These Malware-Laced Android Apps Are Probably Stealing Your Facebook Password

Hopefully you are not one of the millions of people who have installed an app called PIP Photo onto your Android device. Why is that? While it may seem like a harmless and handy image editing app, it contains malware designed to covertly swipe a person's login credentials for Facebook. The same goes for a handful of other Android apps.

Each of the nine malicious apps discovered by researchers at Doctor Web contains a trojan that gets to work trying to trick users into coughing up their Facebook usernames and passwords. What makes the apps potentially effective is that they otherwise work as intended and expected.

"The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps’ functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts. The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions," Doctor Web explains.

As part of the clever guise, a popup would appear encouraging users to log into their Facebook accounts to remove in-app advertisements. Even more tricky, filling in the Facebook form would indeed log users into their Facebook accounts, so there would be little reason to think they have just been duped into forking over their credentials to a malicious actor.

Here are the affected apps...

Image: Malicious Android Apps

The good news is, Google has banished the above apps from Google Play. However, before that happened, they had collectively been installed more than 5.8 million times on Android devices. Most of those installs came from PIP Photo, which notched 5 million downloads, but the others racked up some big numbers as well.

This is how it breaks down...
  • App Lock Keep: 50,000+ installs
  • App Lock Manager: 10+ installs
  • Horoscope Daily: 100,000+ installs
  • Horoscope Pi: 1,000+ installs
  • Inwell Fitness: 100,000+ installs
  • Lockit Master: 5,000+ installs
  • PIP Photo: 5,000,000+ installs
  • Processing Photo: 500,000+ installs
  • Rubbish Cleaner: 100,000+ installs

App Lock Manager ranks as the least prominent of the bunch, though several of the others have been downloaded and installed more than 100,000 times.

As always, the recommendation is to stick with established app stores when downloading and installing programs, though that obviously is still not enough to remain 100 percent protected from this sort of thing (since each of these apps was, for a time, available in Google Play). Also check out user reviews of any app you are considering, and be wary of what type of permissions an app asks for.

You need to be watchful of updates as well. Earlier this year, we wrote about an app called Barcode Scanner by Lavabird LTD, which amassed millions of downloads over several years in Google Play. That was all fine and dandy, until the developer went down a nefarious path and updated the app with malware, which started bombarding users with pop-up ads.