Researchers from Dr. Web have found nine apps with more than 5.8 million combined downloads that were sneakily stealing user’s Facebook passwords using a genuine Facebook login page. As of writing, Google has banned the developer and removed these nine apps from the Play Store, but if you’ve downloaded any of them, it’s time to change your passwords.
According to the researchers at Dr. Web, the developer, chikumburahamilton, created fully functional apps for photo editing, exercising, horoscopes, and junk cleaning (among others). After a point, these apps would prompt users to log in using Facebook to unlock the full functionality of the app.
When users did that, the app would kick in their own C&C server (a Command-and-Control server controlled by the developer used to copy and store data from a webpage). After receiving the settings from the C&C server, the app loaded then loaded the legitimate Facebook login page.
Then, the app loaded the JavaScript received from the C&C server into the Facebook login page (JavaScript code is versatile and can be inserted at any point, even when a user just taps on a text field). This Javascript code was then used to copy the username and password.
The JavaScript then passed the copied data to the application, which in turn passed it to the app’s C&C server, where it was saved. Once the user logged in to the application, the app also stole cookies from the current authorized session, which were in turn sent to cybercriminals.
In this instance, the apps only used Facebook’s genuine login page. But because of the way JavaScript and C&C servers work, they could have easily done this with any service requiring you to log in.
The first thing you should do is to check if you were running one of these nine apps:
PIP Photo
Processing Photo
Rubbish Cleaner
Inwell Fitness
Horoscope Daily
App Lock Keep
Lockit Master
Horoscope Pi
App lock Manager
If you have any of these apps installed, the first step is to uninstall the application.
Then, if you used Facebook login with the app, you need to reset your password immediately.
Next, stay vigilant. Use a trusted anti-virus application like Malwarebytes to detect apps with malicious code. If possible, avoid connecting third-party services like Facebook with random apps downloaded from the Play Store. Because of the way Play Store works, it’s trivially easy for developers to reenter and resubmit apps even after they are taken down (a developer license only costs $25).
Lastly, turn on two-factor authentication for any site that allows it, and pair it with a password manager. This will help you generate and store long passwords securely. And even if a website leak reveals your password, two-factor authentication will protect you from hackers.
[Ars Technica]
The latest update for Edge Chromium, version 88, is finally rolling out. This version adds many new features to the Windows and macOS versions of the
This year was supposed to be better than last year, but apparently 2021 didn’t get the memo. The world is still just as tumultuous, and we’re all stil
If you, like many people, have found yourself in front of the TV more in the past year than ever before, you’re not alone. And thanks to new extension
When you can’t hear anything from your YouTube videos—either nothing at all, or that which was once loud is now way too soft—the last thing you should
If you’ve ever run a large Facebook group, you know the toll that spam, trolls, off-topic posts, or other conversation-killing problems can take on ma
Battery health is important, right? After all, our portable devices depend on them. These days, though, it’s actually not worth stressing about their
There’s a lot going on in iOS 15 and iPadOS 15, from small features like Background Sounds to banner features like FaceTime SharePlay. But the one fea
Apple’s big iPhone update, iOS 15, is chock full of fun features. We’ve highlighted 36 we find particularly interesting or useful. But it’s not for ev
We are a comprehensive and trusted information platform dedicated to delivering high-quality content across a wide range of topics, including society, technology, business, health, culture, and entertainment.
From breaking news to in-depth reports, we adhere to the principles of accuracy and diverse perspectives, helping readers find clarity and reliability in today’s fast-paced information landscape.
Our goal is to be a dependable source of knowledge for every reader—making information not only accessible but truly trustworthy. Looking ahead, we will continue to enhance our content and services, connecting the world and delivering value.
