Google removes popular Android apps for stealing Facebook passwords

The apps had more than 5.8 million combined installs

Google has removed nine malicious Android apps from the Play Store, after finding they were stealing users' Facebook login passwords.

The apps were disguised as photo-editing, astrology, optimiser, and fitness programmes, and enjoyed high popularity: they had more than 5.8 million downloads between them.

Google pulled the apps after researchers at the Dr Web anti-virus firm discovered they were actually Trojans designed to steal credentials.

All of the apps asked users to log in with their Facebook account to unlock added features and disable in-app ads. After users logged in on what appeared to be genuine Facebook page, the app authors would steal their credentials via a JavaScript code from the command and control (C2) server.

The apps also stole cookies from the current authorisation session, and sent them to cybercriminals.

While Facebook was the target in each case, the malicious actors could have easily steered users toward other popular services, the researchers said.

There were five malware variants present in these apps, all using the same JavaScript code.

While the Dr Web report doesn't reveal the number of users whose credentials may have been stolen, the number could be in the thousands considering the scale of collective installs.

The apps removed are:

• PIP Photo (5,000,000+ downloads)
• Processing Photo (500,000+ downloads)
• Inwell Fitness (100,000+ downloads)
• Horoscope Daily (100,000+ downloads)
• Rubbish Cleaner (100,000+ downloads)
• App Lock Keep (50,000+ downloads)
• Lockit Master (5,000+ downloads)
• Horoscope Pi (1,000+ downloads)
• App Lock Manager (10+ downloads)

Users who downloaded any of the above nine apps should delete the app and change their Facebook password immediately. They should do the same with all other platforms/services where they used the same credentials to sign in.

The disclosure comes days after Google announced new measures for the Play Store as part of efforts to fight scams and fake developer accounts. Google now requires developers to provide their address and to verify their contact details.

This is not the first time that security researchers have found malicious apps on Google's app store.

In 2018, researchers at cyber security firm Sophos said they had found Javascript cryptomining code in 19 Android apps.

In 2019, ESET claimed it had discovered 42 adware-laced apps, serving unwanted adverts to users as part of a money-making scheme.

And just last year, security researchers reported two malware campaigns that targeted Android users with apps that claimed to optimise smartphone performance.