
These Android apps have been stealing your Facebook password

Google has removed at least nine apps from the Google Play store after security researchers revealed they’d been secretly harvesting users’ Facebook login details.

Research from Dr. Web says ten ‘trojan’ apps, nine of which were available on Google Play, have been stealing innocent users’ Facebook usernames and passwords.

The apps in question have been downloaded 5,856,010 times, the researchers say. The apps, which masqueraded as innocent smartphone aids, include Processing Photo, App Lock Keep, Rubbish Cleaner, Horoscope Daily, Horoscope Pi, App Lock Manager, Lockit Master, Inwell Fitness, and PIP Photo.


These apps were not obscure by any means. Processing Photo, for instance, was downloaded more than half a million times by unsuspecting Android users. All have now been removed from the Play Store, while the developers have also been banned from the platform.

The developers in question used an old trick, promising to remove in-app ads if users logged into their Facebook accounts. Users were then presented with the actual Facebook sign-in page, but the apps hijacked the login process using JavaScript code.

In its report, Dr. Web wrote: “These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials.”

The harvested usernames and passwords, as well as all cookies from the authorisation session, were passed on to cybercriminals, the report says. The researchers say one of the apps, EditorPhotoPip, had already been deleted by Google Play, but was still available via aggregator websites.
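For anyone vetting apps, the behaviour Dr. Web describes (a genuine login page in a WebView, script loaded into that same WebView, session cookies read out) can be turned into a static triage check over decompiled source. The following is an added example, not code from Dr. Web or from this article; the API names are real Android calls, but treating them as indicators, along with the sample file names and sources, is an assumption of the example.

```python
import re

# Real Android API names; using them as indicators is this example's assumption.
SIGNALS = {
    "login_page_in_webview": re.compile(
        r'\.loadUrl\(\s*"https://www\.facebook\.com/login\.php'),
    "script_injection": re.compile(
        r'\.evaluateJavascript\(|\.loadUrl\(\s*"javascript:'),
    "js_bridge": re.compile(r'\.addJavascriptInterface\('),
    "cookie_read": re.compile(r'CookieManager\b.*\.getCookie\('),
}

def scan_source(text):
    """Return the set of signal names present in one decompiled source file."""
    return {name for name, rx in SIGNALS.items() if rx.search(text)}

def triage(files):
    """files maps path -> source text. Signals are combined per app because the
    page load and the script injection may sit in different classes."""
    hits = {path: scan_source(src) for path, src in files.items()}
    found = set().union(*hits.values())
    tampering = found & {"script_injection", "js_bridge"}
    if "login_page_in_webview" in found and tampering:
        # Login page plus script access; cookie reads raise the priority.
        verdict = "high" if "cookie_read" in found else "review"
    else:
        verdict = "none"
    return verdict, {p: sorted(s) for p, s in hits.items() if s}

# Constructed samples (not taken from any real app).
SUSPECT = {
    "LoginActivity.java":
        'webView.getSettings().setJavaScriptEnabled(true);\n'
        'webView.loadUrl("https://www.facebook.com/login.php");\n',
    "Helper.java":
        'webView.evaluateJavascript(remoteScript, null);\n'
        'String c = CookieManager.getInstance().getCookie(url);\n',
}
BENIGN = {
    "HelpActivity.java":
        'webView.loadUrl("https://example.com/help");\n'
        'webView.evaluateJavascript("applyTheme()", null);\n',
}

if __name__ == "__main__":
    for name, app in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, *triage(app))
```

A "high" or "review" verdict is a prompt for manual analysis, not proof of credential theft: some legitimate apps combine these calls, and obfuscated code can hide them.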

The site says this emphasises the need to only download apps from official sources, rather than side-loading onto an Android device.
