Malware-loaded Google Play app with 100,000 downloads caught stealing Facebook passwords

midian182

Posts: 8,023   +88
Staff member
In a nutshell: Not for the first time, Google has removed an app from the Play Store after discovering it harbored malware. The application, which had been downloaded over 100,000 times, was able to steal mobile users' Facebook login credentials.

Researchers at French mobile security company Pradeo revealed that the app, Craftsart Cartoon Photo Tools, contained a version of an Android trojan malware called Facestealer.

As with similar malicious applications, Craftsart Cartoon Photo Tools did perform some of its promised functions. It converted photos into cartoon- or painting-style images—there are numerous apps available that do the same thing—though some reviews say it merely added a filter to images. However, it included a small piece of code that could steal users' Facebook login credentials, thereby gaining access to their accounts and any other services that may reuse the same login/passwords.

The app performed this act of thievery by directing users to the legitimate Facebook mobile login page upon opening, but "injected malicious JavaScript" would steal login credentials and send them to a command-and-control server. The Russian-registered domain that the app connected to has been used intermittently for seven years as the command-and-control address for multiple malicious Android apps.

The stolen credentials could be used to access Facebook accounts and all the personal information they contain. Hackers could also try to dupe victims' friends by sending them fake messages.

"Facebook credentials are used by cybercriminals to compromise accounts in multiple ways, the most common being to commit financial fraud, send phishing links and spread fake news," wrote Pradeo.

We're seeing an increasing number of malicious apps circumventing the Play Store's safeguards and being downloaded hundreds of thousands of times. They often achieve this by mimicking popular apps' functions and thoroughly concealing what little malicious code they contain, as was the case with the Joker-infected Color Message app downloaded 500,000 times before it was removed in December.

The best way to avoid these malicious apps is to check the reviews. Many who downloaded Craftsart Cartoon Photo Tools identified it as a fake or some kind of scam—it also had a 2.1-star rating—but it still managed to gain 100,000 downloads.

Permalink to story.

 

trparky

Posts: 1,098   +1,247
Remind me why it's f*cking important and "pro-consumer" to force Apple to allow sideloading on iOS. The built-in stores aren't dangerous enough, we totally need the ability to have stores with even less vetting!
Yep, that's what I think as well. I may not entirely like the Apple walled garden approach but it's sure as hell a lot safer than the Wild Wild West that Android has become.
 

Irata

Posts: 2,169   +3,747
Remind me why it's f*cking important and "pro-consumer" to force Apple to allow sideloading on iOS. The built-in stores aren't dangerous enough, we totally need the ability to have stores with even less vetting!
The question is - why aren‘t the liable if their walled garden approach fails. If Apple is the gatekeeper collecting their (considerable) share they should also assume full responsibility.

Otherwise, what‘s the value add justifying their exclusivity ?
 

trparky

Posts: 1,098   +1,247
Because so far that walled garden approach that Apple has taken has worked, it's kept a majority of the crap out of the App Store whereas with Google... we have this. And tell me, how many times has malware slipped into the Google Play Store? I think I've run out of fingers to count on, I have to take my shoes off and start using toes.
 

trparky

Posts: 1,098   +1,247
As much as I hate lawyers, someone needs to bring a massive class action lawsuit against Google for this because Google will not learn until they lose money and lots of it.
 

ZackL04

Posts: 811   +609
As much as I hate lawyers, someone needs to bring a massive class action lawsuit against Google for this because Google will not learn until they lose money and lots of it.

Its not their fault that users are downloading BS apps

Their users want the ability to download anything they want
 

psycros

Posts: 4,245   +6,067
Its not their fault that users are downloading BS apps

Their users want the ability to download anything they want

But...those apps are coming from Google's own store. Google requires every Android-using hardware maker to grant them low-level access to the OS before they can use Google's services on a device. So why aren't they using that low-level access to look for malware? Maybe its time that Google buys an antivirus instead of the next hot site where girls post pics of their private parts. If not that then perhaps they could have source code access to apps in exchange for letting devs keep a larger percentage on sales.
 
Last edited:

PEnnn

Posts: 806   +945
".. has been used intermittently for seven years as the command-and-control address for multiple malicious Android apps."

As usual, the spider monkeys employed at Google Play have been engaged in navel-gazing for 7 years while this krap is going on!! They must have amazing Q&A at that septic tank.

Google Play users are suckers for punishment it seems.
 

ZackL04

Posts: 811   +609
But...those apps are coming from Google's own store. Google requires every Android-using hardware maker to grant them low-level access to the OS before they can use Google's services on a device. So why aren't they using that low-level access to look for malware? Maybe its time that Google buys an antivirus instead of the next hot site where girls post pics of their private parts. If not that then perhaps they could have source code access to apps in exchange for letting devs keep a larger percentage on sales.
Why would they?, just like any other company all they want is that cold hard cash.

Maybe Android users should pull their heads out and jump ship.

“ooo I have a stylus, I can make custom ringtones…”

Ya? Well I can make a phone call, check an email or send a text message flawlessly anytime I want with no risk of identity theft…

I only speak from experience, Ive got a buddy who has to have the lastest samsung whatever. Hes been waiting a month and will wait another month and a half for the newest model of whatever he has. He is always trying to show me things he can do, and it never works 100% of the time. Im embarrassed for him, just let it be a phone.
 

Uncle Al

Posts: 8,931   +7,898
LOL ..... you know, I won't be at all surprised to see Alphabet unload Google one of these days .....
 

waclark

Posts: 439   +305
Because so far that walled garden approach that Apple has taken has worked, it's kept a majority of the crap out of the App Store whereas with Google... we have this. And tell me, how many times has malware slipped into the Google Play Store? I think I've run out of fingers to count on, I have to take my shoes off and start using toes.

I don't know about a "majority" but the Apple iOS App Store has been hit, pretty hard with things like XcodeGhost and a raft of malicious other apps. There's a guy who blogs about it, from TechRadar

"Eleftheriou, a developer who has created several hit services for Apple devices, has highlighted a number of suspect apps over the past few weeks on his Twitter account."
 

trparky

Posts: 1,098   +1,247
I don't know about a "majority" but the Apple iOS App Store has been hit, pretty hard with things like XcodeGhost and a raft of malicious other apps. There's a guy who blogs about it, from TechRadar
Yes, I understand; I remember that happening in the past. However, Google still takes the very much unwanted crown for the number of times malware has slipped through the cracks.
 

waclark

Posts: 439   +305
Yes, I understand; I remember that happening in the past. However, Google still takes the very much unwanted crown for the number of times malware has slipped through the cracks.
True, Android is more targeted and more vulnerable. But, Apple's not perfect and while their walled garden sounds good on paper, it seems like they have a pest control problem in the garden. They need to adhere to what they say they are doing, and in some cases, they are lax on their vetting process.