Researchers from Dr. Web have found nine apps with more than 5.8 million combined downloads that were sneakily stealing user’s Facebook passwords using a genuine Facebook login page. As of writing, Google has banned the developer and removed these nine apps from the Play Store, but if you’ve downloaded any of them, it’s time to change your passwords. The apps tricked users by loading the real Facebook sign-in page, only to load JavaScript from a command and control server to "hijack" credentials and pass them along to the app (and thus the command server). They would also steal cookies from the authorization session. Facebook was the target in each case, but the creators could just have easily steered users toward other internet services. “During the course of analyzing these stealer trojans, we discovered an earlier modification that was spread through Google Play under the guise of an image editing software called EditorPhotoPip, which has already been removed from the official Android app store but still available on software aggregator websites," the company said in its blog post. The first thing you should do is to check if you were running one of these nine apps:
- PIP Photo
- Processing Photo
- Rubbish Cleaner
- Inwell Fitness
- Horoscope Daily
- App Lock Keep
- Lockit Master
- Horoscope Pi
- App lock Manager