Nine apps with 5.8 million downloads kicked from Google Play store for stealing Facebook passwords

We’re often told to be careful when it comes to sideloading apps from outside of the Play Store, but the marketplace has seen its fair share of malicious applications. Joining the list are nine apps that Google has just removed for stealing users’ Facebook login details. The worrying part is that they were downloaded more than 5.8 million times.

Dr. Web (via Ars Technica) reports that, like many malicious apps, these performed their advertised functions, such as photo editing, exercise and training, horoscopes, and removing junk files from a phone. The lure was an offer to disable the in-app ads, which the user could take up only by logging into their Facebook account from inside the app.

The trojans loaded the genuine Facebook login page, username and password fields included, inside an app-controlled WebView, and into that same WebView they injected JavaScript fetched from their command-and-control (C&C) server. Because the hosting app controls the WebView, the script could read whatever the user typed into the form; the captured credentials were handed back to the app and relayed on to the C&C server. The apps could also lift the cookies of the authenticated session, which lets an attacker reuse the login without needing the password again. The practical lesson is that a login page is not trustworthy just because it is the real one: rendered inside someone else's app, that app sees everything entered into it.
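To make the mechanism concrete, here is an added illustration in Android Java; it is not Dr. Web's sample and not code from any of the nine apps. The first method shows what an app that hosts the login in its own WebView is able to do (inject script into the genuine page and read the session cookies); here the script is embedded locally rather than fetched from a C&C server and only logs what it captures. The login URL, the form field names (`email`, `pass`) and the `document.forms[0]` selector are assumptions for illustration. The second method shows the safe pattern: hand the login to the system browser via Custom Tabs, where the app can neither inject script nor read the browser's cookies.

```java
// Added illustration, not code from the report or the removed apps.
// Why a third-party login inside an app-controlled WebView is untrustworthy,
// and what an honest app should do instead.
import android.content.Context;
import android.net.Uri;
import android.util.Log;
import android.webkit.CookieManager;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.browser.customtabs.CustomTabsIntent;

public class LoginWebViewDemo {

    // Assumed login URL, used only as an illustration.
    private static final String LOGIN_URL = "https://m.facebook.com/login.php";

    // Script the host app injects once the genuine page has loaded.
    // Field names and the forms[0] selector are assumptions; a malicious
    // host would receive this script from its C&C server and ship the
    // values out instead of logging them.
    private static final String HOOK =
        "document.forms[0].addEventListener('submit', function () {" +
        "  var e = document.querySelector('input[name=email]').value;" +
        "  var p = document.querySelector('input[name=pass]').value;" +
        "  console.log('host app can read: ' + e + ' / ' + p.length + ' chars');" +
        "});";

    // What the hosting app can do when the login runs in its own WebView.
    public static void untrustworthyLogin(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onPageFinished(WebView view, String url) {
                // 1. Run app-supplied JavaScript inside the real login page.
                view.evaluateJavascript(HOOK, null);
                // 2. Read the cookies of the (soon to be) authenticated session.
                String cookies = CookieManager.getInstance().getCookie(url);
                Log.d("demo", "host app can read cookies: " + cookies);
            }
        });
        webView.loadUrl(LOGIN_URL);
    }

    // Safe alternative: the login page runs in the system browser (Custom
    // Tabs). The app gets no hook into the page and no access to its cookies.
    public static void safeLogin(Context ctx) {
        CustomTabsIntent tab = new CustomTabsIntent.Builder().build();
        tab.launchUrl(ctx, Uri.parse(LOGIN_URL));
    }
}
```

With Custom Tabs the app learns the outcome only through a redirect back to it (the OAuth-style flow that login SDKs use); it never sees the typed password or the browser's cookie jar. For a user the corresponding rule is simple: if an app shows a Facebook login inside its own screen rather than in the browser or the Facebook app, treat it as a phishing form even when the page looks genuine.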

Dr. Web identified five malware variants across the nine apps, all of which used the same JavaScript code and the same configuration file formats to steal the data.

Most of the 5.8 million downloads were from an app called PIP Photo. This was followed by Processing Photo, which had more than 500,000 downloads. Rubbish Cleaner, Inwell Fitness, and Horoscope Daily all had over 100,000 downloads.

A Google spokesman says the apps have now been removed from the store and the developers have been banned from submitting new apps, though nothing stops them from returning under a different developer name.

Back in 2019, malware was discovered in a Google Play app with over 100 million downloads. We’ve also seen several other examples of malicious apps sneaking their way onto the store.