
These 9 Android apps might have stolen your Facebook password

Published Jul 3rd, 2021 2:04PM EDT


Despite the seemingly unstoppable wave of cyberattacks that should teach users to improve their defenses, not all internet users learn from their mistakes. Some people recycle the same login credentials across different apps and services. Using the same username, email, and password on multiple sites might be convenient. You only have to remember one set of details, and then you can log into all the sites you need to. But that’s what hackers count on. That’s why they want to steal your Facebook password, hoping they’ll be able to hack into more sensitive accounts using those credentials.

Researchers discovered nine Android apps that got more than 5.8 million combined downloads from the Google Play store. The apps included malicious code that allowed hackers to steal Facebook passwords.

A report from Dr. Web (via ArsTechnica) explains that the apps in question looked like legitimate apps. They offered basic photo editing features to mask their malicious purpose. But the developers used the apps to steal Facebook passwords.

Google is aware of the problem, and the apps are no longer available from the Google Play store. But that doesn’t do much for users who had already downloaded and installed any of them.

Facebook password hacked; what next?

The attackers came up with a clever way to steal Facebook credentials. They told users they could eliminate ads simply by logging into their Facebook accounts. Unsuspecting users might have signed in without thinking twice. Using Facebook to log into apps is part of the internet experience, after all.

Here’s how the hackers stole the Facebook passwords, according to Dr. Web’s report:

These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.
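
A static-triage sketch for the mechanism in the Dr. Web description above, added here as an example (it is not code from Dr. Web, BGR or any of the apps): it flags decompiled sources in which a WebView loads the Facebook login page, registers a JavaScript bridge and injects a script held in a variable. The Android API names are real; the indicator labels, verdict rule and sample snippets are constructed assumptions.

```python
import re

# Real Android API names; the labels, regexes and verdict rule are
# assumptions made for this example, not a vendor's detection logic.
INDICATORS = {
    "loads_facebook_login": re.compile(
        r'loadUrl\(\s*"https?://[^"/]*facebook\.com/login', re.I),
    "js_bridge_registered": re.compile(r'\baddJavascriptInterface\s*\('),
    "js_bridge_method": re.compile(r'@JavascriptInterface\b'),
    # A script passed as a variable (not a string literal) may have been
    # fetched at runtime instead of shipping with the reviewed app.
    "dynamic_script_injection": re.compile(
        r'evaluateJavascript\(\s*[A-Za-z_]\w*|loadUrl\(\s*"javascript:[^"]*"\s*\+'),
    "reads_session_cookies": re.compile(
        r'CookieManager\.getInstance\(\)\s*\.getCookie\('),
}
CORE = {"loads_facebook_login", "js_bridge_registered", "dynamic_script_injection"}

def triage(sources):
    """sources: {filename: decompiled Java text} -> (hits, verdict)."""
    hits = {}
    for name, text in sources.items():
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(label, []).append(name)
    if CORE <= set(hits):
        verdict = "high"      # login page + bridge + runtime script together
    elif {"loads_facebook_login", "js_bridge_registered"} <= set(hits):
        verdict = "review"    # bridge exposed to a third-party login page
    else:
        verdict = "low"
    return hits, verdict

# Constructed sample inputs (not taken from any real app).
SAMPLE_SUSPECT = {
    "LoginActivity.java": '''
        webView.addJavascriptInterface(new Bridge(), "bridge");
        webView.loadUrl("https://www.facebook.com/login.php");
        webView.evaluateJavascript(remoteScript, null);
        String c = CookieManager.getInstance().getCookie(url);''',
    "Bridge.java": '''
        @JavascriptInterface
        public void onData(String a, String b) { handler.handle(a, b); }''',
}
SAMPLE_BENIGN = {
    "HelpActivity.java": '''
        webView.loadUrl("https://example.com/help");
        webView.evaluateJavascript("document.title", null);''',
}

if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

A "high" verdict is a prompt for manual review, since legitimate apps also use these APIs individually; it is the combination on a third-party login page that matches the description.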

If you use the same username/password combination for Facebook and other online apps, you should consider changing all of them. An attacker with access to your Facebook credentials might try the same combination for your email, internet banking, and online stores. They could do some serious damage with that information. That’s why each app and service must have its own password.

If you have downloaded one of the nine apps below, you should consider changing your Facebook password immediately. Then do the same with every other service where you’ve recycled the Facebook credentials.

You should also check your Facebook account for fraudulent activity and do the same with other online accounts that have the same username and password.

These 9 Android apps contain malicious code that can steal Facebook passwords. Image source: Dr. Web

The malicious Android apps

Dr. Web identified all the apps that included malicious code capable of stealing Facebook passwords. It’s unclear how many Facebook users were impacted, but the discovery shows that attackers might employ similar attacks to steal logins from other websites.

Google removing the apps from the Play Store isn’t enough to protect you. You should delete any of the following apps from your devices right away:

  • PIP Photo: more than 5.8 million downloads
  • Processing Photo: more than 500,000 downloads
  • Rubbish Cleaner: more than 100,000 downloads
  • Inwell Fitness: more than 100,000 downloads
  • Horoscope Daily: more than 100,000 downloads
  • App Lock Keep: more than 50,000 downloads
  • Lockit Master: more than 5,000 downloads
  • Horoscope Pi: 1,000 downloads
  • App Lock Manager: 10 downloads

Furthermore, using an anti-virus solution for your Android smartphone or tablet might also help.

Chris Smith Senior Writer
