Jump to content
  • Android password-stealing malware infects 100,000 Google Play users

    Karlston

    • 424 views
    • 4 minutes
     Share


    • 424 views
    • 4 minutes

    A malicious Android app that steals Facebook credentials has been installed over 100,000 times via the Google Play Store, with the app still available to download.

     

    The Android malware is disguised as a cartoonifier app called 'Craftsart Cartoon Photo Tools,' allowing users to upload an image and convert it into a cartoon rendering.

     

    Over the past week, security researchers and mobile security firm Pradeo discovered that the Android app includes a trojan called 'FaceStealer,' which displays a Facebook login screen that requires users to log in before using the app.

     

    login.jpg

    App requesting the user to login on Facebook (Pradeo)

     

    According to Jamf security researcher Michal Rajčan, when users enter their credentials, the app will send them to a command and control server at zutuu[.]info [VirusTotal], which the attackers can then collect.

     

    In addition to the C2 server, the malicious Android app will connect to www.dozenorms[.]club URL [VirusTotal] where further data is sent, and which has been used in the past to promote other malicious FaceStealer Android apps.

     

    c2-server-android.jpg

    Sending data to dozenorms[.]club server
    Source: BleepingComputer

     

    As Pradeo explains in its report, the author and distributor of these apps appear to have automated the repackaging process and inject a small piece of malicious code into an otherwise legitimate app.

     

    This helps the apps get through the Play Store vetting procedure without raising any red flags. As soon as the user opens it, they are not given any actual functionality unless they log in to their Facebook account.

     

    However, once they log in, the app will provide limited functionality by uploading a specified image to the online editor, http://color.photofuneditor.com/, which will apply a graphics filter to the picture.

     

    This new image will then be displayed in the app, where it can be downloaded by the user or sent to friends.

     

    As many apps unnecessarily require users to log in to a server, in many cases Facebook, users have become numb to these login prompts and more commonly input their credentials without suspicion.

    Signs of trouble

    As popular and fun as these cartoonifier apps may be, people should be extra cautious when installing software that requires them to input sensitive information such as biometric data (images of their faces).

     

    These apps perform the image alterations and apply filters on a remote server, not locally on the device, so your data is uploaded to a remote location and is at risk of being kept indefinitely, shared with others, resold, etc.

     

    Since the particular app is still on the Play Store, one may automatically assume that the Android app is trustworthy. But unfortunately, malicious Android apps sometimes sneak into Google Play Store and remain until they are detected from bad reviews or discovered by security companies.

     

    However, it is possible to spot scammy and malicious apps in many cases by looking at their reviews on Google Play.

     

    As you can see below, the user reviews for 'Craftsart Cartoon Photo Tools' are overwhelmingly negative, totaling a score of only 1.7 stars out of a possible five. Furthermore, many of these reviews warn that the app has limited functionality and requires you to sign in to Facebook first.

     

    reviews(1).jpg

    User reviews on the Play Store

     

    Secondly, the developer's name is 'Google Commerce Ltd', which indicates it is is developed by Google. Also, the listed contact details include a random person's Gmail email address, which is a big red flag.

     

    details(1).jpg

    App details on the Play Store

     

    We have visited the developer's page, hosted on Blogspot, to read the project's privacy policy, and we found a different email address there, so there's even a mismatch.

     

    security.jpg

    The security clause of the app's privacy policy

     

    Finally, we tried sending an email to the author for a comment on the allegations made by Pradeo, but one of the addresses doesn't even exist.

     

    fail.jpg

    Listed email address doesn't exist

     

    This may seem like excessive scrutiny for each app you install on your smartphone, but it should be the standard checking procedure for inherently risky apps.

     

    Pradeo has informed Google of the nature of the Craftsart Cartoon Photo Tools app, and Bleeping Computer has also sent a message to the Play Store team, so Google should remove it shortly.

     

    However, those who have the app installed on their devices should remove it immediately, reset their Facebook accounts, and enable two-factor authentication for additional protection.

     

     

    Android password-stealing malware infects 100,000 Google Play users


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...