Facebook Password Stealing Malware Infiltrates Google Play And Infects 100K Android Devices

An Android trojan dubbed Facestealer swipes Facebook credentials and has infected roughly 100K Android users. The trojan lands on an unsuspecting user's device when they download the application Craftsart Cartoon Photo Tools, after which the malware makes connections to a Russian server.

The Facestealer trojan is buried in a cartoonifier app called 'Craftsart Cartoon Photo Tools', which allows users to upload an image and then convert it to a cartoonish image. These types of apps are not unusual and are fairly popular, which is why the malware was able to infect so many devices (100K Android users).

Michal Rajcan, ThreatLabs Researcher at Jamf, tweeted last week about the threat. In his tweet he provided the package name, com.craftstoon.cartoonphoto, along with the contacted suspicious site, dozenorms(.)club.

Rajcan followed up his initial tweet by adding that the app first presents a screen with a Facebook login prompt that redirects to a real Facebook login page. Once the credentials are entered, the app sends them to a command and control server at zutuu(.)info (VirusTotal), at which point the attackers can collect the submitted information, effectively stealing the user's Facebook credentials. Along with the C2 server, the app also connects to the www.dozenorm(.)club URL (VirusTotal), where more data is collected.
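The package name and the two defanged domains above are the only indicators the article gives; the following is an added example (not from the article or the researchers) showing how a defender could refang them and sweep a DNS query log and an installed-package list for matches. The log line format and the sample lines are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Indicators named in the article, in the defanged form the article uses.
DEFANGED_INDICATORS = ["dozenorms(.)club", "zutuu(.)info", "www.dozenorm(.)club"]
MALICIOUS_PACKAGE = "com.craftstoon.cartoonphoto"

def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'zutuu(.)info' into a matchable hostname."""
    return indicator.replace("(.)", ".").replace("[.]", ".").lower().strip(".")

INDICATOR_DOMAINS = {refang(i) for i in DEFANGED_INDICATORS}

def host_matches(host: str) -> bool:
    """True if host equals an indicator domain or is a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in INDICATOR_DOMAINS)

# Hypothetical DNS query log format: "<timestamp> <client_ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")

def flag_dns_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the log entries whose queried name hits an indicator domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and host_matches(m.group("qname")):
            hits.append({"ts": m.group("ts"), "client": m.group("client"), "qname": m.group("qname")})
    return hits

def flag_packages(package_list: Iterable[str]) -> List[str]:
    """Return installed package names equal to the article's malicious package.
    Input lines are in the 'package:<name>' shape printed by `adb shell pm list packages`."""
    found = []
    for line in package_list:
        name = line.strip()
        if name.startswith("package:"):
            name = name[len("package:"):]
        if name == MALICIOUS_PACKAGE:
            found.append(name)
    return found

# Constructed sample log: one benign Facebook lookup, two indicator hits,
# and a lookup of the legitimate photo editor the app uses as cover.
SAMPLE_DNS_LOG = [
    "2022-03-22T10:01:02Z 10.0.0.12 query facebook.com",
    "2022-03-22T10:01:05Z 10.0.0.12 query www.dozenorm.club",
    "2022-03-22T10:01:09Z 10.0.0.12 query zutuu.info",
    "2022-03-22T10:02:11Z 10.0.0.13 query color.photofuneditor.com",
]
```

Running `flag_dns_lines(SAMPLE_DNS_LOG)` flags the two indicator lookups from client 10.0.0.12 and leaves the Facebook and photo-editor lookups alone.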

Pradeo stated in its report that the author and distributor of apps like this appear to automate the repackaging process and inject a small piece of malicious code into an otherwise genuine app. This approach helps the apps pass the Play Store vetting procedure without raising concern. The app forces users to log in to their Facebook account before providing any functionality. Pradeo also added that the Play Store has removed the app as of today.

The app maintains a false air of legitimacy after the Facebook login by uploading the chosen image to the online editor, color.photofuneditor.com, which applies a filter to the picture. The edited image is then displayed in the app, where the user can download it or share it with friends.

While apps like these are fun to use, users need to be extremely cautious when any app asks for login credentials for other services, such as Facebook. Once malicious JavaScript is injected onto your device, it can be used to steal your login credentials, email address, IP address, and more.

President Joe Biden issued a dire warning Monday morning to American business leaders, instructing them to strengthen their companies' cyber defenses immediately. The warning comes in the wake of Russia's attack on Ukraine and the likelihood that Russian President Vladimir Putin will use cyber attacks as a form of retaliation against the United States for its sanctions against the country and its leaders. While the Facestealer trojan is not directed at a company, the warning from the President is a good reminder to be cautious when downloading any app these days.