9 Android Apps Stealing Facebook Password Found On The Play Store!

Cybersecurity researchers discovered nine Android apps stealing the Facebook passwords of their users. The apps were removed from the Play Store in response to the password-stealing campaign. However, users who already downloaded the apps remain exposed to it.

Victims Of These Nine Apps Stealing Facebook Passwords:

The research did not tie the attacks to users in any particular geographic location. However, it is reported that more than 5,856,010 users downloaded these apps stealing Facebook passwords from Google's Play Store.

List Of Apps Stealing Facebook Passwords On The Play Store:

Here are the nine apps Doctor Web found on the Play Store. Check your phone for these apps immediately and remove them if installed. Most importantly, reset your Facebook password if you haven't done so yet.

Fig #1: 9 apps stealing Facebook password
  • PIP Photo (>5,000,000 Downloads): An image editing app that was spread by the developer Lillians.
  • Processing Photo (>500,000 installs): A photo-editing app that was spread by the developer chikumburahamilton.
  • Rubbish Cleaner (>100,000 installs): A utility to optimize the Android device performance from the developer SNT.rbcl.
  • Horoscope Daily (>100,000 installs): An astrology program developed by HscopeDaily momo.
  • Inwell Fitness (>100,000 installs): A fitness program from the developer Reuben Germaine.
  • App Lock Keep (50,000 installs): An app-locking utility developed by Sheralaw Rence.
  • App Lock Manager (10 installs): Developed by Implummet col.
  • Lockit Master (5,000 installs): Developed by Enali mchicolo.
  • Horoscope Pi (>1,000 installs): An astrology program developed by Talleyr Shauna.

How Do These Apps Steal Facebook Passwords?

The attackers used Google's Play Store to launch the password-stealing campaign. The password-stealer trojans were packaged as apparently harmless applications in order to steal Facebook passwords.

Fig #2: Prompting Facebook login
  1. The authors published fully functional applications carrying the same trojans, which use identical configuration file formats and identical JavaScript scripts to steal user data.
  2. Each application prompted the user to log in with Facebook to unlock all of the app's functions and disable in-app ads.
  3. If users agreed and clicked the Facebook login button, they saw the standard Facebook login form, as shown.
  4. In fact, the apps displayed a genuine login form. However, the trojan in the app fetched the necessary settings from the C&C servers immediately after launch. It loaded the legitimate Facebook web page https://www.facebook.com/login.php into a WebView together with the JavaScript downloaded from the C&C servers, injected into the same page.
  5. The attackers used that JavaScript to hijack the credentials the user entered. The script passed the stolen credentials to the trojan application, which transferred them to the attacker's C&C server.
  6. After a successful login to the Facebook account, the trojans captured the session cookies from the current authorization session.
  7. The attackers targeted Facebook account credentials. However, the trojan settings are easily customizable to replace Facebook with any other legitimate web service or a fake phishing site.
Fig #3: Loading Facebook login web form

Countermeasures:

When dealing with any such password-stealing campaign, we suggest doing three basic things:

  1. Uninstall the applications from the device.
  2. Reset the web service password, Facebook in this case.
  3. Install a good, premium anti-malware solution to scan for and remove the malware.

Identified Indicator Of Compromise (IOC) Apps Stealing Facebook Password:

Below are the indicators of compromise (IOCs). If you find any of these files on your Android device, identified by the corresponding SHA-1 hash, take the countermeasures without delay. Additionally, if you notice that your Android phone has communicated with these URLs at any point in time, it is clear that your phone is compromised. Verification requires some technical knowledge to check file fingerprints and communication with the URLs, so you can skip this section if you are not from a technical background. We feel it is our duty to give as much detail as we can.

IOCs:

SHA-1 | Application name | Package name | Package version | Developer
--- | --- | --- | --- | ---
d8f941f6a8dbda39a881ad2a1661e3227e3f8f18 | App Lock Keep | com.enab.lockkeep | 1.0.6 | Sheralaw Rence
8f30f3f176613dbc14aa29bfb3c952b6eb046da3 | Processing Photo | com.pcnts.splicingpp | 1.2 | chikumburahamilton
de2ac7091b7c51d0b7e1e9c31d5e8d9aa863aa5c | Rubbish Cleaner | com.snt.rubbishcleaner | 1.5.1 | SNT.rbcl
b2d07ac10bba9839fd8a0ccd7a7dcd08b508140b | Horoscope Daily | com.cgi.ygk.iozwrku.izgzw | 1.0 | HscopeDaily momo
de93c1c7a0c03ecf79179d2296008f93f48fdcaa | Horoscope Pi | com.iigxuq.xueqe.horoscopepi | 2.4.56 | Talleyr Shauna
d68717837c3b3ec7fd95a6b776ec96bef7344928 | App Lock Manager | com.oimjqcnw.mngyz.kqhcrpy.xdrzs007.xyz | | Implummet col
5a3d2917fe987dea35d1aa4b089743d168a71415 | Lockit Master | com.svbo.oypvn.otpl | 1.3 | Enali mchicolo
903fcfba98f32b00badcec5976a4b401b994be7e | Inwell Fitness | chv.jrd.axiyby.ojs.xevjo | 1.1 | Reuben Germaine
f7d6462d16e8c0c81634e8812ae1b19a59bede26 | EditorPhotoPip | com.viewedites.showimg | 1.1 | Laurense
2b931978aaee9e2a9d35b1f8bf35a9b89b74d2fa | PIP Photo | com.piphoto.pipsapp | 1.1.0 | Lillians
8b0451ee56e8a5805b1c501d48066d2cb89e41a5 | PIP Photo | com.piphoto.pipsapp | |

URLs:


IPs:

108.160.132.15
45.32.110.28
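As an added example (not part of the original post or of Doctor Web's research), the following Python script checks APK files and an `adb shell pm list packages` listing against the SHA-1 hashes and package names from the IOC table above. The APK paths and the adb output are assumed inputs; the sample listing embedded below is constructed for a stand-alone run.

```python
import hashlib
import re

# IOCs copied from the table above: APK SHA-1 -> (app name, package name as listed).
IOC_SHA1 = {
    "d8f941f6a8dbda39a881ad2a1661e3227e3f8f18": ("App Lock Keep", "com.enab.lockkeep"),
    "8f30f3f176613dbc14aa29bfb3c952b6eb046da3": ("Processing Photo", "com.pcnts.splicingpp"),
    "de2ac7091b7c51d0b7e1e9c31d5e8d9aa863aa5c": ("Rubbish Cleaner", "com.snt.rubbishcleaner"),
    "b2d07ac10bba9839fd8a0ccd7a7dcd08b508140b": ("Horoscope Daily", "com.cgi.ygk.iozwrku.izgzw"),
    "de93c1c7a0c03ecf79179d2296008f93f48fdcaa": ("Horoscope Pi", "com.iigxuq.xueqe.horoscopepi"),
    "d68717837c3b3ec7fd95a6b776ec96bef7344928": ("App Lock Manager", "com.oimjqcnw.mngyz.kqhcrpy.xdrzs007.xyz"),
    "5a3d2917fe987dea35d1aa4b089743d168a71415": ("Lockit Master", "com.svbo.oypvn.otpl"),
    "903fcfba98f32b00badcec5976a4b401b994be7e": ("Inwell Fitness", "chv.jrd.axiyby.ojs.xevjo"),
    "f7d6462d16e8c0c81634e8812ae1b19a59bede26": ("EditorPhotoPip", "com.viewedites.showimg"),
    "2b931978aaee9e2a9d35b1f8bf35a9b89b74d2fa": ("PIP Photo", "com.piphoto.pipsapp"),
    "8b0451ee56e8a5805b1c501d48066d2cb89e41a5": ("PIP Photo", "com.piphoto.pipsapp"),
}
IOC_PACKAGES = {pkg for _, pkg in IOC_SHA1.values()}

# Constructed sample of `adb shell pm list packages` output (assumed format: one 'package:<name>' per line).
SAMPLE_PM_OUTPUT = "package:com.android.chrome\npackage:com.piphoto.pipsapp\npackage:com.enab.lockkeep\n"


def sha1_of_file(path):
    # Stream the file in 1 MiB chunks so a large APK does not have to fit in memory.
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_apks(paths):
    # Return (path, app name, package) for every file whose SHA-1 is in the IOC table.
    hits = []
    for p in paths:
        digest = sha1_of_file(p)
        if digest in IOC_SHA1:
            name, pkg = IOC_SHA1[digest]
            hits.append((str(p), name, pkg))
    return hits


def match_packages(pm_output):
    # Parse the package listing and return the installed IOC package names, sorted.
    found = set()
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)$", line.strip())
        if m and m.group(1) in IOC_PACKAGES:
            found.add(m.group(1))
    return sorted(found)
```

A hash hit identifies the exact sample Doctor Web analysed; a package-name hit catches a repackaged or updated build of the same app whose hash differs, so both checks are worth running.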

Thanks for reading this post. Please share it with all Android users to create awareness about these apps stealing Facebook passwords and this password-stealing campaign.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of "thesecmaster.com". Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
