05.07.2021 – 10:01
Google intervened to remove nine Android apps downloaded more than 5.8 million times from the company’s Play Store after the apps were caught stealing users’ Facebook login credentials.
“The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With this, to access all the functions of the applications and, ostensibly, to deactivate the ads within the applications, the users were encouraged to log in to their Facebook accounts,” said the researchers from Dr. Web.
“Ads within some of the apps were really present and this maneuver was intended to further encourage Android device owners to take the required actions.” The apps disguised themselves as garbage cleaners, fitness and astrology programs to trick victims into logging in to their Facebook accounts, and hijacked the credentials the victims entered by means of a piece of JavaScript code.
List of applications:
PIP Photo (> 5,000,000 installations)
Photo Processing (> 500,000)
Rubbish Cleaner (> 100,000)
Daily Horoscope (> 100,000)
Inwell Fitness (> 100,000)
App Lock Keep (50,000)
Lockit Master (5,000)
Horoscope Pi (> 1,000)