New Campaign of Fake Android Apps Delivers Facestealer Spyware
A new report sheds light on an extensive campaign of fake Android apps that distribute the Facestealer spyware.
First documented in July 2021, the malware is built to steal Facebook usernames and passwords and is spread through fraudulent apps on Google Play. Stolen Facebook credentials are a serious problem in themselves: an attacker holding them can run phishing campaigns from the victim's account, post fraudulent content in the victim's name, and deploy advertising bots.
Facestealer resembles another Android malware family, Joker. Both are distributed through innocent-looking apps that end up installed on thousands of devices. In Facestealer's case, more than 200 such apps were identified, posing as fitness trackers, photo editors, VPN clients and similar utilities. The Daily Fitness OL app is a representative example.
How does the Daily Fitness OL infection work?
On launch, the app sends a request to hxxps://sufen168[.]space/config to download its encrypted configuration. Trend Micro's report reproduces both the encrypted configuration the server returned at the time of analysis and the real configuration obtained after decrypting it.
Once the user logs into their Facebook account, the app harvests the session cookie, encrypts it together with any other personally identifiable information it can collect, and sends the result to the remote server. Because the payload is encrypted before it leaves the device, a defender watching the network cannot expect to see cookie names or credentials in the exfiltrated body; the behaviour has to be recognised from the sequence of connections instead.
The other fraudulent apps share a similar behavioral pattern.
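The chain described above (remote config fetch from a third-party host, a Facebook login, then a POST to that same host) is what a defender can actually observe, since the exfiltrated body itself is encrypted. The following script is an added example, not Trend Micro's tooling or the report's own code: it runs that behavioural rule over constructed per-app flow records of the kind a proxy or per-UID capture on a test device would produce. Only the sufen168[.]space host comes from the report; the package names, timestamps, paths and byte counts are invented, and the rule assumes that the Facebook login traffic is attributable to the same app as the config fetch, which holds when each app's traffic is captured separately.

```python
"""Flag the Facestealer behavioural chain in per-app outbound flow records.

Added example; not Trend Micro's code. Rule:
  GET <host>/config  ->  Facebook login traffic  ->  POST with a body to <host>
All sample flows below are constructed; only sufen168[.]space is from the report.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Flow:
    ts: int         # capture time in seconds, increasing within a capture
    app: str        # Android package name (hypothetical names below)
    method: str     # HTTP method
    url: str        # real (refanged) URL
    bytes_out: int  # request body size in bytes


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as hxxps://x[.]y back into a usable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_facebook(host: str) -> bool:
    return host == "facebook.com" or host.endswith(".facebook.com")


def is_facebook_login(flow: Flow) -> bool:
    """Any request to a Facebook host whose path mentions login."""
    return is_facebook(host_of(flow.url)) and "login" in urlparse(flow.url).path.lower()


def is_remote_config_fetch(flow: Flow) -> bool:
    """GET of a '/config' resource from a non-Facebook host."""
    path = urlparse(flow.url).path.rstrip("/").lower()
    return flow.method == "GET" and path.endswith("/config") and not is_facebook(host_of(flow.url))


def find_facestealer_chains(flows):
    """Return one finding per app whose traffic shows the full three-step chain."""
    by_app = {}
    for f in sorted(flows, key=lambda f: f.ts):
        by_app.setdefault(f.app, []).append(f)

    findings = []
    for app, seq in by_app.items():
        config_hosts = {}   # host -> ts of first remote config fetch
        login_ts = None     # ts of the most recent Facebook login request
        for f in seq:
            h = host_of(f.url)
            if is_remote_config_fetch(f):
                config_hosts.setdefault(h, f.ts)
            elif is_facebook_login(f):
                login_ts = f.ts
            elif (f.method == "POST" and f.bytes_out > 0 and h in config_hosts
                  and login_ts is not None and f.ts > login_ts):
                # Body goes back to the config host after a Facebook login: exfil candidate.
                findings.append({"app": app, "c2": h, "config_ts": config_hosts[h],
                                 "login_ts": login_ts, "exfil_ts": f.ts,
                                 "bytes_out": f.bytes_out})
                break
    return findings


C2 = refang("hxxps://sufen168[.]space")  # host named in the report

# Constructed sample capture: one Facestealer-like app and two benign ones.
SAMPLE_FLOWS = [
    Flow(100, "com.example.dailyfitness", "GET", C2 + "/config", 0),
    Flow(101, "com.example.dailyfitness", "GET", "https://m.facebook.com/login.php", 0),
    Flow(130, "com.example.dailyfitness", "POST", "https://m.facebook.com/login/device-based/regular/login/", 412),
    Flow(131, "com.example.dailyfitness", "POST", C2 + "/", 2048),   # encrypted blob to C2
    # Legitimate Facebook Login integration: posts only to Facebook itself.
    Flow(200, "com.example.legit", "GET", "https://m.facebook.com/login.php", 0),
    Flow(230, "com.example.legit", "POST", "https://graph.facebook.com/v15.0/me", 96),
    # App with its own remote config but no Facebook login: must not be flagged.
    Flow(300, "com.example.weather", "GET", "https://cfg.example-cdn.net/config", 0),
    Flow(301, "com.example.weather", "POST", "https://cfg.example-cdn.net/telemetry", 512),
]

if __name__ == "__main__":
    for finding in find_facestealer_chains(SAMPLE_FLOWS):
        print(finding)
```

The rule keys on ordering rather than content, so it still fires when the exfiltrated body is opaque. Its obvious blind spot is an app that fetches its configuration from one host and exfiltrates to another; widening `h in config_hosts` to "any non-Facebook, non-allowlisted host" catches that at the cost of more review work.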
In short, Facestealer apps are disguised as simple Android tools that look genuinely useful. What troubles the researchers is that, because of the way Facebook manages its session cookies, they expect apps of this kind to keep appearing on Google Play.
To avoid installing such an app, check its reviews before downloading it. “Users should also apply due diligence to the developers and publishers of these apps, so that they can better avoid apps with dodgy websites or sketchy publishers, especially given the number of alternatives on the app store,” Trend Micro added.