Even when you download a mobile app from an official source, you should be careful before you give it any personal information. Google is always working to ensure that malicious apps don’t make their way onto the Google Play store, but some still sneak through. These apps often look legitimate, and one managed to fool thousands of Android users in recent weeks. The app contains an Android trojan known as Facestealer.
Facestealer trojan infects 100,000+ Android devices
On Monday, mobile security company Pradeo reported that a new malware scam has been making the rounds. As of this week, over 100,000 Android users had downloaded an app on Google Play called Craftsart Cartoon Photo Tools. The app says it can turn your photos into paintings and cartoons with fun filters. Instead, what the infected app actually does is use social engineering tricks to steal your Facebook login details.
As Pradeo notes, the app was available on Google Play and third-party app stores. It looks like a real photo app, but the creators have injected a small piece of code that was able to elude Google’s safeguards for protecting Android users.
After you download the app, it quickly requires you to log in to Facebook. This is apparently necessary to “experience the full function” of the app. If you do enter your Facebook details, the app immediately transmits them to the cybercriminals who run the app. Pradeo explains that cybercriminals use stolen Facebook accounts to commit financial fraud, send phishing links, and spread fake news. And we really don’t need more fake news.
Depending on how often you use Facebook, there’s no telling how much data your account holds. If you want to see just how much data a criminal might have access to, check this page. They could potentially see your private conversations, your credit card numbers, the events you plan to attend, and all of the places you’ve checked into.
The Russian connection
Pradeo also shared the following information about how the app works:
The application Craftsart Cartoon Photo Tools makes connections to a domain registered in Russia. Our research shows that this domain has been used for 7 years on and off, and is connected to multiple malicious mobile applications that were at some points available on Google Play and later deleted. To maintain a presence on Google Play, repackaging mobile apps is a common practice for cybercriminals. Sometimes, we even observed cases in which repackaging was entirely automated.
The good news is that Google has since taken action. After communicating with Pradeo, Google removed the app from Google Play on Tuesday, March 22nd. Unfortunately, over 100,000 Android users had already downloaded the app with the Facestealer trojan. If you happen to be one of those users, delete the app immediately. It might also be worth checking the active sessions on your Facebook account to see if anyone else is logged in. Either way, this might be a good time to change your password on Facebook. You can never be too careful when it comes to online security.