Google removes 25 Android apps caught stealing Facebook credentials



Google has removed 25 Android apps from the Google Play Store this month that were caught stealing Facebook credentials.

Before being removed, the 25 apps had been collectively downloaded more than 2.34 million times.

The malicious applications were developed by the same threat group and, despite offering different features, all worked the same way.

According to a report that French cybersecurity firm Evina shared with ZDNet today, the apps posed as step counters, image editors, video editors, wallpaper apps, flashlight apps, file managers, and mobile games.

The applications offered legitimate functionality, but also contained malicious code. Evina researchers say the apps contained code that detected which app a user recently opened and was in the foreground.

If that app was Facebook, the malicious app would overlay a web browser window on top of the official Facebook app and load a fake Facebook login page (see image below: blue bar = real Facebook app, black bar = phishing page).

[Image: fake Facebook login page overlaid on the official Facebook app. Picture: Evina]

If users entered credentials on this phishing page, the malicious app would log the data and send it to a remote server located at the airshop.pw domain (now gone).

Evina said it found the malicious code that stole Facebook credentials in 25 apps, which it reported to Google in late May. Google removed the apps earlier this month, after verifying the findings of the French security firm. Some of the apps had been available on the Play Store for over a year before they were removed.

The complete list of the 25 applications, with their names and package IDs, is shown below. When Google removes malicious apps from the Google Store, the company also disables the apps on a user’s devices and notifies users through the Play Protect service included with the official Play Store app.

[Image: list of the 25 apps, with names and package IDs. Picture: Evina]