The findings come from French cybersecurity firm Evina, which also revealed that the 25 malicious apps masqueraded as image editors, wallpaper apps, flashlight apps, and games, and were all created by the same developer. All apps worked the same way despite promising different functionalities. Some of them had been available on Google Play Store for more than a year before they were removed.
How many times were the apps downloaded? Apparently, more than 2.34 million times, which makes the number of potential victims quite large. All of the apps contained malicious code that detected recently opened apps on targeted devices as well as apps running in the foreground.
The apps were stealing Facebook credentials
If the malicious code detected that the Facebook app was running, the malicious app would overlay a web browser window on top of the official app and load a fake Facebook login page. If the user was tricked by the malicious overlay and entered their credentials, the malicious app would harvest the data and send it to a remote server at a specific location.
The good news is that the researchers reported the 25 apps containing the malicious code at the end of May, and Google has already removed them. It is noteworthy that when Google removes malicious applications from its app store, it also disables the apps on users’ devices and notifies users via the Play Protect service.
Here’s a list of the apps provided by Evina researchers:
In 2017, Kaspersky discovered 85 apps that were infected with malware designed to steal passwords for social networks. Obtained passwords could have been used in various malicious scenarios, including account takeovers and distribution of the so-called Facebook viruses.