It is common knowledge (but that doesn’t make it any less problematic) that apps help themselves to users’ personal data, such as location settings and browsing habits. But what would your reaction be if you were told that some of your apps were even granting themselves access to your sensitive data, like login credentials? It turns out that some 9 Android apps were caught stealing Facebook passwords from their users. These apps, which until very recently were freely available on the Google Play Store, have reportedly amassed nearly 6 million downloads between them.
9 Apps Stealing Credentials, Including PIP Photo
The news first came to light through a report by the security organization Dr. Web, whose researchers claim that these apps had one thing in common: they allowed users to disable in-app adverts by logging into their Facebook accounts. Users who opted to log in were redirected to a genuine login page.
That was where things took a turn, however, as Dr. Web notes that these “trojans” hijacked the login credentials using a set of complex coding techniques. The stolen data was then transferred to these applications, which also gained access to cookies in the process.
The report further observes that while these 9 Android apps were stealing Facebook passwords on a regular basis, the hackers could very easily have programmed the trojans to load login pages of other services, effectively enabling them to steal credentials from any site that required users to log in.
The apps which have been listed in the report include the popular photo editor PIP Photo. Other applications accused of stealing are Horoscope Pi, Rubbish Cleaner, Processing Photo, App Lock Keep, Horoscope Daily, App Lock Manager, Lockit Manager, and Inwell Fitness.
Five Trojan Variants
Five variants of the trojan malware were found inside these apps: three were native Android apps, while the other two used Google’s Flutter framework for cross-platform compatibility.
Out of the 9 Android apps stealing Facebook passwords, PIP Photo saw the largest number of downloads, standing at almost 5.8 million.
What Google Did
As of now, Google has taken down all the apps listed in the report from its Play Store. A spokesperson also confirmed that the developers of the above apps have been banned from submitting any new apps to the Play Store. It remains to be seen how effective this move will be, as the developers can very easily create a new account for publishing new apps.