Nine disreputable android apps were found to be attempting to steal users' Facebook passwords.
The nine Facebook phishing trojanized apps have been removed from the Google Play Store, but presumably not from users' devices. One of them, called PIP Photo, was downloaded more than 5 million times. The other apps did not come close to that number, but together they were downloaded about 800,000 times.
If you have downloaded or installed any of these nine Android apps, you need to remove them. Go to Settings > Apps & Notifications > View All Apps (your phone may be a little different) and click on the list of each suspicious app to uninstall.
You should also assume that your Facebook account has been compromised; change your Facebook password, log out of Facebook on all devices and clear session cookies. Then you can log in again.
If you are using the same email address and password for other accounts, you need to assume that they have also been compromised. Change your password each time using a unique password. (You never want to repeat passwords for important accounts.) Then log out of those accounts on all devices and log back in on any device.
Additionally, a 10th app that steals Facebook passwords was previously removed from Google Play and was found to still be available on the "offload" app market:
Many Android apps have the same name, so we removed the correct one We want to make sure we are removing the correct one. From the Apps page under Settings, click Details > App Details. Clicking on "App Details" will take you to the Google Play apps page, where you will see the developer name (above) or a list of those that have been removed.
If you see the deleted list, you know that Google has removed the app from Google Play. Go back to the list of apps in the settings and uninstall it. If the developer name matches the one shown in the list above, uninstall the app in this case as well.
These password-stealing apps were discovered by Russian antivirus company Dr. Web, and Dr. Web posted a report on these apps last week; Dr. Web stated that all of these apps were "fully functional" and that users were willing running the apps, indicating that they probably were unaware that anything fishy was going on behind the scenes.
What these apps had in common was that they all displayed a large number of ads. Many apps allow users to log in via Facebook or Google to avoid having to create a new account each time, a process that should be secure.
In these cases, it was not. Even though the apps were displaying the real Facebook third-party login page, they were injecting code behind the scenes that logged Facebook credentials as the user entered them.
This code also stole Facebook session tokens that kept people logged into Facebook for an extended period of time. There is no end to how stolen Facebook accounts can be misused.
This is already pretty bad, but Dr. Web reports that it could have been worse, and indeed it might be.
"Attackers could easily change the Trojan's settings and command it to load a web page from another legitimate service. They could even use a completely fake login form from a phishing site. Thus, the Trojan could be used to steal login names and passwords from any service.
All of these apps have disappeared from Google Play, but are still available in third-party app stores. In general, avoid downloading apps from the "offload" marketplace; Google Play is not perfect - one reason why you should run one of the best Android antivirus apps - but unregulated app stores are much safer than the Wild West.
Comments