Because of its large user base, Facebook is often targeted by cybercriminals who use the platform to spread scams and deliver malware. The latest such campaign, dubbed Fakeapp, involves a new Android malware strain that is phishing for Facebook login credentials.
Once these credentials are obtained, the malware can collect account information as well as results from the Facebook mobile app’s search functionality.
The Fakeapp malware was recently detected by Symantec researchers, who said that it is being spread via malicious apps targeting English-speaking users on third-party app stores.
How Does Fakeapp Android Malware Function?
Android applications infected with the malware hide themselves from the device’s home screen. Meanwhile, a service started in the background of the Android system launches a spoofed Facebook login user interface.
The purpose is to harvest the victim’s login credentials for the social platform. Fakeapp is persistent in this behavior: the spoofed login is displayed periodically until users type in their Facebook credentials.
In a nutshell, the malware’s activities are as follows:
- The malware checks for a target Facebook account by submitting the International Mobile Equipment Identity (IMEI) to the command and control (C&C) server.
- If no account can be collected, the malware verifies that the app is installed on the device.
- The malware then launches a spoofed Facebook login user interface (UI) to steal user credentials.
- The malware periodically displays this login UI until credentials are successfully collected.
Besides harvesting the login credentials and sending them to the hackers’ server, the Fakeapp malware immediately uses the login details on the compromised device. This behavior is not typical of the average Android Trojan seen so far.
According to Symantec, the malware shows a certain level of sophistication, especially in the functionality that crawls the Facebook page.
“The crawler has the ability to use the search functionality on Facebook and collect the results. Additionally, to harvest information that is shown using dynamic web techniques, the crawler will scroll the page and pull content via Ajax calls,” Symantec explained.
As already mentioned, the behavior of Fakeapp is unique for Android malware, especially because no malicious activities are performed to directly monetize the malware. This fact perhaps means that the malware is a form of spyware that is currently establishing a database of compromised accounts to be used in further malicious operations.