Android password-stealing malware infects 100,000 Google Play users

A malicious Android app that steals Facebook credentials has been installed over 100,000 times via the Google Play Store, with the app still available to download.

The Android malware is disguised as a cartoonifier app called ‘Craftsart Cartoon Photo Tools,’ allowing users to upload an image and convert it into a cartoon rendering.

Over the past week, security researchers and mobile security firm Pradeo discovered that the Android app includes a trojan called ‘FaceStealer,’ which displays a Facebook login screen that requires users to log in before using the app.

App requesting the user to login on Facebook
App requesting the user to login on Facebook (Pradeo)

According to Jamf security researcher Michal Rajčanwhen users enter their credentials, the app will send them to a command and control server at zutuu[.]info [VirusTotal]which the attackers can then collect.

In addition to the C2 server, the malicious Android app will connect to www.dozenorms[.]club URL [VirusTotal] where further data is sent, and which has been used in the past to promote other malicious FaceStealer Android apps.

Sending data to dozenorms[.]club server
Sending data to dozenorms[.]club server
Source: BleepingComputer

As Pradeo explains in its report, the author and distributor of these apps appear to have automated the repackaging process and inject a small piece of malicious code into an otherwise legitimate app.

This helps the apps get through the Play Store vetting procedure without raising any red flags. As soon as the user opens it, they are not given any actual functionality unless they log in to their Facebook account.

However, once they log in, the app will provide limited functionality by uploading a specified image to the online editor, http://color.photofuneditor.com/, which will apply a graphics filter to the picture.

This new image will then be displayed in the app, where it can be downloaded by the user or sent to friends.

As many apps unnecessarily require users to log in to a server, in many cases Facebook, users have become numb to these login prompts and more commonly input their credentials without suspicion.

Signs of trouble

As popular and fun as these cartoonifier apps may be, people should be extra selective when installing software that requires them to input sensitive information such as biometric data (images of their faces).

These apps perform the image alterations and apply filters on a remote server, not locally on the device, so your data is uploaded to a remote location and is at risk of being kept indefinitely, shared with others, resold, etc.

Since the particular app is still on the Play Store, one may automatically assume that the Android app is trustworthy. But unfortunately, malicious Android apps sometimes sneak into the Google Play Store and remain until they are detected from bad reviews or discovered by security companies.

However, it is possible to spot scammy and malicious apps in many cases by looking at their reviews on Google Play.

As you can see below, the user reviews for ‘Craftsart Cartoon Photo Tools’ are overwhelmingly negative, totaling a score of only 1.7 stars out of a possible five. Furthermore, many of these reviews warn that the app has limited functionality and requires you to sign in to Facebook first.

User reviews on the Play Store
User reviews on the Play Store

Secondly, the developer’s name is ‘Google Commerce Ltd’, which indicates it is developed by Google. Also, the listed contact details include a random person’s Gmail email address, which is a big red flag.

App details on the Play Store
App details on the Play Store

We have visited the developer’s page, hosted on Blogspot, to read the project’s privacy policy, and we found a different email address there, so there’s even a mismatch.

The security clause of the app's privacy policy
The security clause of the app’s privacy policy

Finally, we tried sending an email to the author for a comment on the claims made by Pradeo, but one of the addresses doesn’t even exist.

Listed email address doesn't exist
Listed email address doesn’t exist

This may seem like excessive scrutiny for each app you install on your smartphone, but it should be the standard procedure for inherently risky apps.

Pradeo has informed Google of the nature of the Craftsart Cartoon Photo Tools app, and Bleeping Computer has also sent a message to the Play Store team, so Google should remove it shortly.

However, those who have the app installed on their devices should remove it immediately, reset their Facebook accounts, and enable two-factor authentication for additional protection.

Leave a Comment