Because of its large user base, Facebook is often targeted by cybercriminals who use the platform to spread scams and distribute malware. The latest such campaign, dubbed Fakeapp, involves a new Android malware strain that phishes for Facebook login credentials.
Once these credentials are obtained, the malware can collect account information as well as results from the Facebook mobile app’s search functionality.
The Fakeapp malware was recently detected by Symantec researchers, who said that it is being spread via malicious apps targeting English-speaking users on third-party app stores.
How Does Fakeapp Android Malware Function?
Android applications infected with the malware become concealed from the device’s home screen. Meanwhile, a service is started in the background of the Android system which initiates a spoofed Facebook login user interface.
This is done so that the victim’s login credentials for the social platform are harvested. Fakeapp is persistent in this behavior as the spoofed login is displayed periodically to users until they type in their credentials for Facebook.
In short, the malware’s activities are as follows:
- The malware checks for a target Facebook account by submitting the International Mobile Equipment Identity (IMEI) to the command and control (C&C) server.
- If no account can be collected, the malware verifies that the app is installed on the device.
- The malware then launches a spoofed Facebook login user interface (UI) to steal user credentials.
- The malware periodically displays this login UI until credentials are successfully collected.
Besides harvesting the login credentials and sending them to the hackers’ server, the Fakeapp malware immediately uses the login details on the compromised device. This behavior is not typical for the average Android Trojan seen so far.
According to Symantec, the malware shows a certain level of sophistication, especially in the functionality that crawls the Facebook page.
“The crawler has the ability to use the search functionality on Facebook and collect the results. In addition, to harvest information that is shown using dynamic web techniques, the crawler will scroll the page and pull content via Ajax calls,” Symantec explained.
As already mentioned, the behavior of Fakeapp is unique for Android malware, especially because no malicious activities are performed to directly monetize the malware. This fact perhaps means that the malware is a form of spyware that is currently establishing a database of compromised accounts to be used in further malicious operations.