According to a report by the Russian security software vendor Doctor Web, a dozen Android applications were secretly designed to steal Facebook credentials (username and password). Of these, nine were available on Google Play.

The total number of installations exceeded 5.8 million. "The apps were fully functional, which was believed to weaken the vigilance of potential victims. […] To access all app functions, and to allegedly turn off in-app advertising, users were asked to log into their Facebook accounts."

Doctor Web researchers explain that a legitimate Facebook login page was loaded in a WebView, the component that allows an application to display web content directly with the system renderer. On recent versions of Android, Chrome acts as the system WebView.

In the same WebView, JavaScript code was received from a command and control server. This script was used to hijack the credentials entered and to steal the cookies of the authorized session.
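For reviewers vetting apps, the pattern described above (a third-party login page rendered in the app's own WebView, plus code able to alter the page or read its session) can be triaged statically in decompiled source. The following is an added example, not code from Doctor Web or from the apps in the report; the API names are real Android calls, while the signal grouping, the verdict rule and the sample snippets are assumptions constructed for illustration.

```python
import re

# Real Android API names; treating their co-occurrence as a signal is this example's assumption.
SIGNALS = {
    "js_enabled": re.compile(r"\bsetJavaScriptEnabled\s*\(\s*true\s*\)"),
    "facebook_login_url": re.compile(r"https?://(?:m|www)\.facebook\.com/login", re.I),
    "script_injection": re.compile(r'\bevaluateJavascript\s*\(|\bloadUrl\s*\(\s*"javascript:'),
    "js_bridge": re.compile(r"\baddJavascriptInterface\s*\("),
    "cookie_read": re.compile(r"\bgetCookie\s*\("),
}

def triage(source: str) -> dict:
    """Return matched signals and a verdict for one decompiled source file."""
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(source))
    # A third-party login page rendered inside the app's own WebView...
    login_in_webview = {"js_enabled", "facebook_login_url"} <= set(hits)
    # ...combined with code that can alter that page or read its session.
    tampering = {"script_injection", "js_bridge", "cookie_read"} & set(hits)
    verdict = "review" if login_in_webview and tampering else "ok"
    return {"hits": hits, "verdict": verdict}

# Constructed samples (not taken from the apps in the report).
SUSPECT = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.loadUrl("https://m.facebook.com/login.php");
webView.evaluateJavascript(remoteScript, null);  // remoteScript: hypothetical variable
String c = CookieManager.getInstance().getCookie(url);
'''
LOGIN_ONLY = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.loadUrl("https://m.facebook.com/login.php");
'''
HELP_PAGE = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.loadUrl("https://example.com/help");
'''

if __name__ == "__main__":
    for name, src in [("suspect", SUSPECT), ("login_only", LOGIN_ONLY), ("help", HELP_PAGE)]:
        print(name, triage(src))
```

A "review" verdict is a prompt for manual analysis, not proof of malice; obfuscated or dynamically loaded code will not match these patterns.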


Among the most downloaded Trojan horse apps is PIP Photo, an image editing app with over 5 million downloads on its own. The other apps were called Processing Photo, Rubbish Cleaner, Horoscope Daily, Inwell Fitness, App Lock Keep, Lockit Master, Horoscope Pi, and App Lock Manager.

Google cleaned up the Play Store and the app developers were banned. The fact remains that, before the alert, the number of accumulated downloads was not negligible.