Google has removed nine apps from the Google Play app store after researchers at the anti-virus company Dr Web found malware hidden in them. According to the security company, the nine apps had 5,856,010 downloads and possessed the ability to access users’ Facebook credentials through a sophisticated technique. These apps purportedly offered full functionality, such as photo editing, app locker, horoscope updates, and more. Notably, all the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. After users provided login details on the seemingly ‘genuine’ Facebook page, bad actors stole these credentials. The report does not highlight the number of users affected, but given the scale of collective downloads, the number could be in the hundreds.
Dr Web shared the development in a blog post, which notes that the most downloaded app was a photo-editing program called PIP Photo, with over 5,000,000 downloads. Another photo-editing app, Processing Photo by developer ‘chikumburahamilton,’ clocked over 500,000 downloads and was detected as Android.PWS.Facebook.13. The nine malicious apps include three ‘folder protection’ apps: App Lock Keep from the developer Sheralaw Rence, App Lock Manager from the developer Implummet col, and Lockit Master from the developer Enali mchicolo, all detected as Android.PWS.Facebook.13 malware. These three apps collectively had over 50,000 total downloads. Rubbish Cleaner from the developer SNT.rbcl, a utility to optimise Android phone performance, had over 100,000 downloads. The astrology apps include Horoscope Daily by HscopeDaily momo and Horoscope Pi from the developer Talleyr Shauna, with over 100,000 hits. Lastly, a fitness program called Inwell Fitness, detected as Android.PWS.Facebook.14, had more than 100,000 downloads. Dr Web notes that it discovered an earlier modification that was spread through Google Play under the guise of an image-editing program called EditorPhotoPip, which has already been removed from the official Android app store but could still be available via third-party websites.
Beyond stealing Facebook login credentials, the attackers could easily have changed the trojans’ settings and commanded them to load the web page of another legitimate service, say Twitter or Gmail. This way, hackers could’ve accessed the credentials of multiple websites. Android users must delete these apps from their smartphones as soon as possible. The security company highlights that users must download apps from trusted developers.