About these nine malicious apps on the Google Play Store, it is said that five different types of malware have been found in them.
Google has removed nine apps from its Play Store after researchers showed they secretly stole users' Facebook log-in credentials. Apps were hidden under names that sounded like everyday useful tools and apps. These include Rubbish Cleaner and Horoscope Daily. According to a report, these malicious apps had around 5.9 million combined downloads on the Google Play store while PIP Photo alone had 5.8 million downloads. These contained five different types of malware. Google had earlier removed three apps made for children for violation of privacy. Report by
Dr. Web, an antivirus servicesays that their malware analysts discovered nine suspicious apps. Which included Processing Photo, App Lock Keep, Rubbish Cleaner, Horoscope Daily, Horoscope Pi, App Lock Manager, Lockit Master, Inwell Fitness, and PIP Photo apps. These apps allegedly acted as Trojan malware and stole users' Facebook log-in credentials after offering users the option to disable ads by logging in through their social media accounts. Dr. Webb's report was seen by Ars Technica .
These apps tricked users by showing an exact copy of Facebook's login page. Instead the apps loaded a JavaScript command that stole their log-in credentials. The apps apparently also stole browser cookies from the authorization session. All were malware variants and they all allegedly used the same JavaScript code to steal users' data. The report also stated that three of the malware variants were native Android apps, and two were built using Google's Flutter SDK.
The malware variants identified by Dr. Webb are
- Android.PWS.Facebook.13,
- Android.PWS.Facebook.14,
- Android.PWS.Facebook.15,
- Android.PWS.Facebook.17,
- Android.PWS.Facebook.18 .
A Google spokesperson told Ars Technica that they have also banned app developers for all nine apps from the Google Play store, which would block these developer accounts from publishing any new apps to the market. This is a positive move from Google, but a new developer account under a different name can be created for a nominal fee of $25 (approximately Rs 1,900).
Users are advised not to download any app from an unknown developer, irrespective of the number of downloads of the app. In this case, PIP Photo received a maximum of 5.8 million downloads, followed by Processing Photo at 500,000 downloads. Any user who has downloaded these apps should thoroughly check their device and Facebook account for suspicious activity.