
Google boots nine apps from the Play Store for stealing Facebook passwords

Google Play Store Moto Hero (Image credit: Chris Wedel/Android Central)

What you need to know

  • Google has taken down nine apps from the Play Store for stealing users' Facebook login credentials.
  • The apps succeeded in tricking users by loading the legitimate Facebook sign-in page.
  • They were downloaded over 5.8 million times from the Play Store.

Google has removed nine apps from the Play Store after Doctor Web's researchers found that they were actually trojans stealing users' Facebook passwords. The list includes Processing Photo, App Lock Keep, Rubbish Cleaner, Horoscope Daily, Horoscope Pi, App Lock Manager, Lockit Master, Inwell Fitness, and PIP Photo. The developers of these apps have also been banned for violating Google's Play Store policies.

Processing Photo alone had been downloaded over 500,000 times. All nine apps worked the same way: they offered to disable in-app ads if the user logged into Facebook. Once the user agreed, the app loaded the genuine Facebook login form in a WebView, so the page looked legitimate because it was. The app then injected JavaScript code received from its command server into that WebView; the script read the login and password as the user submitted the form and handed them back to the trojan, which forwarded them to the command server together with the cookies of the current authorization session.

Although the configuration Doctor Web's analysts observed targeted Facebook accounts, both the page to load and the script to inject came from the command server, so the operators could easily have retargeted the trojans at the login page of any other legitimate online service.

An earlier variant of the same trojan had already spread through the Google Play Store as an image editing app called EditorPhotoPip. That app has been pulled from the Play Store, but it is still available on some Android app aggregator websites, which is one reason never to install apps from unknown sources. Even when installing from the Play Store, read the user reviews before installing an app, no matter how popular it is.

Babu Mohan
  • Stealing? The users GAVE away their info. I'm amazed that anyone would choose to login to ANYTHING other than FB with their FB account info.
  • According to the article, people were logging in to the official Facebook page, their credentials were harvested through a JavaScript code injection attack.
  • Play Store is a cesspool for malware. This is a recurring theme for Google.
  • The Play Store is pretty secure now but nothing is 100% secure including the App Store on iOS.
  • I only download apps I really really want and I never download ones I've never heard of. Google does a pretty good job of weeding out the bad guys but one never knows. I know people who have like 50 or 60 downloaded apps and games. Crazy. I have maybe 12.
  • Keep the number of downloaded apps on my device to a minimum. Only what I need in my day-to-day use and nothing else. If I can use the mobile site (link attached to the homescreen... looks like an app), I prefer to do that. Also run Play Protect pretty regularly. It's not foolproof, but it helps. Google Play and the App Store may be secure or not... but a lot of this stuff also depends on people and their own behaviour. There is plenty of information available out there for the average consumer to be reasonably well informed when it comes to basic privacy and safety, especially regarding app usage. The days when one had to maintain a multitude of apps on their device are long gone. Unless one chooses to. Most devices today even prompt users to delete apps that are not used frequently or for a certain stretch of time. If you still have five different fart apps on your device... well, that's on you.