
Android apps caught stealing Facebook credentials

Security researchers from Russian antivirus maker Dr.Web have discovered nine Android applications hosted on the official Google Play Store that contained functionality to steal Facebook account credentials.

In a report last week, the security firm said it reported the apps to Google, which removed them from the store after confirming the malicious behavior.

According to the security firm's investigation, the apps had been downloaded more than 5.8 million times before being yanked offline.

| App name | Developer name | Download count |
|---|---|---|
| Processing Photo | chikumburahamilton | 500,000 |
| App Lock Keep | Sheralaw Rence | 50,000 |
| App Lock Manager | Implummet col | 10 |
| Lockit Master | Enali mchicolo | 5,000 |
| Rubbish Cleaner | SNT.rbcl | 100,000 |
| Horoscope Daily | HscopeDaily momo | 100,000 |
| Horoscope Pi | Talleyr Shauna | 1,000 |
| Inwell Fitness | Reuben Germaine | 100,000 |
| PIP Photo | Lillians | 5,000,000 |


While similar incidents have happened before, Dr.Web said these nine apps stood out because of the novel method they used to collect Facebook credentials.

While most apps try to show a fake Facebook login screen on top of the legitimate Facebook app, these nine actually used Facebook's legitimate login page, as detailed below:

  • All apps contained legitimate functionality but with a heavy dose of ads.
  • Users were told that they could remove ads by connecting their Facebook account.
  • Users who chose to do so were redirected to the real Facebook login page, loaded inside a WebView minimal browser component.
  • Since the malware was in control of the WebView component, the attackers also loaded malicious code that siphoned the user's login credentials right from the legitimate Facebook login page.
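
For app reviewers, the pattern above leaves a recognizable static footprint: a WebView that displays a real login page while the host app keeps the ability to run script in that page or receive data from it. The following triage heuristic is an added example, not code from Dr.Web or the article. It assumes the loaded code is JavaScript delivered through the standard Android WebView APIs, and the file names and decompiled snippets are constructed samples.

```python
import re

# Real Android WebView APIs that let the host app run script in, or receive
# data from, whatever page the WebView is displaying.
SIGNALS = {
    "js_enabled": re.compile(r'\.setJavaScriptEnabled\(\s*true\s*\)'),
    "js_bridge": re.compile(r'\.addJavascriptInterface\('),
    "script_injection": re.compile(r'\.evaluateJavascript\(|\.loadUrl\(\s*"javascript:'),
}
# Assumption: login pages that a third-party app has no reason to script.
LOGIN_URL = re.compile(r'https://(?:www\.|m\.)?facebook\.com/[^"]*login', re.I)

def audit_source(name, source):
    """Classify one decompiled source file as high / review / none."""
    hits = sorted(k for k, rx in SIGNALS.items() if rx.search(source))
    loads_login = bool(LOGIN_URL.search(source))
    # Showing a login page in a WebView is not malicious by itself; the risk is
    # the host app also being able to script the page or pull data out of it.
    can_read_page = "js_bridge" in hits or "script_injection" in hits
    if loads_login and can_read_page:
        verdict = "high"
    elif loads_login:
        verdict = "review"
    else:
        verdict = "none"
    return {"file": name, "verdict": verdict, "signals": hits}

# Constructed samples standing in for decompiled app sources.
SAMPLES = {
    "AdRemovalActivity.java": '''
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new Bridge(), "bridge");
        wv.loadUrl("https://www.facebook.com/login.php");
        wv.evaluateJavascript(remoteScript, null);''',
    "LoginActivity.java": '''
        wv.getSettings().setJavaScriptEnabled(true);
        wv.loadUrl("https://m.facebook.com/login.php");''',
    "HelpActivity.java": '''
        wv.loadUrl("https://example.com/help");
        wv.evaluateJavascript("document.title", null);''',
}

def audit_all(samples=SAMPLES):
    return {name: audit_source(name, src)["verdict"] for name, src in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit_all().items():
        print(f"{verdict:7} {name}")
```

A "high" verdict is a prompt for manual review, not proof of theft, and obfuscated or reflectively invoked calls will not match these patterns.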

Users who think they downloaded any of the apps listed above are advised to change their account credentials as soon as possible, as their accounts could be abused to send spam or run illicit advertising campaigns on Facebook, a tactic for which Facebook sued four Vietnamese Android app developers last week.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.
