The return of the Facebook thieves

About a year ago, our cybersecurity team's discovery of hidden in-app malware that was stealing Facebook credentials caught the attention of the press and the entire mobile ecosystem. This secret malware was stealing one of the most popular digital IDs of the decade, and it was going unnoticed.

Today, Evina’s team of malware hunters have once again identified apps embedded with this kind of malware, which have persistently infected the most popular new free apps in the Play Store. 

They work in exactly the same way. Their objective is to steal mobile users’ Facebook login credentials and data.

These apps require users to log in to their Facebook account to allow them to access the app’s content and, therefore, collect the credentials.

Below is one of the apps that featured malware, and was downloaded over +500K times.

Photo Motion – one of the infected apps

The app requires the mobile user to log in to their Facebook account

The app is ranked among the most popular free apps in many countries

How it works

To steal login credentials, the malware launches a webview and runs a javascript command to retrieve the values typed by the user.

The next step is to use the API graph to get the account information.

Javascript commands to retrieve Facebook users’ credentials

Request to the Facebook Graph API to obtain information about the Facebook profile

The interesting malware feature

The malware is interested in the advertising campaigns that mobile users might have launched, and it’s also interested in the credit card they have registered to do so.  

This allows the malware to create its own advertising campaigns with the mobile user’s account, and thus their credit card.

Obtains information on user ad campaigns

Here is a list of other identified malware-infected apps – in the top new apps of the Play Store:……

Note: At the moment, most of these apps have been deleted.

Credits: Maxime Ingrao

To never miss a cybersecurity update, subscribe to our newsletter.

The Fraud Observer

Do you like this article ?

Articles, interviews, analyzes, debates ... Once a month, the most valuable insights and news to fight fraud and grow your business.