Google has found 9 malware applications that stole Facebook passwords from users of Android devices, according to a research by Dr. Web.
Most worryingly, these apps have been downloaded from the Play Store more than 5,8 million times. The applications looked normal and did what they said they were doing, such as image editing, exercise or training.
Because they contained ads, users had the option to disable them by linking the app to Facebook. Initially, although they loaded the actual page, they redirected users to another page that was very similar to the Facebook login form. The malware intercepted the login credentials and forwarded them to the hackers' command and control server along with the cookies from other authentication sessions.
The security researchers of Dr. Web they said:
Malware analysis showed that all applications had settings for stealing links and passwords from Facebook accounts. However, attackers could easily change the settings to load the website of another legitimate service. They could also use a completely fake login form found on another site (phishing).
In the following list you will see which applications contained malware:
The PIP Photo app had the most downloads (5,8 million). The following are:
- Horoscope Pi: about 1.000 downloads
- Lockit Master about 5.000 downloads
- App Lock Manager: about ten downloads
- Horoscope Daily: about 100.000 downloads
- App Lock Keep: about 50.000 downloads
- Inwell Fitness: about 100.000 downloads
- Rubbish Cleaner: about 100.000 downloads
- Photo Processing: approximately 500.000 downloads
The apps have already been removed from the Google Play Store, and Google has blacklisted the creators of all nine apps, preventing them from submitting new ones. That of course does not say anything.
Google should improve the security systems it uses, and stop taking half measures.