A new report sheds some light on an extensive fake Android app campaign that distributes the Facestealer spyware.
New Campaign of Fake Android Apps Delivers Facestealer Spyware
First documented in July 2021, the malware is designed to steal logins and passwords for Facebook accounts, and is spread via fraudulent apps on Google Play. Stolen credentials are a serious security issue, as they can enable hackers to perform a variety of malicious actions, including phishing campaigns, fake posting, and dropping ad bots.
It is also noteworthy that Facestealer is similar to another mobile malware sample, called Joker. This type of malware is usually distributed via innocent-looking apps, which end up on thousands of devices. In the case of Facestealer, the apps are more than 200, including fitness, photo editing, VPN, etc. For example, let’s take the Daily Fitness OL app.
How does an infection with Daily Fitness OL take place?
Upon launching, the app sends a request to hxxps://sufen168[.]space/config to download its encrypted configuration. At the time of Trend Micro’s analysis, the returned configuration was the following:
`eXyJkIjowLCJleHQxIjoiNSw1LDAsMiwwIiwiZXh0MiI6IiIsImkiOjAsImlkIjoiMTE1NTYzNDk2MTkxMjE3MiIsImwiOjAsImxvZ2luX3BpY191cmxfc3dpdGNoIjowLCJsciI6IjcwIn0`
After decryption, the real configuration was changed to:
{“d”:0,”ext1″:”5,5,0,2,0″,”ext2″:””,”i”:0,”id”:”1155634961912172″,”l”:0,”login_pic_url_switch”:0,”lr”:”70″}
“The “l” in the configuration is the flag used to control whether a prompt appears to ask the user to log in to Facebook. Once the user logs in to Facebook, the app launches a WebView (an embeddable browser) to load a URL, for example, hxxps://touch[.]facebook[.]com/home[.]php?sk=h_nor, from the downloaded configuration. A piece of JavaScript code is then injected into the loaded webpage to steal the credentials entered by the user,” the report explained.
Once the user logs into their account, the app collects the cookie, the spyware encrypts all the available personally identifiable information, and sends it back to the remote server.
The other fraudulent apps share a similar behavioral pattern.
In a nutshell, Facestealer apps are cleverly disguised as simple tools for Android devices, making them look useful to users. What is troublesome is that, due to the way Facebook runs its cookie management policy, the researchers fear that these types of apps will continue to plague the Play store.
To avoid downloading such a dangerous app, make sure to check its reviews. “Users should also apply due diligence to the developers and publishers of these apps, so that they can better avoid apps with dodgy websites or sketchy publishers, especially given the number of alternatives on the app store,” Trend Micro added.
Other examples of mobile malware targeting Android users include the SharkBot Android trojan, the GriftHorse trojan, and the ERMAC banker.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: