A malicious Android app built to steal Facebook passwords claimed at least 100,000 victims on the Google Play Store. The malware was disguised as an image-editing app that turned users' photos into cartoons, but it displayed a fake Facebook login screen, and the credentials entered there were sent to servers under the criminals' control.

Entering those credentials was presented to the user as a requirement for the "complete experience" of the application. Behind it, according to an alert published by the security company Pradeo, was FaceStealer, embedded in an app that "borrows" its editing function from an online service. Because the app does in fact deliver an edited image, it was able to pass Google's review for publication on the official Android store.

While the user's credentials are sent to the criminals, the image to be altered is uploaded to Photo Fun Editor, a service available for free on the web, where a simple cartoon filter is applied; the result is then displayed in the app. Even in a legitimate application, this behaviour alone would be enough to raise alerts, since it involves sending the user's photos to a third party without authorization or express notice.

Other elements point to the danger, such as the growing number of negative reviews and the developer listing itself: it used a Gmail address but went by the name Google Commerce. This is yet another attempt to go unnoticed and lend the software an appearance of legitimacy, reinforced by a simple website hosted on the Blogspot platform.

Caption: The application that turned photos into cartoons displayed a fake Facebook login screen, in addition to "outsourcing" its editing function to a third-party online editor (Image: Reproduction / Pradeo)

The sharing of images, in itself, did not create additional risk for third parties or for the user. Likewise, the app did not request permissions that could enable further exploitation, functioning purely as a password stealer. FaceStealer, the malware behind the fake app, is relatively new, but its techniques are widely known.

According to Pradeo, Google was informed of the malicious app's presence in the Play Store. As of this writing, the software is no longer available for download. Users who installed the app are advised to remove it from their phones immediately and change their Facebook password to prevent account takeover.

Beyond that, the recommendation is to be careful when downloading applications, giving preference to known software and developers. A quick search is often enough to find established tools with a large number of downloads and reviews. Ideally, avoid installing software from outside the official Android marketplaces or your phone manufacturer's store.

Source: Pradeo