
These 9 Android apps might have stolen your Facebook password

July 3rd, 2021 at 2:04 PM

Despite the seemingly unstoppable wave of cyberattacks, which should teach users to improve their defenses, not all internet users learn from their mistakes. Some people recycle the same login credentials across different apps and services. Using the same username, email, and password on multiple sites might be convenient. You only have to remember those details, and then you can log into all the sites you need to. But that’s what hackers count on. That’s why they want to steal your Facebook password, hoping they’ll be able to hack into more sensitive accounts using those credentials.

Researchers discovered nine Android apps that got more than 5.8 million combined downloads from the Google Play store. The apps included malicious code that allowed hackers to steal Facebook passwords.


A report from Dr. Web (via ArsTechnica) explains that the apps in question looked like legitimate apps. They offered basic photo editing features to mask their malicious purpose. But the developers used the apps to steal Facebook passwords.

Google is aware of the problem, and the apps are no longer available from the Google Play store. But that doesn’t do much for users who had already downloaded and installed any of them.

Facebook password hacked; what next?

The attackers came up with a clever way to steal Facebook credentials. They told users they could eliminate ads simply by logging into their Facebook accounts. Unsuspecting users might have signed in without thinking twice. Using Facebook to log into apps is part of the internet experience, after all.

That’s how the hackers stole the Facebook passwords:

These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.
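
A defender's triage sketch for the pattern Dr. Web describes above, added here as an example and not code from this article or from Dr. Web: it scans decompiled Java source for a WebView that loads a remote login page, exposes a JavascriptInterface bridge, and injects non-literal script or reads cookies. The indicator names, the regexes and the sample sources are constructed for illustration.

```python
import re

# Indicators drawn from the behaviour quoted above; names and regexes are this example's own.
INDICATORS = {
    "remote_login_page": re.compile(r'loadUrl\(\s*"https?://[^"]*(?:login|signin)[^"]*"'),
    "js_bridge": re.compile(r'addJavascriptInterface\s*\('),
    "bridge_method": re.compile(r'@JavascriptInterface'),
    # Script passed as a variable or concatenation instead of a fixed string literal.
    "dynamic_script": re.compile(r'evaluateJavascript\(\s*[A-Za-z_]|loadUrl\(\s*"javascript:"\s*\+'),
    "cookie_read": re.compile(r'CookieManager\.getInstance\(\)\.getCookie\s*\('),
}

def triage(source):
    """Return matched indicators and whether the combination warrants manual review."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    # A login page in a WebView, or a bridge on the app's own pages, is common on its own.
    # A remote login page plus a bridge plus script injection or cookie reads is the reported pattern.
    suspicious = ("remote_login_page" in hits and "js_bridge" in hits
                  and ("dynamic_script" in hits or "cookie_read" in hits))
    return {"hits": hits, "suspicious": suspicious}

# Constructed samples (decompiled-style Java fragments, not taken from any real app).
SUSPECT_SRC = '''
class Bridge { @JavascriptInterface public void onData(String a, String b) { } }
webView.addJavascriptInterface(new Bridge(), "bridge");
webView.loadUrl("https://www.facebook.com/login.php");
webView.evaluateJavascript(scriptFromServer, null);
String cookies = CookieManager.getInstance().getCookie(pageUrl);
'''
LOGIN_ONLY_SRC = 'webView.loadUrl("https://www.facebook.com/login.php");'
HYBRID_APP_SRC = '''
class AppApi { @JavascriptInterface public String version() { return "1.0"; } }
webView.addJavascriptInterface(new AppApi(), "app");
webView.loadUrl("file:///android_asset/index.html");
'''

if __name__ == "__main__":
    for name, src in [("suspect", SUSPECT_SRC), ("login-only", LOGIN_ONLY_SRC),
                      ("hybrid", HYBRID_APP_SRC)]:
        print(name, triage(src))
```

String matching like this is a first-pass filter only: obfuscated or reflective calls will not match, so a clean result does not clear an app.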

If you use the same username/password combination for Facebook and other online apps, you should consider changing all of them. An attacker with access to your Facebook credentials might try the same combination for your email, internet banking, and online stores. They could do some serious damage with that information. That’s why each app and service must have its own password.

If you have downloaded one of the nine apps below, you should consider changing your Facebook password immediately. Then do the same with every other service where you’ve recycled the Facebook credentials.

You should also check your Facebook account for fraudulent activity and do the same with other online accounts that have the same username and password.

These 9 Android apps contain malicious code that can steal Facebook passwords. Image source: Dr. Web

The malicious Android apps

Dr. Web identified all the apps that included malicious code capable of stealing Facebook passwords. It’s unclear how many Facebook users were impacted, but the discovery shows that attackers might employ similar attacks to steal logins from other websites.

Google removing the apps from the Play Store isn’t enough to protect you. You should delete any of the following apps from your devices right away:

  • PIP Photo: more than 5.8 million downloads
  • Processing Photo: more than 500,000 downloads
  • Rubbish Cleaner: more than 100,000 downloads
  • Inwell Fitness: more than 100,000 downloads
  • Horoscope Daily: more than 100,000 downloads
  • App Lock Keep: more than 50,000 downloads
  • Lockit Master: more than 5,000 downloads
  • Horoscope Pi: 1,000 downloads
  • App Lock Manager: 10 downloads

Furthermore, using an anti-virus solution for your Android smartphone or tablet might also help.


Chris Smith started writing about gadgets as a hobby, and before he knew it he was sharing his views on tech stuff with readers around the world. Whenever he's not writing about gadgets he miserably fails to stay away from them, although he desperately tries. But that's not necessarily a bad thing.



