Security News > 2021 > July > Android Apps with 5.8 million Installs Caught Stealing Users' Facebook Passwords
Google intervened to remove nine Android apps downloaded more than 5.8 million times from the company's Play Store after the apps were caught furtively stealing users' Facebook login credentials.
"The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps' functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts," researchers from Dr. Web said.
"The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions."
The offending apps masked their malicious intent by disguising as photo-editing, optimizer, fitness, and astrology programs, only to trick victims into logging into their Facebook accounts and hijack the entered credentials via a piece of JavaScript code received from an adversary-controlled server.
While this specific campaign appears to have set its sights on Facebook accounts, Dr. Web researchers cautioned that this attack could have been easily expanded to load the login page of any legitimate web platform with the goal of stealing logins and passwords from a variety of services.
The development is yet another reminder that users are better off served by installing apps from known and trusted developers, not to mention watch out for permissions requested by the apps and pay attention to other user reviews prior to installation.