Last Updated on 22/11/2021 by Nidhi Khandelwal
Image courtesy; 2-spyware
This Wednesday, Maxime Ingrao, a French Cybersecurity expert in mobile fraud at Evina discovered some malwares in the top new free apps of the Play Store that steal Facebook credentials and some other data. He went public with his findings and uploaded a detailed version of it on Twitter.
The researcher stumbled upon the malware while he installed one of the apps and got suspicious when the app compelled the users to connect Facebook for using the content of the application. He then took a glance at the code of the app and thats when he discovered that it executed commands to retrieve those credentials.
He found two applications, that share the same code, and believes that it is from a new malware family. Both applications are in the same category: photography apps.
“The requests are executed with an Asia/Singapore timestamp so there is a very high chance that the attack originated there”, Ingrao said.
Popularity of apps
Some of the apps that are infected by a malware exceeds 500k downloads, inlcuding the Pix Photo Motion Edit 2021 and “Magic Photo Lab – Photo Editor”, an app with 50k+ installs and is removed from the Play Store.
According to Maxime, the rankings of the application “Pix Photo Motion Edit 2021” on Play Store of different countries, we see that it is in the first positions of the ranking of new applications in many countries and even first in Mexico. This has allowed it to reach 500k downloads in two weeks.
Working of malware
The malware launches a webview and runs javascript command to retrieve the values typed by the user.Then it uses the api graph to get the account information.
According to the researcher, the malware retrieves information about the pages you have created on Facebook (the number of fans, the number of people talking about this page, the page rating), about the ad campaigns you have created (the status of the campaigns, the amount spent) and whether you have a registered credit card.
“This informations is probably used so that fraudsters can publish ads on the user’s pages and charge ad campaigns with the user’s credit card”, he said.
Maxime confirmed that the threat actors cannot steal credit card information but can use it against the victim on their accounts.
On being asked about the action taken by Maxime told The Digital Hacker that he has notified about the malicious apps to Google via their report forms, but they have not responded yet. Though one of the apps has been removed from the Play Store only before he reported.
Clearly cyber attackers are exploiting people for their lack of knowledge, people need to be more carefull and do little research before downloading unknown apps.
