Researchers from Dr. Web have found nine apps with more than 5.8 million combined downloads that were sneakily stealing user’s Facebook passwords using a genuine Facebook login page.
As of writing, Google has banned the developer and removed these nine apps from the Play Store, but if you’ve downloaded any of them, it’s time to change your Facebook passwords, not only Facebook.
How did the apps steal the data?
According to the researchers at Dr. Web, the developer, chikumburahamilton, created fully functional apps for photo editing, exercising, horoscopes, and junk cleaning (among others). After a point, these apps would prompt users to log in using Facebook to unlock the full functionality of the app.
When users did that, the app would kick in their C&C server (a Command-and-Control server controlled by the developer used to copy and store data from a webpage). After receiving the settings from the C&C server, the app loaded then loaded the legitimate Facebook login page.
Then, the app loaded the JavaScript received from the C&C server into the Facebook login page (JavaScript code is versatile and can be inserted at any point, even when a user just taps on a text field). This Javascript code was then used to copy the username and password.
The JavaScript then passed the copied data to the application, which in turn passed it to the app’s C&C server, where it was saved. Once the user logged in to the application, the app also stole cookies from the current authorized session, which were in turn sent to cybercriminals.
In this instance, the apps only used Facebook’s genuine login page. But because of the way JavaScript and C&C servers work, they could have easily done this with any service requiring you to log in.
What can you do about it?
The first thing you should do is to check if you were running one of these nine apps:
PIP Photo
Processing Photo
Rubbish Cleaner
Inkwell Fitness
Horoscope Daily
App Lock Keep
Lockit Master
Horoscope Pi
App lock Manager
If you have any of these apps installed, the first step is to uninstall the application.
Then, if you used Facebook login with the app, you need to reset your Facebook passwords immediately.
Next, stay vigilant. Use a trusted anti-virus application like Malwarebytes to detect apps with malicious code. If possible, avoid connecting third-party services like Facebook with random apps downloaded from the Play Store. Because of the way Play Store works, it’s trivially easy for developers to reenter and resubmit apps even after they are taken down (a developer license only costs $25).
Lastly, turn on two-factor authentication for any site that allows it, and pair it with a password manager. This will help you generate and store long passwords securely. And even if a website leak reveals your password, two-factor authentication will protect you from hackers.
A word for a wise must be enough before your ID is used for a crime you know nothing about.