apps was programmed to steal login credentials for Facebook accounts. However, the same malicious elements could have been used to steal login credentials for any other service.

The nine offenders named in the study included:

  • PIP Photo (5.8 million+ downloads)
  • Processing Photo (500,000+ downloads)
  • Rubbish Cleaner (100,000+ downloads)
  • Inwell Fitness (100,000+ downloads)
  • Horoscope Daily (100,000+ downloads)
  • App Lock Keep (50,000+ downloads)
  • Lockit Master (5,000+ downloads)
  • Horoscope Pi (1,000 downloads)
  • App Lock Manager (10 downloads)

Google has since removed all offenders from the Play Store.

A Google spokesman also stated that the company has permanently banned the developer accounts that submitted all nine apps to the Play Store, but that isn’t much of a setback for the cybercriminals, as a new developer account costs only $25 to create.

So much for Google’s claims of Android phones being just as secure as iPhones. If you have downloaded any of the apps listed above, be sure to check your device and Facebook account for any signs of compromise, and reset your Facebook password as a precaution.