Google Play Store boots apps that steal Facebook passwords


Dr. Web researchers located nine apps that have more than 5.8 million combined downloads and were stealing user’s Facebook passwords.

Google moved quickly to ban the developer, chikumburahamilton. And then removed the nine Android apps from the Google Play Store.

Nine apps to remove

  • PIP Photo
  • Processing Photo
  • Rubbish Cleaner
  • Inwell Fitness
  • Horoscope Daily
  • App Lock Keep
  • Lockit Master
  • Horoscope Pi
  • App lock Manager

All nine are fully functional apps for tasks like photo editing, getting daily horoscopes, exercising, etc…At some point, the app prompts the user to log in using Facebook to allow full functionality of the app.

Signup for the USA Herald exclusive Newsletter

That’s when the app begins to steal private data. It starts by stealing cookies from the current authorized session, which are sent to the cybercriminals.

How did the apps steal the Facebook passwords?

The malware-laden apps had easy-to-find titles that tricked users with a legitimate Facebook sign-in page. But a JavaScript was also put in play by a command and control server to steal the data and pass them back to the app ( the command server). 

In every case, Facebook was the primary target. But the hackers had the capability to steer users toward other password-protected services. They chose Facebook passwords.

There were five malware variants all using the same JavaScript code and configuration file formats to grab private information.

Once the user logged in to the application, the app also stole cookies from the current authorized session, which were in turn sent to cybercriminals.

Get rid of the malware apps

If you are running one of the nine apps listed above, you need to remove them. The first action is to uninstall the offending application.

If you used Facebook verification login with the app you also need to reset your Facebook password. Run a scan with antivirus software. That helps to find other apps using Malware. And to assure the app removal was successful.

You also need to turn on two-factor authentication for every site possible. And pair it with a password manager. This will help you generate and store unhackable passwords more securely. And even if your private password is leaked, two-factor authentication is the first line of defense against future hackers.