Google removes popular Android apps that stole Facebook passwords. The apps had over 5.8 million downloads from the Play Store.
Google has removed nine malicious Android apps from the Play Store, after finding they were stealing users’ Facebook login passwords.
The apps were disguised as photo-editing, astrology, optimizer, and fitness programs and enjoyed high popularity: they had more than 5.8 million downloads between them.
Now, your Facebook password is safe
Google has removed apps with 5.8 million downloads from the Play Store that were stealing users’ Facebook login details. Google has banned the developers of all nine apps from the store, meaning they will not be allowed to submit new apps.
Google pulled the apps after researchers at the Dr. Web anti-virus firm discovered they were actually Trojans designed to steal credentials.
The malware apps offered useful services such as photo editing and framing, exercise and training, horoscopes, and removal of unwanted files from Android devices. Additionally, these malicious apps obtained users’ Facebook credentials by offering an option to disable in-app ads if they logged in with their Facebook accounts.
The apps removed are:
- PIP Photo (5,000,000+ downloads)
- Processing Photo (500,000+ downloads)
- Inwell Fitness (100,000+ downloads)
- Horoscope Daily (100,000+ downloads)
- Rubbish Cleaner (100,000+ downloads)
- App Lock Keep (50,000+ downloads)
- Lockit Master (5,000+ downloads)
- Horoscope Pi (1,000+ downloads)
- App Lock Manager (10+ downloads)
Users who downloaded any of the above nine apps should immediately delete the app and change their Facebook password. They should do the same with all other platforms/services where they used the same credentials to sign in.
The disclosure comes days after Google announced new measures for the Play Store as part of efforts to fight scams and fake developer accounts. For example, Google now requires developers to provide their addresses and to verify their contact details.
The Bottom Line
A Google spokesman told Ars Technica that the company has also banned the developers of all nine apps from the store, meaning they will not be allowed to submit new apps. However, according to the report, this is a small hurdle for offenders, as a new developer account under a different name requires a one-time fee of $25.
The development comes just days after the Joker virus targeted eight new Android apps that stole users’ data, including SMS, contact list, device info, OTPs, and more. The eight apps that were infected by the Joker virus are Auxiliary Message, Fast magic SMS, Free CamScanner, Super Message, Element Scanner, Go messages, travel wallpapers, and Super SMS. Google removed the infected apps from the Play Store after several downloads from users.
The question, of course, is how the apps racked up as many downloads as they did before the takedown. Google’s largely automated screening keeps a lot of malware out of the Play Store. Still, the subtlety of the technique might have helped the rogue apps slip past these defenses and leave victims unaware that their Facebook data fell into the wrong hands. Whatever the cause, it’s safe to say that you should be cautious about downloading utilities from unknown developers no matter how popular they seem.